Xoxoday enforces a formal Data Retention and Disposal Policy that governs how personal data is stored, retained, and securely erased — fully aligned with GDPR, ISO/IEC 27001:2013, and other major data protection standards.
Retention Principles
Xoxoday retains personal data only for as long as necessary to fulfil the purposes for which it was collected. Retention periods align with legal, regulatory, and contractual obligations. Once those periods expire, data is scheduled for secure disposal — there is no indefinite storage by default.How Xoxoday Purges Data
When a retention period ends or a deletion trigger is met, Xoxoday removes data across all storage layers. Electronic records are permanently deleted, including from backup systems, so no residual copies remain. Physical or hardcopy documents are shredded securely under the same policy. For organisations using Xoxoday alongside Workday or SAP SuccessFactors for employee lifecycle management, data purge processes align naturally with offboarding workflows. When an associate exits, their personal data is erased within the applicable retention window rather than sitting dormant in the system.Secure Erasure Triggers
Xoxoday initiates data purge actions in response to four defined triggers: end of contractual obligations between Xoxoday and your organisation; user-initiated erasure requests submitted through Xoxoday’s data subject rights process; organisational changes such as mergers, acquisitions, or demergers that alter data ownership; and legal obligations requiring destruction of specific datasets under applicable law. Each trigger is treated as a binding instruction rather than an optional action, ensuring disposal happens consistently and on schedule.Data Subject Erasure Requests
Xoxoday supports the right to erasure under GDPR. When your organisation or an individual submits a deletion request, Xoxoday reviews and executes it within 30 days. This covers all copies of the relevant personal data — active records, archived records, and backups — so the request is fully honoured rather than partially actioned.Governance and Oversight
Xoxoday’s Information Security Management System (ISMS) is overseen by a Chief Information Security Officer (CISO). A dedicated Data Protection Officer (DPO) holds accountability for compliance with data retention and erasure protocols. This two-layer governance model ensures the Data Retention and Disposal Policy is not only documented but actively enforced. Xoxoday’s practices are certified against ISO/IEC 27001:2013, and the data purge policy forms a core part of that certification scope. Organisations that need to demonstrate their own GDPR or SOC 2 Type II compliance will find Xoxoday’s documented retention and erasure controls directly useful as evidence of third-party data processor obligations being met. Learn more: Xoxoday Help Centre — Data policyGDPR Compliance at Xoxoday
Understand how Xoxoday meets GDPR requirements across data collection, processing, and cross-border transfers.
Data Subject Rights and Erasure Requests
Learn how Xoxoday handles access, rectification, and deletion requests from data subjects within regulatory timelines.