
Data Privacy & User Rights

Find answers to questions on Data Privacy and User Rights

Updated over a week ago

Q: Are there tools for clients to manage consent and privacy preferences?

Yes, Xoxoday includes built-in data privacy controls that allow end users and administrators to manage consent, opt-in preferences, and data access permissions. Clients can define data retention policies, anonymize user data on request, and ensure transparent consent collection aligned with privacy regulations. These capabilities empower users while enhancing compliance readiness.

Q: Are you able to share all user data in a usable format if requested (DSAR)?

Yes, Xoxoday has implemented a Data Subject Access Rights Procedure to handle and respond to requests for access to personal data made by data subjects, their representatives, or other interested parties.

The data protection officer is responsible for responding to DSARs. Requests are processed within 30 calendar days; where the company (Xoxoday) does not hold the requested information, or an exemption applies, the requester receives a written statement saying so. The company shall ensure that information is shared via secure channels and that each disclosure is recorded.

Q: Does the platform support compliance with digital privacy regulations (GDPR, CCPA, DPDPA)?

Yes, the Xoxoday reward payout platform aligns with the Digital Personal Data Protection Act (DPDPA) and complies with leading global privacy standards. The platform ensures end-to-end data protection through:

• Encryption: AES-256 for data-at-rest and TLS 1.2/1.3 for data-in-transit.

• Data Retention: Customizable retention rules with options for auto-purge and anonymization.

• Consent Controls: Consent is recorded during onboarding, modifiable by users, and fully auditable.

• Compliance Dashboard: A dedicated module offers audit trails and exportable reports for regulators.

• Certifications: Certified under ISO 27001, SOC 1 & 2, CCPA, CRPA and GDPR.

These capabilities ensure the platform is privacy-ready by design and suitable for regulated enterprise environments.

Q: Does Xoxoday have formal privacy, data protection, and AI ethics training for all employees?

At Xoxoday, data protection is everyone's responsibility. We run a comprehensive Security Awareness & Training Program that is mandatory for every employee, contractor, and partner.

Continuous Education

From day one, employees are trained on their specific responsibilities regarding customer data. We reinforce this through annual refreshers and ad-hoc "micro-trainings" when new threats or regulations emerge.

Curriculum Highlights

  • Global Compliance: Understanding GDPR, CCPA, and individual data rights.

  • Operational Security: Safe data handling, secure sharing, and password hygiene.

  • Responsible AI: Specialized modules for our engineering and product teams focused on AI ethics, ensuring our algorithms remain fair, transparent, and privacy-preserving.

Q: Does the platform offer consent management with audit logs?

Yes, the platform includes built-in consent management capabilities that are crucial for managing personally identifiable information (PII). Features include:

• Explicit Consent Capture: Users must opt-in to Terms & Conditions and Privacy Policy before onboarding.

• Audit Logging: Consent actions are timestamped, securely stored, and available for administrative review.

• Consent Revocation: Users can withdraw or modify consent at any time through account settings, with all changes logged.

These features ensure full traceability and compliance under local data protection regulations and global privacy frameworks.
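To make the three features above concrete (explicit capture, timestamped audit logging, and revocation with every change logged), here is an added example of an append-only consent ledger. It is not Xoxoday's code and says nothing about how the platform stores consent; the user id, purpose names, and actor labels are constructed. Each entry carries a UTC timestamp and a SHA-256 hash chained to the previous entry, so an administrator exporting the trail can also verify that no entry was altered or reordered after the fact.

```python
# Added example (not Xoxoday's code): an append-only consent ledger whose
# entries are timestamped and hash-chained, supporting opt-in, revocation
# and an exportable audit trail. All identifiers below are constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str       # constructed examples: "terms", "privacy_policy", "marketing"
    granted: bool      # True = consent given, False = consent withdrawn
    actor: str         # who recorded the change: the user or an administrator
    timestamp: str     # ISO-8601 UTC timestamp assigned by the ledger
    prev_hash: str     # hash of the preceding event; links entries into a chain
    event_hash: str    # SHA-256 over the fields above


GENESIS = "0" * 64  # prev_hash of the very first entry


def _hash_fields(user_id, purpose, granted, actor, timestamp, prev_hash):
    # Canonical JSON so the hash does not depend on field ordering.
    body = json.dumps(
        {"user_id": user_id, "purpose": purpose, "granted": granted,
         "actor": actor, "timestamp": timestamp, "prev_hash": prev_hash},
        sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Events are only ever appended; current consent is derived by replay."""

    def __init__(self, clock=None):
        self._events = []
        # Injectable clock so callers can pin timestamps; defaults to UTC now.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _append(self, user_id, purpose, granted, actor):
        prev = self._events[-1].event_hash if self._events else GENESIS
        ts = self._clock().isoformat()
        h = _hash_fields(user_id, purpose, granted, actor, ts, prev)
        ev = ConsentEvent(user_id, purpose, granted, actor, ts, prev, h)
        self._events.append(ev)
        return ev

    def grant(self, user_id, purpose, actor=None):
        return self._append(user_id, purpose, True, actor or user_id)

    def revoke(self, user_id, purpose, actor=None):
        return self._append(user_id, purpose, False, actor or user_id)

    def current_state(self, user_id):
        """Latest decision per purpose, computed by replaying the log."""
        state = {}
        for ev in self._events:
            if ev.user_id == user_id:
                state[ev.purpose] = ev.granted
        return state

    def has_consent(self, user_id, purpose):
        # Absence of a record means no consent (privacy-friendly default).
        return self.current_state(user_id).get(purpose, False)

    def audit_trail(self, user_id=None):
        """Exportable history (all users, or one user) for administrative review."""
        return [asdict(ev) for ev in self._events
                if user_id is None or ev.user_id == user_id]

    def verify_chain(self):
        """Recompute every hash; False if any entry was altered or reordered."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev:
                return False
            if _hash_fields(ev.user_id, ev.purpose, ev.granted, ev.actor,
                            ev.timestamp, ev.prev_hash) != ev.event_hash:
                return False
            prev = ev.event_hash
        return True


def demo():
    """Constructed scenario: onboarding opt-ins, then one consent withdrawn."""
    ledger = ConsentLedger()
    ledger.grant("u-123", "terms")            # opt-in at onboarding
    ledger.grant("u-123", "privacy_policy")
    ledger.grant("u-123", "marketing")
    ledger.revoke("u-123", "marketing")       # later withdrawn via account settings
    return ledger


if __name__ == "__main__":
    led = demo()
    print(json.dumps(led.audit_trail("u-123"), indent=2))
    print("marketing consent:", led.has_consent("u-123", "marketing"))
    print("chain intact:", led.verify_chain())
```

The design choice worth noting is that consent is never edited in place: a revocation is a new entry, and the current state is always replayed from the log, so the audit trail and the effective permissions cannot drift apart. The hash chain is what turns "securely stored" into something an auditor can check rather than take on trust.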

Q: Are privacy principles designed into the product lifecycle (privacy-by-design)?

Yes, privacy-by-design is integrated throughout our product lifecycle. The core privacy principles embedded in the process include:

  • Data Minimization: Only the necessary personal data is collected, processed, and retained for intended purposes.

  • Purpose Limitation: Data is used strictly for specific, legitimate purposes explicitly communicated to users.

  • Consent Management: User consent is obtained prior to processing personal data, with clear opt-in/opt-out controls.

  • Access Controls: Role-based access (RBAC) ensures only authorized personnel can access personal data.

  • Data Encryption: Personal data is encrypted both in transit and at rest to ensure confidentiality and integrity.

  • User Rights Enablement: Mechanisms are in place to enable data subject rights such as access, rectification, erasure, and portability.

  • Privacy Impact Assessments (PIAs): Conducted for new product features or changes impacting data privacy to identify and mitigate risks.

  • Default Settings: Systems are configured to the most privacy-friendly settings by default unless users opt to modify them.

These principles are applied from the requirements-gathering phase through to development, QA, release, and post-deployment monitoring, ensuring continuous alignment with regulations such as GDPR, CCPA, and other global standards.

Q: How does Xoxoday ensure the secure handling of sensitive information and maintain confidentiality?

Xoxoday ensures the confidentiality of your data through a rigorous combination of encryption, controlled access, and continuous monitoring.

We lock down sensitive information using Client-Specific Encryption Keys for data at rest and TLS 1.2 for data in transit. This means your data is unreadable to unauthorized parties at all times.

Access to our systems is governed by a strict Zero Trust model. Internal access requires VPN connectivity and Two-Factor Authentication (2FA), while Role-Based Access Controls (RBAC) ensure that employees only see the data absolutely necessary for their work.

To ensure accountability, every interaction with sensitive data is logged and audited. We conduct regular access reviews to maintain strict compliance with GDPR and global privacy standards.

Q: How is third-party risk managed across the platform ecosystem?

Xoxoday enforces strict third-party risk management protocols. Every integrated vendor or service provider is vetted through a formal risk assessment process. This includes validation of certifications like ISO 27001, SOC 2, and GDPR compliance. Risk profiles, contracts, audit histories, and data flow documentation are maintained for each third party, ensuring full traceability and data protection across the extended ecosystem.

Security Requirements

Q: Has the provider agreed not to copy, download, or store client production data to any device or server outside the production environment, even if remote access is granted?

Yes. Under no circumstances will production data be copied, downloaded, or stored outside the designated production environment. This applies to all personnel with remote access.

Q: Have background checks been conducted for all team members assigned to client locations?

Yes. Comprehensive background verification is conducted for all staff appointed to work on client-specific projects. This includes identity validation, employment history checks, and criminal record screening, ensuring only vetted professionals are involved in supporting our Xoxoday customer incentive software.
