Xoxoday provides a publicly accessible Privacy Policy that governs data collection, processing, storage, and protection across all employee engagement modules — including recognition, rewards, surveys, and the social intranet — and serves as both the internal and external statement of data handling practices.
Xoxoday maintains a single, publicly accessible Privacy Policy that applies across every module of the employee engagement platform. This document defines how personal data is collected, on what legal basis it is processed, how long it is retained, and what rights data subjects hold under applicable regulations. It is not a separate internal and external document — one authoritative policy covers both.
What the Privacy Policy Covers
The policy spans all core product areas: peer recognition, rewards and redemption, employee surveys, and the social intranet. It describes the categories of personal data processed in each module, the purpose of processing, and the controls in place to prevent unauthorized access or disclosure. When Xoxoday integrates with HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, data flows through those integrations remain subject to the same policy terms, keeping processing transparent and auditable across the full HR stack.
Global Compliance Frameworks
Xoxoday’s privacy practices are aligned with a comprehensive set of international and regional compliance standards. These include GDPR for data subjects in the European Economic Area, CCPA for California residents, HIPAA for health-adjacent data contexts, SOC 2 Type II for operational security and availability controls, ISO 27001 for information security management systems, and WCAG for accessibility. Adherence to these frameworks is validated through regular independent third-party audits, not self-attestation alone.
Integrations and Data Minimization
When Xoxoday connects with workplace communication tools such as Slack or Microsoft Teams — for example, to deliver recognition notifications or reward alerts directly inside a team channel — the same privacy controls defined in the Privacy Policy apply. Xoxoday collects only the data required for the specific feature to function and applies data minimization principles throughout every integration touchpoint.
Enterprise-Level Configurations
Enterprises operating across multiple jurisdictions can work with Xoxoday to implement additional privacy configurations beyond the standard policy. These include Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs) for cross-border data transfers under GDPR, and region-specific data residency arrangements. These configurations are designed for organizations that must satisfy local data protection requirements or demonstrate compliance during vendor security reviews.
The full Privacy Policy is publicly available and can be reviewed at Xoxoday Privacy Policy.
Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)