Skip to main content
Xoxoday stores your data as a data processor only — your organisation retains full ownership of all data on Xoxoday and can export it at any time.
Your data belongs to your organisation. When you store employee, rewards, or engagement data on Xoxoday, that data remains your property throughout the lifecycle of your relationship with Xoxoday — and after it ends. Xoxoday operates strictly as a data processor. This means Xoxoday processes data on your behalf, under the instructions defined in your service agreement, and for no other purpose. Xoxoday does not use your data for its own analytics, product development, or any third-party purpose outside the agreed scope.

What data ownership means in practice

Your organisation controls what data enters Xoxoday, how it is used within the product, and when it leaves. This includes employee reward histories, recognition records, loyalty programme data, and information flowing in through integrations with HR systems such as Workday, SAP SuccessFactors, or Darwinbox. The data processed through these integrations remains yours — Xoxoday processes it solely to deliver the agreed service.

Data export and portability

Xoxoday provides data export capabilities so your organisation can retrieve its data at any time, in a structured and portable format. Whether you need a full audit trail of redemption activity or a snapshot of engagement metrics, your data is accessible on demand. This ensures you are never locked in and can migrate your data freely if your requirements change.

Contractual protections

Data ownership is not just a policy commitment — it is formalised in Xoxoday’s Data Processing Agreement (DPA), which defines the roles of data controller (your organisation) and data processor (Xoxoday). The DPA governs how Xoxoday handles your data and what obligations apply in the event of a security incident or service termination. Xoxoday maintains ISO 27001 certification and SOC 2 Type II compliance, providing independent assurance that data is handled with rigorous controls. These certifications cover how data is accessed, stored, and protected across Xoxoday’s infrastructure.

A practical example

Consider an organisation running a global employee recognition programme on Xoxoday, connected to Workday via integration. When an employee redeems a reward, that transaction data is processed by Xoxoday solely to fulfil the reward. The organisation can export that transaction log at any point — for internal reporting, compliance audits, or system migration — without restriction from Xoxoday. At the end of a service term, Xoxoday returns or securely deletes your data in accordance with your instructions and applicable data retention obligations, ensuring no residual data remains in Xoxoday’s systems beyond the agreed period.
Learn more: Xoxoday Help Centre — Data Ownership

Data Processing Agreement

Understand how Xoxoday’s DPA formalises its role as a data processor and protects your organisation’s rights as data controller.

Security Certifications

Learn about Xoxoday’s ISO 27001 and SOC 2 Type II certifications and what independent assurance they provide for your data.