Xoxoday protects the confidentiality of programme participants through ISO 27001 certified and SOC 2 Type II attested infrastructure, encryption of data at rest and in transit, GDPR-compliant data handling, and HIPAA-ready controls that together restrict access to personally identifiable information to authorised users.

Certified Infrastructure for Data Confidentiality

Xoxoday operates on infrastructure that is ISO 27001 certified and covered by a SOC 2 Type II report. ISO 27001 certifies the information security management system that governs the platform, from data storage to access control, against an internationally recognised standard; SOC 2 Type II attests that the security controls were designed appropriately and operated effectively over the audit period, not merely at a point in time. These certifications are not annual checkboxes; they form the operational foundation governing how Xoxoday handles participant data across every reward, recognition, and engagement workflow your organisation runs.

Encryption at Every Stage

All personally identifiable information (PII) collected through Xoxoday is encrypted both at rest and in transit. Data stored within Xoxoday's systems is encrypted with AES-256, while data exchanged between your HR systems (such as Workday, SAP SuccessFactors, or Darwinbox) and Xoxoday is protected in transit with TLS. Participant information is not stored or transmitted in plaintext, whether it is sitting in a database or travelling across an integration pipeline.

Role-Based Access and Anonymisation

Xoxoday enforces role-based access control (RBAC), so only authorised personnel within your organisation can view or interact with participant-level data. Administrators define permissions at a granular level, restricting who can see redemption records, survey responses, or recognition histories. Where full identity is not required for reporting or analysis, Xoxoday supports data anonymisation so that sensitive records are exposed to fewer users and systems.

Audit Logs and Ongoing Compliance Reviews

Every action taken on participant data within Xoxoday is recorded in detailed, tamper-evident audit logs. These logs capture who accessed which data, when, and from where, providing a chain of accountability that supports both internal reviews and external regulatory audits. Xoxoday conducts regular compliance audits to verify that controls remain effective as the platform scales and as regulatory requirements evolve.

GDPR Compliance and HIPAA Readiness

Xoxoday is GDPR-compliant and supports data subject rights, including the rights of access, rectification, and erasure. For organisations operating in healthcare or handling health-adjacent participant data, Xoxoday's infrastructure is HIPAA-ready: it provides the administrative and technical safeguards that the HIPAA Security Rule requires of systems handling protected health information. HIPAA readiness is not a certification; your organisation remains responsible for executing the appropriate agreements and configuring the controls for your own programme.

As a practical example, an HR team deploying Xoxoday for an employee wellness recognition programme can configure participant data to appear only in anonymised, aggregated form in dashboards shared with leadership, while individual reward histories remain accessible only to designated HR administrators and not to managers or peers. This configuration is enforced at the platform level rather than depending on manual processes.

Learn more: Xoxoday Help Centre — System Requirement