Xoxoday notifies clients in writing before engaging any new sub-processor, provides a formal objection window to raise concerns, and enforces binding Data Processing Agreements (DPAs) that carry equivalent GDPR obligations before any personal data access begins.
Preliminary Risk and Compliance Assessment
Before any sub-processor advances, Xoxoday conducts a rigorous security and compliance evaluation. The vendor must demonstrate adherence to recognized frameworks — including ISO 27001, SOC 2 Type II, GDPR, HIPAA, and CCPA — before the process continues. Vendors that cannot meet Xoxoday’s privacy and security benchmarks are disqualified at this stage, regardless of commercial fit.
Written Client Notification
Once a vendor clears the initial assessment, Xoxoday sends affected clients a formal written notice. This notice identifies the sub-processor by name, explains the purpose of the engagement, and specifies the scope of processing and the categories of personal data involved. Clients receive this information before any data access occurs — not retroactively.
Review and Objection Window
Clients are given a reasonable review window to evaluate the sub-processor details and raise formal objections if they believe the vendor introduces undue risk. Xoxoday resolves those concerns before onboarding proceeds. For organizations running workforce integrations with platforms like Workday, SAP SuccessFactors, or Darwinbox, this window gives HR and IT teams time to assess whether the vendor aligns with their own internal data governance policies.
Binding Data Processing Agreements
Every sub-processor Xoxoday engages signs a binding Data Processing Agreement (DPA). These agreements impose the same data protection obligations Xoxoday holds itself to — covering access controls, encryption standards, data subject rights, breach notification timelines, and audit rights. No sub-processor begins processing personal data without a signed DPA in place.
Continuous Oversight After Onboarding
Onboarding a sub-processor does not end Xoxoday’s oversight obligations. Sub-processors are subject to continuous monitoring, periodic security audits, and performance reviews to ensure ongoing compliance for the lifetime of the vendor relationship. This applies equally to sub-processors supporting communication-layer integrations, such as those handling notification delivery via Slack or Microsoft Teams.
This end-to-end process ensures clients retain meaningful control over who accesses their data, supporting transparency and accountability across Xoxoday’s global data supply chain.
Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)
What does Xoxoday's Data Processing Agreement cover?
Understand the contractual obligations Xoxoday imposes on sub-processors, including encryption, breach notification, and audit rights under its standard DPA.
How does Xoxoday handle GDPR data subject rights requests?
Learn how Xoxoday processes access, erasure, and portability requests from data subjects within GDPR-mandated timelines.