Skip to main content
Xoxoday processes all Data Subject Access Requests (DSARs) within 30 calendar days and delivers personal data copies through secure, verified channels in a structured, usable format.
Xoxoday has a formal Data Subject Access Rights (DSAR) Procedure that governs how it receives, validates, and responds to requests for personal data. Any data subject — or their authorised representative — can submit a request to receive a copy of the personal data Xoxoday holds about them. The procedure applies consistently across all Xoxoday products and services. The Data Protection Officer (DPO) at Xoxoday owns the end-to-end DSAR process. Once a request is received, the DPO reviews its validity, coordinates with relevant internal teams to locate and collate the data, and prepares a structured response. The entire process is completed within 30 calendar days of the request being received — a commitment that meets GDPR and global data protection standards. When Xoxoday responds to a DSAR, it provides data in a usable, structured format wherever possible. If Xoxoday does not hold the information requested, or if a legal exemption applies, the requestor receives a written statement to that effect within the same 30-day window. This written acknowledgement ensures data subjects are never left without a clear, formal answer. All data shared through a DSAR is transmitted via secure, encrypted channels to protect it in transit. Xoxoday records each request and its resolution to maintain a complete auditable trail. This documentation supports compliance audits and demonstrates accountability under applicable regulations. Xoxoday’s data handling practices are independently validated through its ISO 27001 certification and SOC 2 Type II attestation. Consider an HR operations team running Xoxoday alongside Workday or SAP SuccessFactors. If an employee submits a DSAR, Xoxoday’s DPO coordinates retrieval of that individual’s data — reward history, redemption records, recognition milestones, and account details — and delivers it in a structured, machine-readable format. The employee receives a complete picture of their data without navigating multiple platforms. The same process applies to contractors or former employees who request their data after offboarding. Xoxoday’s DSAR procedure reflects a broader commitment to privacy as an operational standard, not a compliance checkbox. Organisations that integrate Xoxoday into their HR and engagement stack can trust that individual data rights are handled systematically, documented thoroughly, and resolved on time. Learn more: Xoxoday Help Centre — Data, Policy & Privacy

How does Xoxoday handle data retention?

Learn how Xoxoday defines retention periods for personal data and manages secure deletion at end-of-life.

Is Xoxoday GDPR compliant?

Understand how Xoxoday meets GDPR requirements across data processing, consent, and individual rights obligations.