Xoxoday’s privacy governance is unified under a single senior leader — the Chief Information Security Officer (CISO) — who concurrently holds the roles of Chief Data Protection Officer (CDPO) and Chief Privacy Officer (CPO), ensuring end-to-end accountability for data protection and regulatory compliance.

Privacy Governance at Xoxoday

Xoxoday’s privacy function operates under a clearly defined governance model designed to meet the requirements of GDPR, HIPAA, CCPA, and other global data protection frameworks. Accountability sits at the executive level: the CISO holds dual responsibility as both Chief Data Protection Officer (CDPO) and Chief Privacy Officer (CPO), eliminating silos between information security and privacy operations. This consolidated leadership structure means that decisions around data handling, regulatory compliance, and risk mitigation are made by someone with full visibility across both technical controls and legal obligations.

What the Privacy Team Is Responsible For

The privacy team, reporting to senior leadership, carries out a defined set of functions across the full data lifecycle.

Privacy Impact Assessments (PIAs) are conducted for new product features, vendor integrations, and data processing activities. When Xoxoday introduces a new rewards workflow connected to an HRIS like Workday or SAP SuccessFactors, a PIA is completed before data flows between systems — identifying and mitigating risks before they reach production.

Data minimization is a standing principle: Xoxoday collects only the personal data necessary to deliver its services, and processing is always tied to a lawful basis under GDPR Article 6. Privacy notices are maintained in plain language and updated whenever processing purposes change. Where consent is the chosen lawful basis — for example, when capturing end-user preferences through integrations with communication tools like Slack or Microsoft Teams — Xoxoday implements consent capture mechanisms that are affirmative, granular, and revocable.

On the technical side, the privacy team works alongside engineering and security to implement organizational and technical safeguards aligned with Xoxoday’s ISO 27001 certification and SOC 2 Type II attestation. These controls cover encryption in transit and at rest, access management, and audit logging.

Mandatory Privacy Training

All Xoxoday employees complete mandatory privacy training as part of onboarding and on an annual basis thereafter. The training curriculum covers GDPR, HIPAA, and CCPA, ensuring that staff across engineering, operations, support, and sales understand their obligations when handling personal data. This training requirement applies to all personnel with access to personal data — not only the privacy team — reflecting Xoxoday’s position that privacy is an organization-wide responsibility, not a function confined to a single team.

Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)
