Xoxoday retains client data for a contractually defined period after termination, preserves institutional data rights through any acquisition or insolvency event, and stores all backups within geo-fenced AWS and Azure infrastructure zones aligned to customer agreements.

Data Retention After Contract Termination

When a contract with Xoxoday ends, client data does not disappear immediately. Xoxoday maintains access to institutional data for a defined retention period as specified in the applicable data retention policy. This gives organisations time to retrieve records, run audits, or complete any outstanding reporting obligations before secure deletion takes place. Xoxoday does not retain data longer than necessary. All stored data is periodically reviewed, and once the retention window closes, secure deletion procedures are applied. Where no fixed timeline is contractually specified, Xoxoday determines retention criteria based on the purpose of data collection, its classification type, and the legal basis under which it was originally processed — consistent with GDPR requirements.

Rights During Acquisition or Bankruptcy

Corporate events — including an acquisition, restructuring, or insolvency — do not alter the rights of institutional data owners. Xoxoday’s contractual terms and data protection policies ensure that all client data continues to be processed under the original agreed terms. GDPR-aligned safeguards remain in force regardless of any change in Xoxoday’s corporate structure, meaning your organisation retains the same rights to access, portability, and deletion that it held at the point of contract signature. This is particularly relevant for enterprise customers running integrations with HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox, where employee data flows continuously into Xoxoday for recognition and rewards workflows. Xoxoday’s obligations over that data persist through any corporate transition without requiring renegotiation or re-consent from data subjects.

Geographic Control of Data Backups

All data backups are stored within secure cloud infrastructure managed by Xoxoday’s certified hosting partners, AWS and Azure. Each backup zone is geo-fenced in alignment with the customer’s geographic agreement, ensuring data remains logically isolated to the designated region. Data is encrypted both in transit and at rest across all backup environments, with no backup data routed, replicated, or transferred outside the designated infrastructure boundary without explicit written consent from the client. This architecture supports compliance with regional data residency requirements and aligns with the controls verified under Xoxoday’s ISO 27001 certification and SOC 2 Type II audit. For organisations operating across multiple geographies (for example, running a rewards programme distributed via Slack or MS Teams with employee populations in the EU and APAC simultaneously), Xoxoday enforces separate geo-fenced backup environments per region to maintain compliance with local data protection laws without cross-contaminating regional datasets.

Learn more: Xoxoday Help Centre — Data, Policy & Privacy

How Does Xoxoday Encrypt Data at Rest and in Transit?

Understand the encryption standards Xoxoday applies across all storage and transmission layers, including AES-256 and TLS 1.2+.

Is Xoxoday GDPR Compliant?

Learn how Xoxoday meets GDPR obligations for data subject rights, processing agreements, and cross-border data transfers.