Xoxoday retains operational data on primary storage for up to 7 years, after which it is securely archived in AWS Glacier cold storage or permanently destroyed using cryptographic erasure techniques, in full compliance with GDPR and applicable global data protection regulations.

Data Lifecycle Management at Xoxoday

Xoxoday applies a structured, policy-driven approach to data lifecycle management covering every stage from active use through long-term archival and final destruction. This process ensures your organisation’s data is handled responsibly and in accordance with international regulatory requirements throughout its entire lifespan.

Active Retention on Primary Storage

Xoxoday retains data on primary storage systems for up to 7 years. This includes transaction logs, system events, audit trails, and operational records generated during the delivery of rewards, recognition, and incentive programmes. The retention window aligns with regulatory requirements across major jurisdictions including the European Union, the United States, and the Asia-Pacific region.

Archival to AWS Glacier Cold Storage

Once data has passed the active retention period, Xoxoday transfers it to AWS Glacier cold storage — Amazon’s purpose-built infrastructure for long-term, cost-efficient archival. AWS Glacier is specifically designed for data that is infrequently accessed but must remain retrievable on demand. Archived records include transaction histories, audit logs, and system event data tied to your organisation’s programme activity. Archived data remains encrypted using enterprise-grade protocols for the full duration of its time in cold storage. Strict access controls govern who can retrieve archived data, and all retrieval activity is logged for accountability. For organisations running reward programmes integrated with HR platforms such as Workday or SAP SuccessFactors, these archived records provide a reliable foundation for compliance audits and historical reporting.

Retrieval When Required

Xoxoday makes archived data retrievable when there is a legitimate compliance, legal, or analytical need. This ensures your organisation can respond to regulatory enquiries, litigation holds, or internal investigations without data being prematurely or irreversibly removed.

Secure Destruction via Cryptographic Erasure

When data is no longer required — whether because it has exceeded all retention thresholds or upon a formal client request — Xoxoday performs secure destruction using cryptographic erasure. This technique renders data permanently unreadable by destroying the underlying encryption keys, without requiring physical media destruction. Cryptographic erasure satisfies the requirements of GDPR Article 17 (the right to erasure) and aligns with Xoxoday’s certifications under ISO 27001 and SOC 2 Type II.

Compliance Across Regulatory Frameworks

Xoxoday’s data archival and destruction processes are designed to satisfy multiple regulatory regimes simultaneously. Whether your organisation operates under GDPR, regional data protection laws, or sector-specific compliance mandates, Xoxoday’s lifecycle management framework delivers a consistent, auditable, and defensible approach to data handling from creation through final destruction.

Learn more: Xoxoday Help Centre — DATA PROTECTION, RETENTION & USE

Data Retention Periods and Storage Policy

Understand how long Xoxoday retains different categories of data on primary storage and what governs retention period decisions.

Encryption Standards for Data at Rest and in Transit

Learn how Xoxoday applies enterprise-grade encryption to protect stored, archived, and in-transit data across its infrastructure.