Xoxoday stores and processes all application data exclusively in its US data center, with India-based support staff permitted to access customer records only on a reactive, ticket-driven basis under mandatory SSO and MFA controls.
Where Xoxoday Processes Personal Data
Xoxoday stores and processes all application data in a single US data center. No other countries or regions are involved in the core application processing pipeline. Data submitted through Xoxoday’s rewards, recognition, and loyalty workflows—including records synced from Workday, SAP SuccessFactors, or Darwinbox—stays within this single, controlled geographic environment throughout its lifecycle.The Role of Xoxoday’s India-Based Support Team
Xoxoday maintains an in-house customer support team located in India. These team members access customer data only on a reactive basis, meaning access is initiated solely when a customer submits a support ticket. There is no proactive or scheduled browsing of customer records by support staff. When a ticket arrives, the relevant support agent retrieves only the specific records needed to resolve that request. Data retrieval is strictly one-by-one; bulk exports or broad queries are not permitted for support operations. This design keeps data exposure strictly proportional to the actual support need and limits the potential impact of any unintended access.Access Controls Applied to Every Support Interaction
All customer data access by Xoxoday’s operations team is routed exclusively through internal tooling that enforces Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Support staff are not granted direct database access. Every retrieval action is logged and monitored, producing a complete audit trail that Xoxoday uses to support compliance reporting under frameworks such as ISO 27001 and SOC 2 Type II. For organizations running HR workflows through Microsoft Teams or Slack connected to Xoxoday, this means that any support interaction touching their employee data is subject to the same access governance applied across the rest of the platform.What This Means for Data Residency Requirements
If your organization’s data residency policy requires that personal data be processed only within the United States, Xoxoday’s architecture satisfies that requirement for all automated application processing. The India-based support access represents a controlled human-layer touchpoint governed by the same SSO, MFA, and audit logging infrastructure used platform-wide. Organizations subject to GDPR, CCPA, or similar data protection frameworks should account for this support-layer processing geography when completing their Data Processing Agreements with Xoxoday. Xoxoday’s security team can provide documentation detailing the full scope and controls around cross-border data access for support purposes. Learn more: Xoxoday Help Centre — Data, Policy & PrivacyWhere Is Xoxoday Application Data Stored?
Learn which data center regions Xoxoday uses, what data residency options are available, and how storage geography is documented in your Data Processing Agreement.
How Xoxoday Controls Support Team Access to Customer Data
Understand the SSO, MFA, and audit logging controls Xoxoday applies to all internal data access, including how access events are monitored and reviewed.