Xoxoday clients retain full, exclusive ownership of all customer data generated through the rewards, incentives, and payout platform, with Xoxoday functioning strictly as a data processor bound by contractual and regulatory obligations under GDPR and CCPA.

Data Ownership on Xoxoday

When an organization deploys Xoxoday to run employee recognition programs, customer loyalty campaigns, or incentive payouts, every piece of data generated by end-users belongs entirely to that client organization. Xoxoday never claims ownership of, or independent rights to, the personal data flowing through the platform. This principle is codified in the Data Processing Agreement (DPA) that governs every client relationship.

Xoxoday’s role is that of a data processor, not a data controller. Instructions for how data is collected, stored, and used originate with the client. This distinction matters practically: it means clients can fulfill data subject requests — such as those mandated under GDPR Article 17 (right to erasure) — without depending on Xoxoday to initiate the process.

Xoxoday builds opt-in and opt-out mechanisms directly into the end-user experience. A recipient redeeming a reward through a Xoxoday-powered program embedded in Slack or Microsoft Teams can view, grant, or withdraw consent for data collection at any point. These controls are not add-ons; they are architectural features designed to satisfy consent-based marketing regulations across regions.

For organizations running HR workflows through Workday, SAP SuccessFactors, or Darwinbox, Xoxoday’s HRIS integrations respect data minimization principles — only the fields necessary to execute a reward or recognition event are exchanged between systems.

Privacy-by-Design Architecture

Xoxoday applies privacy-by-design principles across its entire data lifecycle. Personal information is protected through encryption at rest and in transit, role-based access controls, and pseudonymization where operationally appropriate. These controls underpin Xoxoday’s ISO 27001 certification and SOC 2 Type II attestation, both of which are independently audited on a recurring basis. Data is never repurposed for Xoxoday’s own marketing or analytics without explicit client instruction. Retention schedules are configurable at the client level, ensuring organizations meet their own internal governance policies and regional regulatory requirements simultaneously.

Analytics Without Privacy Trade-Offs

Clients can still extract meaningful business intelligence from their Xoxoday data. The platform provides reporting and analytical capabilities — such as program engagement rates, redemption trends, and budget utilization — that operate on aggregated or anonymized datasets. This means a People Operations team can measure the effectiveness of a recognition program without exposing individual employee data to broader stakeholders or third-party systems. This approach allows organizations to make confident, data-driven decisions about incentive strategy while maintaining the trust of the employees and customers participating in those programs.