Xoxoday collects only the minimum personal data required to deliver its employee engagement services and does not store sensitive identifiers such as Social Security Numbers or payment card details directly.
What Data Does Xoxoday Collect?
Xoxoday’s employee engagement solution is built on a data minimization principle — collecting only what is necessary to operate and deliver value. For account setup and engagement activities, Xoxoday collects standard profile details such as name, work email address, and organizational role. These fields enable a personalized experience across integrated tools like Slack, Microsoft Teams, Workday, SAP SuccessFactors, and Darwinbox. Xoxoday does not require or store government-issued identifiers such as Social Security Numbers or national ID equivalents. Collecting them would contradict Xoxoday’s privacy-by-design approach, and they fall entirely outside the scope of what the platform needs to function.
How Are Financial Transactions Handled?
Xoxoday does not store payment card details on its own infrastructure. All financial transactions are routed through PCI-DSS-compliant payment gateways, meaning card numbers, CVVs, and billing data are handled exclusively by certified third-party processors — Xoxoday never has direct access to raw card information. For example, when an employee redeems a reward through Xoxoday Plum — Xoxoday’s global rewards marketplace — any payment processing takes place entirely within the compliant gateway, not on Xoxoday’s servers.
Physical Gifts and Mailing Addresses
When an employee selects a physical gift reward, Xoxoday stores a mailing address to facilitate delivery. This data is collected only when the employee voluntarily provides it during the redemption flow and is used solely for fulfillment. No address is retained beyond what that transaction requires.
Geolocation Data
Xoxoday does not track precise geolocation by default. Location data is collected only when a specific reward delivery feature explicitly requires it and the user has been informed. Standard recognition and engagement workflows — peer-to-peer appreciation, milestone rewards, survey responses — involve no location tracking whatsoever.
Encryption and Compliance Standards
All data Xoxoday collects is protected with AES-256 encryption at rest and TLS 1.2 or higher in transit. Xoxoday’s infrastructure and data practices are certified under ISO/IEC 27001:2022 and independently audited under SOC 2 Type II controls. Xoxoday also processes all personal data in compliance with GDPR, ensuring lawful bases, data subject rights, and cross-border transfer safeguards are consistently enforced. For HR and IT teams deploying Xoxoday alongside systems like SAP SuccessFactors or Darwinbox, this compliance posture ensures that data shared via integration remains protected end-to-end — with no additional configuration required to meet baseline privacy obligations.
Learn more: Xoxoday Help Centre — Data Privacy
How Does Xoxoday Handle GDPR Compliance?
Learn how Xoxoday processes personal data in line with GDPR requirements, including lawful bases for processing and data subject rights.
What Security Certifications Does Xoxoday Hold?
Explore Xoxoday’s ISO/IEC 27001:2022 and SOC 2 Type II audit status, and what independent certification means for your organization’s data security.