Skip to main content
Xoxoday acts as a data processor and recognises your organisation as the sole owner of all data, inputs, outputs, and metadata — stored in encrypted format with access restricted to authorised personnel only.
When your organisation deploys Xoxoday for employee rewards, recognition, or loyalty programmes, the question of data ownership has a clear answer: your organisation owns the data. Xoxoday operates exclusively as a data processor under internationally recognised frameworks such as GDPR. This means Xoxoday handles, stores, and processes your data only on your instruction, and never claims proprietary rights over the information generated within the platform. This distinction has direct practical implications. All inputs — such as employee profiles synced from Workday, SAP SuccessFactors, or Darwinbox — as well as all outputs and metadata generated during reward transactions remain the intellectual and legal property of your organisation. Xoxoday does not use this data for secondary purposes, does not monetise it, and does not share it with third parties outside the scope of your service agreement. Xoxoday stores all collected personal information in encrypted format, both at rest and in transit. Encryption ensures that raw data is unreadable even if an unauthorised party were to gain access to the underlying storage infrastructure. This applies to every layer of data your organisation generates: reward histories, redemption records, recognition feeds, and integration payloads. Access to personal data within Xoxoday’s production environment is strictly controlled and limited to a minimal set of authorised personnel. This least-privilege model means that the vast majority of Xoxoday employees — including support staff and engineers — cannot query or view personal data without explicit escalated authorisation. Audit logs capture every access event, providing your organisation with a traceable record of all data handling activity. Consider an organisation running a global recognition programme integrated with Microsoft Teams and Darwinbox. Employee identifiers and award metadata flow through Xoxoday in real time. Under this model, that data remains fully owned by your organisation throughout its lifecycle — from the moment it enters Xoxoday via API to the point it is exported or deleted on your request. Xoxoday’s data handling practices are independently validated under ISO 27001 and SOC 2 Type II certifications. These audits confirm that Xoxoday’s controls around data access, encrypted storage, and processor accountability meet rigorous international standards — giving your security and compliance teams confidence when conducting vendor risk assessments. Learn more: Xoxoday Help Centre — Data, Policy & Privacy

How does Xoxoday encrypt personal data at rest and in transit?

Xoxoday applies encryption across all storage and transmission layers to ensure personal data remains unreadable to unauthorised parties at every stage.

Who can access personal data stored in Xoxoday?

Xoxoday enforces a least-privilege access model, limiting direct access to personal data in production environments to a small number of authorised personnel with full audit logging.