Xoxoday maintains a documented privacy management process covering data classification, consent tracking, role-based access controls, data subject rights, vendor governance, and privacy-by-design reviews across all product development.
Xoxoday’s privacy management framework is a comprehensive, documented set of policies and procedures built to meet the requirements of GDPR, CCPA, and other applicable regional data protection laws. Rather than treating privacy as a one-time compliance exercise, Xoxoday embeds privacy governance across every layer of its operations—from engineering to third-party vendor relationships.

Xoxoday maintains a structured inventory of all personal and sensitive data it processes, with each dataset tagged by category, purpose, and legal basis. Alongside this inventory, Xoxoday captures and tracks user consent transparently at the point of collection. These consent records are retained to support audit readiness and regulatory inquiries, ensuring Xoxoday can demonstrate accountability at any stage.

Access Controls and Data Subject Rights

Strict role-based access control (RBAC) ensures that only authorized personnel can access personal data, and only to the extent required for their function. Xoxoday also operates formal procedures to honor data subject rights—including access, rectification, erasure, and portability—within the timeframes mandated by applicable law. This is especially relevant for enterprise deployments integrated with HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, where employee data flows across systems and must remain governed end-to-end.

Retention Schedules and Vendor Governance

Xoxoday applies defined retention schedules across all data categories, and data that has served its purpose is deleted in line with those schedules. Third-party processors undergo rigorous vetting before onboarding and are bound by data protection agreements that include Standard Contractual Clauses (SCCs) where required. This ensures the same standard of privacy protection extends beyond Xoxoday’s own infrastructure to every processor in the chain.

Privacy by Design

Every new product feature at Xoxoday goes through a formal privacy impact review during the development phase—before code ships, not after. For example, when Xoxoday introduced integrations with communication tools such as Slack and Microsoft Teams, privacy impact assessments were completed as part of the pre-release process. Privacy considerations are built in from the start, not retrofitted once a feature is live.

Ongoing Audits and Compliance Monitoring

Xoxoday conducts regular internal and third-party audits to assess the effectiveness of its privacy controls and surface any compliance gaps before they become issues. These audits complement Xoxoday’s broader security certifications—ISO 27001 and SOC 2 Type II—which independently validate its information security management and data handling practices on an ongoing basis.

Learn more: Xoxoday Help Centre — Process, Strategy & Methodology

Security Certifications: ISO 27001 & SOC 2 Type II

Learn how Xoxoday’s ISO 27001 and SOC 2 Type II certifications validate its data protection and information security controls.

How Xoxoday Handles Data Subject Rights Requests

Understand how Xoxoday fulfills GDPR and CCPA data subject rights including access, erasure, rectification, and portability.