Xoxoday operates under GDPR, holds a SOC 2 Type II attestation and ISO 27001 certification, encrypts data in transit (TLS 1.2 or later) and at rest (AES-256), and states that it secures data for over 65 million users globally with no recorded breach.

Global Regulatory Compliance

Xoxoday operates in compliance with GDPR, holds a SOC 2 Type II attestation and an ISO 27001 certification, and supports HIPAA obligations where they apply. All data subject rights, including access, deletion, and portability, are supported natively in the product. This makes Xoxoday deployable in regulated industries and across multiple geographies without the client having to build its own compliance tooling, although the client remains the data controller and should confirm the scope of each certification and the DPA against its own obligations.

Purpose-Limited Data Collection

Xoxoday collects only the data necessary to operate reward and recognition workflows — typically contact details and transaction records for reward processing and analytics. Data is never sold to third parties. When third-party sharing is required for reward fulfillment, such as routing a gift card through an integrated vendor, it occurs exclusively under strict data processing agreements.

Encryption and Data Localization

All data transmitted to and from Xoxoday is encrypted in transit with TLS 1.2 or later, and data at rest is protected with AES-256 encryption. For organizations with data residency requirements, including those subject to the EU GDPR or India's DPDP Act, Xoxoday supports region-specific hosting and offers both cloud and on-premise deployment options.

Access Controls and Audit Logging

Xoxoday enforces role-based access control (RBAC), so each team member can access only the data relevant to their function. As a practical example, an HR administrator syncing employee records from Workday or SAP SuccessFactors can be scoped to a role that sees only the fields required for reward eligibility, not the rest of the employee record. Multi-factor authentication (MFA) is available for all admin roles; because it is offered rather than forced, customers should enable it for every administrative account. Every access event is logged and monitored continuously.
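The field-level scoping and per-access logging described above, as an added example that is not Xoxoday's code: a default-deny map from role to readable fields, an MFA gate on administrative roles, and an audit entry for every read recording what was requested, what was granted and what was dropped. The role names, field names, actor identities and the employee record are all constructed for this example and are not Xoxoday's actual schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> fields that role may read. Default-deny: a field not listed here is
# never returned, whatever the caller asks for. Role and field names are
# assumptions for this example, not Xoxoday's real schema.
ROLE_FIELDS = {
    "hr_reward_admin": {"employee_id", "email", "department", "employment_status"},
    "finance_reviewer": {"employee_id", "department", "cost_center"},
}

# Roles treated as administrative: the session must have completed MFA.
ADMIN_ROLES = {"hr_reward_admin"}

# Constructed sample of a record synced from an HRIS (not real data).
SAMPLE_EMPLOYEE = {
    "employee_id": "E1001",
    "email": "priya@example.com",
    "department": "Engineering",
    "employment_status": "active",
    "cost_center": "CC-42",
    "salary": 185000,
    "home_address": "12 Example Street",
}


class AccessDenied(PermissionError):
    """Raised when a request is rejected outright rather than narrowed."""


@dataclass
class AuditLog:
    """In-memory stand-in for the access log every read must land in."""
    entries: list = field(default_factory=list)

    def record(self, actor, role, record_id, requested, granted, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "record": record_id,
            "requested": sorted(requested),
            "granted": sorted(granted),
            # Fields asked for but not returned: the signal worth alerting on
            # when an integration account keeps asking for more than its role.
            "denied": sorted(set(requested) - set(granted)),
            "outcome": outcome,
        }
        self.entries.append(entry)
        return entry


def scoped_read(record, actor, role, requested, audit, mfa_verified=False):
    """Return only the requested fields that `role` is allowed to read.

    Unknown roles and admin sessions without MFA are rejected and logged.
    Otherwise the read succeeds with disallowed fields dropped; the dropped
    names are recorded under "denied" in the audit entry.
    """
    requested = set(requested)
    record_id = record.get("employee_id")
    if role not in ROLE_FIELDS:
        audit.record(actor, role, record_id, requested, set(), "rejected:unknown_role")
        raise AccessDenied(f"unknown role {role!r}")
    if role in ADMIN_ROLES and not mfa_verified:
        audit.record(actor, role, record_id, requested, set(), "rejected:mfa_required")
        raise AccessDenied("MFA required for admin roles")
    # Intersect with the record's own keys so a missing field is not reported
    # as granted.
    granted = requested & ROLE_FIELDS[role] & set(record)
    audit.record(actor, role, record_id, requested, granted, "ok")
    return {name: record[name] for name in sorted(granted)}


if __name__ == "__main__":
    log = AuditLog()
    view = scoped_read(SAMPLE_EMPLOYEE, "hr.admin@example.com", "hr_reward_admin",
                       ["employee_id", "email", "salary", "home_address"], log,
                       mfa_verified=True)
    print(view)                        # salary and home_address never leave the service
    print(log.entries[-1]["denied"])   # ['home_address', 'salary']
```

Over-broad requests are narrowed rather than failed, so the audit log is the only place they show up; a practitioner reviewing a sync integration should look at the "denied" lists for its service account, not just at the records it successfully read.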

Privacy by Design

Every new feature in Xoxoday undergoes a privacy impact assessment before release. Administrators can configure data retention policies and enforce privacy rules at the individual member level. Consent is tracked for all marketing and data uses, with built-in support for opt-ins, opt-outs, and full right-to-be-forgotten workflows, so clients do not need to build bespoke compliance tooling for these requests.

Security Infrastructure and Incident Management

Xoxoday runs on AWS and Azure, protected by firewalls, intrusion detection systems, and real-time threat monitoring. Regular penetration testing and encrypted backups are standard practice. A defined breach response plan ensures that affected clients and regulators are notified within the legally mandated timelines, which under GDPR means the supervisory authority within 72 hours of the controller becoming aware of the breach.

Third-Party Audits and Client Transparency

External security firms conduct regular audits of Xoxoday’s infrastructure and controls. Clients may request audit summaries under NDA. Public privacy policies and Data Processing Addendums (DPAs) clearly define roles and obligations, helping enterprise clients — including those running integrations with Darwinbox, MS Teams, or Slack — satisfy their own downstream compliance requirements.
Learn more: Xoxoday Help Centre — Data, Policy & Privacy

SOC 2 Type II & ISO 27001 Certifications

Understand the scope and coverage of Xoxoday’s third-party compliance certifications and how to request audit documentation.

GDPR and Data Subject Rights

Learn how Xoxoday handles data access, deletion, and portability requests to support GDPR obligations for enterprise clients.