Xoxoday holds ISO 27001 and ISO 14001 certification, has completed SOC 2 Type II attestation, and complies with HIPAA, GDPR, and CCPA/CPRA. It does not store or process payment card data, so PCI DSS does not apply to its operations.

Regulatory Compliance and Certifications

Xoxoday meets a broad set of international data protection and information security standards, covering employee and customer data in every region where it operates, whether a rewards program runs in the EU, the US, or Southeast Asia. For European operations, Xoxoday complies with GDPR: it supports the data subject rights the regulation requires, implements consent mechanisms, and enters into Data Processing Agreements with customers acting as controllers. For organizations headquartered in California or serving California residents, Xoxoday also satisfies CCPA and CPRA requirements, including opt-out rights and data deletion workflows.

ISO 27001 and Environmental Standards

Xoxoday holds ISO 27001 certification, the globally recognized standard for information security management systems. This means Xoxoday's controls around data access, incident response, and risk management have been independently audited against the standard. As with any ISO 27001 certificate, the assurance is bounded by the certificate's stated scope, so vendor risk teams should read the scope statement to confirm that the services they use are covered. Xoxoday also carries ISO 14001 certification, which demonstrates a structured approach to environmental management and is relevant for organizations with active ESG reporting obligations.

SOC 2 Type I and Type II

Xoxoday has completed both SOC 2 Type I and SOC 2 Type II audits. Type II is the more rigorous of the two: a Type I report assesses whether controls are suitably designed at a point in time, while a Type II report also tests whether those controls operated effectively over a review period, commonly six to twelve months. For enterprise customers integrating Xoxoday with HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox, the SOC 2 Type II report provides auditable evidence that data flowing between systems is handled securely throughout. When reviewing the report, check the system description for the in-scope services and the auditor's opinion for any noted exceptions, since the report itself, not the summary badge, is the evidence a vendor risk assessment relies on.

HIPAA Compliance

Xoxoday is HIPAA-compliant, which matters for healthcare organizations that need to ensure their rewards and recognition workflows do not expose protected health information (PHI). This is particularly relevant when Xoxoday is deployed inside teams whose employee records intersect with health and benefits systems. Because HIPAA has no formal certification scheme, covered entities should confirm with Xoxoday which safeguards are in place and whether a Business Associate Agreement is available before any PHI can enter the platform.

What About PCI DSS?

PCI DSS applies to organizations that store, process, or transmit payment card data. Xoxoday does not store or process any payment card information, so PCI DSS is not applicable to Xoxoday's infrastructure. Reward redemptions and fulfillment are handled in ways that keep card data entirely outside Xoxoday's systems; organizations that fund programs by card should confirm which third party handles that payment, since the PCI DSS obligations for those transactions sit with that party rather than with Xoxoday.

Practical Impact for IT and Compliance Teams

When deploying Xoxoday alongside collaboration tools like Slack or Microsoft Teams, or syncing employee records from Darwinbox, compliance documentation, including audit reports and Data Processing Agreements, is available on request. IT and legal teams can map Xoxoday's certifications directly to their vendor risk frameworks without relying on informal assurances. Learn more: Xoxoday Help Centre — Rules and regulations

How does Xoxoday protect employee data?

Learn about Xoxoday’s encryption standards, access controls, and data handling practices that safeguard employee information at rest and in transit.

What are Xoxoday's data retention and deletion policies?

Understand how Xoxoday manages data lifecycle, including retention periods and deletion workflows aligned with GDPR and CCPA obligations.