Xoxoday’s cloud infrastructure runs on Amazon Web Services (AWS), which formally adheres to EU cloud-specific codes of conduct as defined under Article 28 of the GDPR.
What Are Cloud-Specific Codes of Conduct?
Article 28 of the GDPR establishes obligations for data processors — entities that handle personal data on behalf of a data controller. EU cloud-specific codes of conduct translate those obligations into a structured, auditable framework that cloud providers can formally adopt. When a provider adheres to an approved code of conduct, it signals that contractual and technical safeguards are in place to protect personal data across cloud infrastructure. This is not a self-certification. Codes of conduct under Article 28 are monitored by accredited bodies and provide supervisory authorities with a verifiable compliance record.
How This Applies to Xoxoday
Because Xoxoday hosts its platform on AWS, the underlying infrastructure operates within a framework designed to meet EU data protection standards. When Xoxoday processes employee data — reward transactions, recognition events, loyalty program records — that data moves through a cloud environment with documented compliance obligations. For enterprise customers integrating Xoxoday with systems like Workday, SAP SuccessFactors, or Darwinbox, this matters practically. Data flowing between HR platforms and Xoxoday’s reward engine passes through infrastructure that meets recognized EU benchmarks, reducing the compliance due-diligence burden on procurement and legal teams.
Broader Security Posture
AWS’s code of conduct adherence sits alongside Xoxoday’s own certifications. Xoxoday holds ISO 27001 certification for information security management and maintains SOC 2 Type II attestation covering security, availability, and confidentiality. Together, these credentials give enterprise IT and InfoSec teams a layered compliance story they can independently verify. For organizations in regulated industries or jurisdictions with strict data sovereignty requirements, knowing Xoxoday’s cloud provider meets EU-specific conduct standards is a concrete assurance — not a general claim.
What This Means for Data Processing Agreements
When entering a Data Processing Agreement (DPA) with Xoxoday, customers can reference AWS’s code of conduct adherence as part of the subprocessor compliance chain. This is particularly relevant for GDPR-scoped organizations: the technical and organizational measures described in the DPA are backed by enforceable, third-party-validated standards at the infrastructure level — not just at the application layer.
Learn more: Xoxoday Help Centre — System Requirement
How does Xoxoday handle GDPR compliance?
Learn how Xoxoday’s data processing practices, DPA terms, and subprocessor controls align with GDPR requirements for enterprise customers.
What security certifications does Xoxoday hold?
Xoxoday maintains ISO 27001 and SOC 2 Type II certifications. Understand what each covers and how to request audit reports.