Xoxoday confirms that all customer and programme data remains the full property of your organisation throughout the contract lifecycle, and is securely deleted or returned per your explicit instructions upon termination.
Your data, your rules
Xoxoday acts as a data processor on your behalf, not as an independent data controller over your programme information. This distinction matters significantly under regulations like GDPR, where data controller responsibilities — including individual rights requests and breach notifications — remain with your organisation. The contractual relationship is formalised through a Data Processing Agreement (DPA), which defines permissible processing activities, retention windows, sub-processor obligations, and data subject rights procedures. For organisations integrated with HR systems such as Workday, SAP SuccessFactors, or Darwinbox, employee and programme data that flows through Xoxoday is processed strictly within the parameters your IT and legal teams define. Xoxoday does not mine, sell, or leverage your data for any purpose outside your agreed programme scope.What happens when the contract ends
Upon contract termination, Xoxoday provides two options for data disposition: secure return or certified deletion. Your organisation specifies the preferred method as part of the offboarding process, and Xoxoday fulfils that instruction in line with industry-standard data destruction protocols, including certified data wiping methods that meet regulatory expectations. No residual copies of your data are retained beyond the agreed retention window. This applies to live environment data as well as backups maintained for disaster recovery purposes, which are cycled out according to the retention schedule documented in the DPA. The process ensures no orphaned data persists in Xoxoday’s infrastructure after the contract closes.Compliance documentation and auditability
All data handling commitments are documented in contractual instruments, not simply policy pages. The DPA and supplementary data processing schedules provide a written, auditable record of your rights and Xoxoday’s obligations, giving your legal and compliance teams the assurance they require for vendor due diligence reviews. Xoxoday maintains ISO 27001 certification and SOC 2 Type II attestation — both independently audited frameworks that validate controls over data security, availability, and confidentiality, including data destruction procedures. For teams coordinating programme transitions internally through Slack or Microsoft Teams, Xoxoday’s offboarding documentation can be shared directly with procurement, IT, and legal stakeholders to streamline the data return or deletion workflow. Learn more: Xoxoday Help Centre — Data, Policy & PrivacyData Processing Agreement (DPA)
Understand what Xoxoday’s DPA covers, including processing scope, sub-processor obligations, and your rights as a data controller.
Data Retention Policy
Learn how long Xoxoday retains different categories of programme data and how retention windows are defined in your contract.