Xoxoday’s data disposal procedures align with NIST SP 800-88 Guidelines for Media Sanitization, ensuring certified secure deletion of electronic data and mandated physical shredding of storage media when data is no longer required.

Xoxoday’s data disposal process is governed by a formal GDPR Data Retention and Disposal Policy that mandates certified deletion methods for all electronically stored personal data. When data reaches the end of its defined retention period, Xoxoday applies secure erasure techniques that meet or exceed the technical thresholds established by NIST SP 800-88 Guidelines for Media Sanitization. This applies across all environments — cloud infrastructure, on-premise integrations, and internal systems.

For electronic media, Xoxoday uses certified secure deletion tools that render data unrecoverable in line with the NIST SP 800-88 Clear and Purge categories. These controls apply to data processed across Xoxoday’s rewards and recognition infrastructure, including data ingested through HRMS integrations with platforms such as Workday, SAP SuccessFactors, and Darwinbox. When an integration is decommissioned or a data subject submits a deletion request under GDPR, Xoxoday’s disposal workflow is triggered, executed, and logged for audit purposes.

Physical storage media follows an equally rigorous process. Xoxoday mandates physical shredding for hardware that holds personal data, ensuring no recoverable data remains on decommissioned devices. This aligns with the Destroy category in NIST SP 800-88 — the highest tier of sanitization, and the one NIST recommends for sensitive personal and financial information.

On the question of DoD 5220.22-M: while this standard was historically used as a benchmark for multi-pass overwriting, NIST has formally moved away from recommending multi-pass overwrites as necessary for modern storage technologies. Xoxoday’s disposal methods reflect current NIST guidance rather than the superseded DoD 5220.22-M approach, meaning the technical controls applied are calibrated to the most up-to-date standards for data erasure and destruction.

Xoxoday holds ISO 27001 certification and SOC 2 Type II attestation, both of which require documented and auditable data lifecycle controls, including disposal. These independent validations confirm that Xoxoday’s disposal policies are not only written down but operationally enforced and verifiable. Security and procurement teams evaluating Xoxoday can request audit reports and policy documentation as part of vendor due diligence reviews.

For organizations in regulated industries — including HR technology, financial services, and healthcare — Xoxoday’s disposal standards support compliance beyond GDPR, covering regional requirements such as India’s Digital Personal Data Protection (DPDP) Act and applicable US state privacy laws.

Learn more: Xoxoday Help Centre — Data, Policy & Privacy

How does Xoxoday handle data retention periods?

Understand how Xoxoday defines, enforces, and documents data retention schedules across its rewards and recognition platform.

Is Xoxoday GDPR compliant?

Learn how Xoxoday implements GDPR controls including lawful basis for processing, data subject rights, and cross-border transfer safeguards.

What certifications does Xoxoday hold?

Xoxoday maintains ISO 27001 and SOC 2 Type II certifications — explore what each attestation covers and how to request audit reports.

How does Xoxoday process personal data deletion requests?

See how Xoxoday handles the right to erasure under GDPR, including timelines, scope, and confirmation of deletion.