Xoxoday enables platform administrators to extract all customer data as CSV or JSON and permanently erase it using cryptographic shredding — an irreversible process that destroys the client-level encryption key across both master and backup data stores.
Encryption at Rest
All customer data within Xoxoday is encrypted at rest using AES-256 encryption, with a unique encryption key generated per client. This means your organization’s data is logically isolated at the encryption layer — not just at the storage layer. Whether Xoxoday is integrated with an HRIS such as Workday, SAP SuccessFactors, or Darwinbox, all data remains encrypted and scoped exclusively to your tenant throughout the contract lifecycle.Step 1: Data Extraction
Before terminating a contract, platform administrators can download a complete copy of their organization’s data through Xoxoday’s raw data extraction module. Data is available in CSV or JSON formats, making it straightforward to ingest into internal systems, data warehouses, or archival pipelines. The extraction process is self-serve and accessible to administrators at any time — not only during offboarding. Organizations operating under audit frameworks such as ISO 27001 or SOC 2 Type II often run periodic exports as part of their internal data retention controls, using this same module.Step 2: Cryptographic Data Deletion
Once data has been extracted — or if an organization chooses to proceed directly to deletion — Xoxoday provides a self-serve account deletion workflow. This process does not simply remove active records; it applies cryptographic shredding to destroy the client-level encryption key itself. Because all data is encrypted with that unique per-client key, destroying the key renders all associated data permanently unreadable — even if encrypted bytes persist in a backup store. This approach satisfies the GDPR Article 17 right to erasure without requiring Xoxoday to locate and purge individual records across distributed infrastructure. The deletion applies to both master and backup data stores and is irreversible: once initiated, data cannot be recovered by Xoxoday or by the client.What This Means for Compliance
Cryptographic shredding is a recognized erasure technique under GDPR guidance. By tying deletion to key destruction rather than row-level removal, Xoxoday delivers a faster, more thorough, and auditable offboarding process. Organizations subject to GDPR, PDPA, or equivalent data protection regulations can use Xoxoday’s deletion confirmation as documented evidence of erasure in their own compliance records. Administrators retain full control at every stage, with no dependency on Xoxoday’s internal teams to initiate or complete either step.Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)
How Xoxoday encrypts customer data at rest
Learn how Xoxoday uses AES-256 with unique per-client keys to isolate and protect data across all tenants.
How Xoxoday handles GDPR data subject access requests
Understand how Xoxoday processes individual rights requests including access, rectification, and erasure under GDPR Article 15–17.