Xoxoday builds privacy-by-design principles (data minimisation, purpose limitation, consent management and role-based access control) into every stage of the product lifecycle to support ongoing compliance with GDPR, CCPA and other privacy regulations.
Privacy-by-design is not a post-launch consideration at Xoxoday; it is built in from the moment a new feature enters requirements gathering. Every later stage (development, QA, release and ongoing monitoring) is governed by the same set of privacy principles, which determine how personal data is handled.
Data minimisation and purpose limitation come first. Xoxoday collects only the personal data needed for a stated purpose and does not repurpose it beyond what users were told at the time of collection. When your organisation integrates Xoxoday with an HR platform such as Workday or SAP SuccessFactors, only the employee attributes needed to deliver rewards and recognition are exchanged, and nothing more.
Consent and default settings work together to keep users in control. Consent is obtained before personal data is processed, with clear opt-in and opt-out controls exposed at the user level. Systems ship with the most privacy-protective settings as defaults, so employees who access Xoxoday through Slack or Microsoft Teams start with minimal data exposure unless they choose to change their preferences.
Access controls and encryption limit who and what can reach the data. Role-based access control (RBAC) restricts viewing and processing of personal data to authorised personnel, reducing internal exposure. All personal data is encrypted in transit and at rest, so it remains confidential wherever it flows within the Xoxoday infrastructure.
User rights and Privacy Impact Assessments (PIAs) close the loop. Xoxoday provides mechanisms to fulfil data subject rights (access, rectification, erasure and portability) in line with GDPR and CCPA obligations. Before any new feature or significant product change that touches personal data is released, a PIA is carried out so that risks are identified and mitigated before the change reaches production.
This end-to-end approach means privacy governance does not rest with a compliance team alone; it is operationalised across engineering, product and QA. Independent audits against ISO 27001 and SOC 2 Type II provide external evidence that these controls are in place and consistently enforced, not merely aspirational.
Learn more: Xoxoday Help Centre — Data, Policy & Privacy