Xoxoday processes customer data exclusively for the purposes defined in your contract, adhering strictly to GDPR Article 5’s principle of purpose limitation — your data is never used for analytics, model training, or marketing without your explicit agreement.
When your organisation deploys Xoxoday for employee rewards through integrations with Workday, SAP SuccessFactors, or Darwinbox, the data exchanged — employee identifiers, recognition events, redemption activity — is processed only to deliver those specific reward and recognition functions. Xoxoday does not route that data to secondary systems for behavioural analytics, AI model training, or cross-client benchmarking unless a separate, explicit agreement is in place.

This commitment is grounded in the principle of purpose limitation, codified under GDPR Article 5(1)(b). Purpose limitation requires that data collected for one defined reason not be repurposed later without a fresh legal basis or consent. Xoxoday’s data processing agreements (DPAs) document each processing activity, its lawful basis, and the exact scope of use — leaving no ambiguity about what happens to your data.

Consider a common enterprise scenario: an HR team integrates Xoxoday with Microsoft Teams or Slack to run a peer-recognition programme. Employee names, department tags, and recognition messages flow into Xoxoday to power the programme experience. That data stays scoped to the recognition workflow. Xoxoday does not aggregate it for product-level analytics reports, does not feed it into recommendation engines, and does not use it to market to your employees or partner organisations.

Xoxoday’s information security programme — audited against ISO 27001 and attested under SOC 2 Type II — embeds purpose limitation as a control requirement, not just a contractual promise. Access to client data within Xoxoday systems is role-restricted, logged, and reviewed so that internal teams can only process data for the purposes the contract authorises.

If your organisation requires an expanded processing scope — for example, anonymised aggregate data to power custom reward analytics dashboards — that must be negotiated, documented, and added to the DPA before any such processing begins. Xoxoday treats the contract as the authoritative boundary, and no internal team has the discretion to widen that boundary unilaterally.

This approach protects your organisation from third-party data misuse risk and simplifies your own compliance obligations. When auditors or regulators ask how your reward platform handles employee data, you can point to a clear, contractually bounded scope backed by a certified security programme.

Learn more: Xoxoday Help Centre — DATA PROTECTION, RETENTION & USE

How long does Xoxoday retain customer data?

Understand Xoxoday’s data retention schedules, deletion timelines, and how your organisation can request erasure in line with GDPR obligations.

Is Xoxoday compliant with GDPR?

Learn how Xoxoday meets GDPR requirements across lawful basis, data subject rights, DPAs, and cross-border data transfer mechanisms.