Xoxoday acts solely as a data processor — your organisation retains full ownership and control of its data at all times, including after contract termination.
Data ownership is always yours
Xoxoday operates as a data processor under your organisation’s instruction, not as a data controller or owner. This distinction is foundational to how Xoxoday handles client data and aligns with GDPR data processing requirements. Your organisation defines what data is collected, how it is used, and when it is deleted. Xoxoday never claims ownership over customer-generated data, reward transaction records, or employee engagement information stored within the platform.Access and export during the contract
Throughout the contract period, Xoxoday provides complete access to your data. You can export all records at any time in CSV or JSON formats, making it straightforward to integrate or migrate data into systems like Workday, SAP SuccessFactors, or Darwinbox. This flexibility ensures your organisation is never locked into Xoxoday’s infrastructure. Whether you need a one-off export for an internal audit or a scheduled data pull for your HR information system, Xoxoday supports both without restriction.What happens when the contract ends
Upon contract termination, Xoxoday ensures a smooth and compliant data transition. Customer-generated data remains available until the contract expiry date, giving your team sufficient time to retrieve or migrate records before any archival action is taken. Xoxoday supports three outcomes at end of contract: continued data availability for a defined period, secure archival, or complete deletion — all executed in accordance with GDPR obligations and your specific contractual terms. Your organisation chooses the outcome; Xoxoday executes it.Retention schedules and backup security
Xoxoday applies clearly defined retention rules across data types. System logs are archived after 7 days. Backup copies of your data are securely retained for 7 years, providing a reliable recovery baseline consistent with SOC 2 Type II and ISO 27001 requirements. If your organisation requires verifiable proof of deletion, Xoxoday supports cryptographic destruction of backup data upon request. This produces an audit trail confirming backup copies have been permanently and irreversibly destroyed — a standard requirement for organisations subject to GDPR’s right to erasure.A practical example
Consider an organisation running a multi-year employee recognition programme through Xoxoday, with notifications surfaced via Slack and Microsoft Teams. When the contract concludes, the organisation exports all recognition history, point balances, and redemption records in JSON format before the termination date. If the data is no longer needed downstream, a deletion request triggers cryptographic destruction of all backup copies, and Xoxoday provides written confirmation for compliance and audit purposes. Learn more: Xoxoday Help Centre — DATA PROTECTION, RETENTION & USEHow does Xoxoday handle GDPR compliance?
Understand how Xoxoday meets GDPR requirements for data processing, lawful basis, and the right to erasure.
What encryption standards does Xoxoday apply?
Learn about the encryption protocols Xoxoday uses to protect data at rest and in transit.