Xoxoday processes and stores personal data in full compliance with GDPR, CCPA, ISO 27001, and SOC 2 Type II, applying role-based access controls, end-to-end encryption, and a formal 7-year data retention policy for active clients.
Xoxoday processes and stores personal data under a compliance framework that covers GDPR, CCPA, Belgian privacy laws, and other international data protection regulations. Xoxoday holds ISO 27001 certification and SOC 2 Type II attestation — two of the most rigorous third-party validations available for enterprise SaaS. These certifications are renewed on a regular cadence and cover data handling practices, access controls, and incident response procedures.

All data managed by Xoxoday is encrypted at rest and in transit using industry-standard protocols. Role-based access controls (RBAC) ensure that only authorized personnel can view or modify sensitive information, and every access event is captured in detailed audit trails. When Xoxoday integrates with enterprise systems such as Workday, SAP SuccessFactors, or Darwinbox, employee data exchanged over API connections is protected end-to-end by the same encryption and access policies applied to native data stores.

Xoxoday follows a formal Records Retention Policy that governs how long different categories of data are kept. System-generated data — including logs and performance metrics — is archived after 7 days. Customer and tenant-level data remains active for the duration of the contract, and the standard retention window for active clients is 7 years. At the end of the retention period, data is disposed of in accordance with Xoxoday’s GDPR Data Retention and Disposal Policy.

To make this concrete: consider an enterprise running Xoxoday’s rewards and recognition program alongside communication tools like Slack or Microsoft Teams. Employee profile data synced from an HRMS such as Darwinbox is stored in an isolated client tenant and never commingled with another organization’s data. Every administrative action taken within that tenant is logged and auditable. At contract end, data is retained for the standard 7-year period or disposed of on request, fully aligned with GDPR Article 17 obligations.
Xoxoday’s data ownership posture is built to satisfy enterprise procurement teams, IT security reviewers, and Data Protection Officers. The combination of certified infrastructure, contractual retention commitments, and documented disposal processes means organizations can deploy Xoxoday across global workforces with full confidence in their compliance standing.

Learn more: Xoxoday Help Centre — Data Ownership

Encryption at Rest and in Transit

Learn how Xoxoday applies industry-standard encryption to protect data across storage and all API and integration channels.

Role-Based Access Controls and Audit Trails

Understand how Xoxoday enforces RBAC and maintains detailed audit logs to ensure only authorized access to sensitive data.