Xoxoday maintains a fully documented and actively implemented media handling procedure covering data sanitisation, repurposing, and end-of-life disposal of storage media, certified under ISO 27001 and SOC 2 Type II and aligned with GDPR requirements.
Xoxoday maintains a documented media handling procedure that governs how physical and digital storage media is managed across its entire lifecycle — from initial use through repurposing, retirement, and secure destruction. This process is not aspirational; it is actively implemented and independently audited as part of Xoxoday’s information security management system.

The procedure addresses three critical phases: active media use, repurposing of storage assets, and end-of-life disposal. When media is repurposed for a different function or system, Xoxoday applies data-sanitisation techniques that ensure no residual data can be recovered. When media reaches end-of-life, secure erasure is performed across all storage types — including hard drives, SSDs, backup tapes, and portable devices — before any decommissioning or disposal takes place.

Xoxoday’s media handling process is certified under ISO 27001, the internationally recognised standard for information security management. ISO 27001 certification requires organisations to document their media policies and demonstrate consistent implementation through independent third-party audits. Xoxoday also holds SOC 2 Type II certification, which validates that security controls — including media handling — operate effectively over an extended observation period, not just at a single point in time.

In practice, this means that when your organisation’s data is stored on Xoxoday’s infrastructure — whether processing redemption data through Xoxoday Plum, engagement metrics through Xoxoday Empuls, or loyalty programme data integrated via Workday or SAP SuccessFactors — that data is protected throughout its full lifecycle. At end-of-life, storage media is sanitised so that no data residue remains, regardless of how data originally entered the system.

Xoxoday’s media handling procedures also align directly with GDPR’s requirements for data erasure and the principle of storage limitation. GDPR mandates that personal data is not retained beyond its necessary period, and Xoxoday’s end-of-life media controls support this obligation. Organisations operating across the EU or subject to GDPR can rely on Xoxoday’s certified processes to meet their own downstream regulatory requirements.

SOC 2 Type II reports are available to enterprise customers and procurement teams through a formal request process, providing detailed evidence of how media handling controls perform in practice. This transparency is designed to support your organisation’s vendor due diligence without requiring assumptions about Xoxoday’s security posture.

Learn more: Xoxoday Help Centre — Data, Policy & Privacy
