Data
Q: Where is customer data stored geographically?
The Xoxoday rewards, incentives, and payout platform ensures secure, compliant, and globally accessible data hosting infrastructure through Amazon Web Services (AWS).
Key aspects of data storage include:
• Primary Data Centers in the United States: All customer data is stored on AWS cloud infrastructure, with primary hosting facilities located within the United States.
• High Availability and Redundancy: The platform leverages AWS’s geographically distributed data centers to ensure business continuity, high availability, and disaster recovery.
• ISO 27001 and SOC 2 Compliance: All hosting infrastructure complies with globally recognized data protection and security standards.
• Data Encryption: Customer data is encrypted both in transit (via TLS 1.2) and at rest (via AES-256 encryption), ensuring maximum security.
• Optional Regional Hosting: For enterprise clients, data can also be hosted in other jurisdictions such as Singapore or the European Union, based on compliance and data residency requirements.
This architecture ensures that customer data is protected by rigorous physical, administrative, and technical safeguards as outlined by AWS.
Data, Policy and Privacy
Q: What are Xoxoday’s data security practices?
Xoxoday follows a comprehensive, enterprise-grade information security framework to fully protect customer and end-user data.
Core data security practices:
Certifications: ISO 27001, SOC 2 Type II, GDPR-compliant
Encryption: AES-256 for data at rest; TLS 1.2+ for data in transit
Access Management:
Role-based access control (RBAC)
Multi-factor authentication (MFA)
Least privilege principle
Regular access reviews and logs
Cloud Infrastructure:
Hosted on AWS with VPC isolation and auto-scaling
Monitored using real-time security event tracking and anomaly detection
Data Retention & Deletion: Aligned with client contracts, GDPR, and PIPL retention requirements
Audits & Testing:
Periodic internal audits
Annual third-party vulnerability assessments
Penetration testing and risk remediation workflows
Incident Management: Structured incident response plan with SLA-bound notification and containment steps
Ensures high availability, confidentiality, and integrity of data across all geographies and client use cases
Q: Does the customer retain copyright on customizations made to the platform?
All proprietary rights, including customizations built within the Xoxoday gift card marketplace or customer incentive software framework, remain with the platform provider. Clients may use these customizations as part of their subscription but do not acquire ownership of the platform’s source code or IP.
Q: How does the platform maintain detailed records of transactions for audit and compliance purposes?
The Xoxoday customer rewards platform keeps comprehensive logs of all payments, user actions, and redemptions, ensuring audit readiness, transparency, and compliance. Authorized administrators can access these records anytime via the reporting dashboard.
Q: Where can I find the privacy policy or product/service privacy notice for the platform?
Xoxoday’s privacy notice is publicly accessible via its official website and outlines its full commitment to data privacy and user rights.
Privacy notice includes:
• The types of personal data collected across services.
• Purposes for data processing (e.g., reward fulfillment, communication, analytics).
• Legal basis under GDPR, CCPA, and other applicable frameworks.
• User rights and instructions for submitting access or deletion requests.
• Contact details for privacy and data protection queries.
The privacy policy can be accessed on https://www.xoxoday.com/security
AI Data Security
Q: Can sensitive data be removed from your solution’s AI model upon request?
Yes, the Xoxoday rewards, incentives, and payout platform is designed with enterprise-grade data governance and compliance frameworks that support the removal or de-identification of sensitive data from AI models and systems, upon valid customer requests. Below is a breakdown by product.
Xoxoday Rewards, Incentives, and Payout Platform
Data deletion upon request: The platform supports data subject rights under regulations like GDPR and CCPA, including the right to erasure (“right to be forgotten”), which applies to both structured and unstructured data—including inputs processed by AI systems.
Model behavior isolation: LLM-based AI features (e.g., reward explanation bots) do not persist user-specific training data beyond a session scope. Any user-specific data processed during AI interactions can be purged without impacting model performance.
Multi-tenant architecture: Each client's data—including AI interaction history—is logically segregated with encryption keys per tenant, allowing secure and isolated deletion actions.
Audit support: Administrators can request audit logs or deletion confirmations for compliance reviews.
Deactivation of AI modules: For sensitive cases, AI modules (like LLM reward explainers) can be disabled for specific tenants or use cases, ensuring no further processing occurs.
Employee Engagement Platform
PII sanitization via content moderation: Em's AI scans and blocks the ingestion of personally identifiable information before it's processed by internal models, preventing long-term retention by design.
Consent-based AI processing: AI-driven analytics such as skill mapping, sentiment analysis, and recognition insights are governed by internal privacy policies, allowing user or admin-led revocation of processed data.
Data control APIs: Admins can raise requests to remove engagement logs and user-generated content used in AI training.
Sales Incentives Platform
Custom dashboards and reports built through natural language queries do not permanently train AI models on client data. These are temporarily cached and can be purged or redacted based on user role or admin request.
Data deletion workflows: Uploaded sales data, including sensitive information used in analytics, can be deleted at the user or organization level via administrative workflows and support teams.
Loyalty Platform
While direct LLM integration is limited at present, all customer data used in AI-driven segmentation or CLTV prediction models can be excluded or deleted upon request, thanks to configurable segmentation rules and data access policies.
Merchant Offer Platform
AI modules that use personalization logic operate within secure, tenant-specific boundaries. Sensitive user or partner data involved in offer targeting can be excluded or wiped via admin-level operations or customer success support.
Q: Is user input data used to influence or train the AI model within your platform?
Xoxoday uses user input data to enhance feature performance and personalization, not to train generalized or foundational AI models.
Purpose: Data is leveraged for smart recommendations, sentiment analysis, predictive analytics, and engagement insights.
Patterns used: Recognition activity, reward redemptions, and survey feedback inform contextual outputs.
Personalization focus: Inputs are applied to improve user-specific experiences within the platform.
Examples: Skill mapping from recognition messages, reward suggestions based on behavior, and predictive trends for retention and engagement.
Q: Does your platform provide logging for AI features, including user actions, dates, and timestamps?
Yes. The platform provides real-time analytics and reporting with detailed user activity logs.
AI Co-pilot tracks active users, pending nominations, award givers/receivers, budget utilization, and engagement reports
Logs are time-bound and actionable, helping admins monitor AI usage over time
Supports auditability and transparency, with timestamped logs available for compliance needs
Q: Do you have documented technical and procedural processes to address potential negative impacts of AI as described by the AI Risk Management Framework (RMF)?
Yes. Xoxoday’s AI solutions follow responsible AI practices aligned with the NIST AI Risk Management Framework.
Safety checks are built into AI features for content moderation, fraud detection, and decision transparency
Technical safeguards include anomaly detection, rule-based overrides, and configurable escalation protocols
Procedural controls allow workflows to be flagged, paused, or escalated for manual oversight
AI outputs are designed for explainability, ensuring interpretability and auditability
Q: Does the platform process protected health information (PHI) or any data under HIPAA compliance?
Yes. The Xoxoday rewards, incentives, and payout platform is capable of processing Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) when required by the client’s use case. The platform’s design, infrastructure, and operational processes incorporate the necessary safeguards to protect sensitive healthcare data. This includes:
• HIPAA compliance framework – implemented controls and processes aligned with HIPAA’s Privacy, Security, and Breach Notification Rules.
• Data encryption – PHI is encrypted both in transit (using TLS protocols) and at rest (using AES-256 encryption) to prevent unauthorized access.
• Access control measures – role-based access controls (RBAC) and multi-factor authentication (MFA) restrict PHI access to authorized personnel only.
• Audit logging and monitoring – comprehensive logging of system access, data interactions, and administrative actions for accountability and traceability.
• Secure hosting environment – cloud infrastructure hosted on ISO 27001 and SOC 2 Type 2 certified data centers with strong physical and network security controls.
• Data segregation – multi-tenant architecture with logical separation of client data, ensuring PHI is isolated and protected from other tenants.
• Incident response protocols – documented procedures to identify, contain, and report any potential data breaches in compliance with HIPAA requirements.
• Business Associate Agreement (BAA) – available for clients in the healthcare sector who require contractual assurance of HIPAA compliance.
System Requirement
Q: Does Xoxoday reward payout solution meet all regulatory recordkeeping and reporting requirements applicable to the vendor?
The system is designed to comply with all regulatory recordkeeping and reporting standards applicable to vendors in the rewards and incentive space. It incorporates robust mechanisms to ensure accurate documentation, timely reporting, and data traceability. Whether it’s audit trails, transaction logs, or compliance records, the platform maintains structured data practices that fulfill regulatory obligations. If there are specific regulatory needs, the customer incentive software team is open to customizing workflows or discussing tailored solutions.
Q: How does the system ensure confidentiality of sensitive research data and human subject information?
The platform upholds high standards of data confidentiality and privacy for research participants. It utilizes end-to-end encryption, RBAC, anonymization techniques, and audit logs to ensure all sensitive data, including that of human subjects, is secured and de-identified where required. By applying secure design principles and adhering to data protection frameworks, the solution guarantees compliance with confidentiality requirements for human research data.
Q: Are you PCI-DSS compliant?
The platform is not required to comply with PCI-DSS standards, as it does not collect, store, or process sensitive payment card data. Instead, all reward transactions are securely managed through the Xoxoday reward payout platform using industry-standard encryption and compliance protocols to ensure safety and integrity.
Q: Can the system scale efficiently during promotions or seasonal spikes in traffic?
Yes, Xoxoday is built for scalability and is capable of handling large user bases and high transaction volumes. The system currently supports over 10,000 transactions per minute and includes auto-scaling infrastructure to handle demand surges during promotions, campaigns, or seasonal reward cycles. This ensures that performance and reliability are not compromised under peak load conditions.
Xoxoday’s Platforms are engineered for horizontal scale and seasonal spikes in traffic. The core architecture uses containerized microservices, async messaging, and caching so components can scale independently and absorb spikes without blocking user flows. High-availability is built in with active-active deployment across availability zones, fronted by an AWS Application Load Balancer, plus managed Kafka, Redis, and Elasticsearch to decouple workloads and keep latency low during traffic surges. Datastores run with replication, snapshots, and DR, and the estate is continuously watched via APM/monitoring with PagerDuty alerts; target uptime is 99.99% with RTO/RPO of 120 minutes. For global programs, we also provide multi-region hosting options (e.g., USA, Singapore) to keep experiences responsive near users.
How we handle Seasonal Spikes in Traffic (what scales and why):
Stateless services scale out behind the ALB; critical data is cached to avoid database hot spots.
Kafka-backed queues smooth “flash-sale” style traffic; consumers scale horizontally to drain backlogs.
Search & audit workloads are offloaded to managed Elasticsearch; analytics run on Redshift so reporting never competes with transactions.
WAF/Bot protection (Cloudflare) shields the perimeter, important during promos when bot traffic rises.
Kubernetes & modern scaling practices (when K8s is used):
Our microservices are containerized and orchestrator-ready; for K8s-based deployments we apply industry patterns such as HPA/VPA for pod autoscaling, cluster autoscaler, Pod Disruption Budgets, readiness/liveness probes, and rolling/canary or blue-green rollouts. We also employ rate-limiting, back-pressure, circuit breakers, and exponential backoff to prevent thundering-herd effects. (These are global best practices; the platform’s containerized design and HA setup are documented in Xoxoday’s architecture materials.)
Operational playbook for peak events (best practices we follow):
Capacity planning & load tests ahead of campaigns; pre-scaling hot services and pre-warming caches.
Messaging partitioning & consumer concurrency tuning to raise throughput without impacting latency.
Read replicas/replication on primary databases; hourly snapshots and cross-AZ DR safeguard data while allowing scale.
Real-time observability with APM + alerting to spot hotspots early and autoscale safely.
These controls, microservices + containers, multi-AZ HA, async queues, managed search/analytics, and proactive ops, allow Xoxoday to sustain promotional peaks smoothly while preserving performance and reliability.
Q: Can the system scale efficiently during promotions or seasonal spikes in traffic?
Yes. Xoxoday is engineered for scalability and reliability, ensuring smooth performance even during peak events like promotions, campaigns, or seasonal reward cycles. The platform currently supports 10,000+ transactions per minute and uses auto-scaling infrastructure to handle sudden surges without affecting user experience.
How Xoxoday Manages Seasonal Spikes:
Scalable Architecture
Built on containerized microservices, async messaging, and caching so each component can scale independently.
Stateless services scale horizontally behind AWS Application Load Balancers.
Kafka-backed queues absorb “flash-sale” traffic, while Redis caching avoids database hot spots.
High Availability & Reliability
Active-active deployments across availability zones ensure continuity.
Datastores run with replication, hourly snapshots, and disaster recovery (RTO/RPO of 120 minutes).
Target uptime of 99.99%.
Performance Under Load
Search & audit handled by managed Elasticsearch; reporting & analytics run on Redshift—keeping transactions fast.
WAF and Cloudflare bot protection secure the perimeter against promo-related bot traffic.
Modern Scaling Practices
Kubernetes-ready microservices with HPA/VPA pod autoscaling, cluster autoscaler, and safe rollout strategies (blue-green, canary).
Rate-limiting, back-pressure, circuit breakers, and exponential backoff prevent overloads during sudden spikes.
Operational Playbook for Peak Events
Capacity planning and load testing ahead of campaigns.
Pre-scaling hot services and pre-warming caches.
Partitioned messaging and tuned concurrency to maximize throughput.
Real-time observability with APM and alerting (PagerDuty) for proactive autoscaling.
With this combination of scalable microservices, async queues, HA deployments, managed search/analytics, and proactive operations, Xoxoday ensures that even under seasonal spikes or large-scale promotions, performance, reliability, and security remain uncompromised.
Legal
Q: Can high-denomination physical Visa gift cards (e.g., $1,000–$1,500) be sourced if needed?
The Xoxoday gift card solution can support high-value physical Visa cards, but denomination limits vary by issuing partner and region. We recommend confirming availability and legal compliance during onboarding for denominations exceeding $1,000.
Security and Compliance
Q: How does your firm stay current with state regulations that impact multi-state or multi-location users?
Xoxoday recognizes the importance of compliance in operating across multiple states, countries, and regulatory jurisdictions. Our approach combines governance, continuous monitoring, and proactive adaptation to ensure our Platforms remain compliant for all customers and users, regardless of their location.
Dedicated Compliance & Legal Teams
We have specialized compliance, data privacy, and legal teams who continuously monitor state, federal, and international regulations affecting employment, data privacy, rewards, taxation, and payments.
Regulations such as GDPR, CCPA/CPRA, HIPAA (where applicable), SOC 2, and ISO 27001 are embedded into our global frameworks, ensuring we meet or exceed jurisdictional requirements
Regulatory Intelligence & Partnerships
Xoxoday leverages partnerships with audit firms, legal advisors, and compliance consultants in different geographies to stay ahead of state-specific regulatory updates.
We subscribe to regulatory intelligence feeds and compliance monitoring services that track multi-state taxation, digital rewards governance, data residency, and employment-related laws.
Product Flexibility for Multi-State Needs
Our Platforms allow localization of program rules, including tax handling, redemption catalogs, accrual structures, payout modes, and communication templates, ensuring adaptability to state or region-specific mandates.
For payments and financial products, we integrate with licensed payment partners who are compliant with state money movement and tax reporting laws.
Global Best Practices in Data Privacy and Security Compliance
We adopt Privacy by Design and Security by Default principles across all products, ensuring compliance is embedded at every stage of the product lifecycle.
Frequent third-party audits, penetration testing, and certification renewals validate compliance against changing standards.
Our multi-region hosting options (e.g., USA, Singapore, EU) ensure adherence to data residency and sovereignty requirements.
Customer Communication & Assurance
Any regulatory changes impacting product usage are communicated through release notes, compliance updates, and customer success reviews.
Clients benefit from configurable compliance controls such as audit trails, retention policies, and access management to meet their own internal governance needs.
By combining dedicated compliance governance, expert partnerships, flexible platform configurations, and global data privacy and security best practices, Xoxoday ensures that multi-state and multi-location users are supported in a compliant, secure, and future-ready manner.
Security Requirement
Q: Will the platform have access to confidential business data?
Yes. The platform securely manages confidential and sensitive business data as part of its operations.
Data types handled include:
Employee and customer PII (names, emails, contact details)
Transaction and redemption history
Financial identifiers for payouts and prepaid cards
Security and compliance measures include:
Enterprise-grade encryption for data at rest and in transit
Role-based access control (RBAC)
Secure API integrations with audit logs
Compliance with GDPR and relevant local data privacy laws
Regular third-party audits to prevent unauthorized access and mitigate risks
Technical Requirement
Q: Does your solution require institutions to host a virtual appliance or make firewall exceptions for remote access?
No. All Xoxoday solutions are cloud-based and accessible via secure HTTPS connections, without requiring clients to host virtual appliances or modify firewall rules.
Global rewards marketplace & payout platform: Fully cloud-hosted, with optional on-premise deployment available for highly regulated environments.
Employee engagement & recognition platform: Delivered as SaaS, accessible via browsers and mobile apps with no additional network configuration.
Sales commission & incentive management system: Cloud-native, integrating securely with CRM and HRMS platforms via APIs.
Customer loyalty management solution: Entirely online, eliminating the need for local hosting or infrastructure.
Merchant-funded offers & promotion engine: Cloud-based with secure API access for seamless partner integrations.
Q: Does your platform have access to institutional or personal data?
Yes, but only as required to deliver contracted services, with strict role-based access controls and full GDPR compliance.
Global rewards marketplace & payout platform: Uses recipient names, emails, and transaction data solely to process and deliver rewards.
Employee engagement & recognition platform: Stores and processes employee identifiers, email addresses, and engagement activity to support recognition and surveys.
Sales commission & incentive management system: Handles sales team identifiers, performance metrics, and payout details to calculate and distribute incentives.
Customer loyalty management solution: Manages loyalty member data including profiles, points balances, and redemption history.
Merchant-funded offers & promotion engine: Maintains merchant details, customer segment data, and redemption records for campaign management.
Q: Do you have a documented business continuity plan (BCP) with ownership and annual testing?
Yes. All Xoxoday solutions operate under a corporate-level Business Continuity Plan owned by senior management and tested annually.
• Global rewards marketplace and payout platform: Includes continuity procedures for reward delivery, catalog access, and payment processing.
• Employee engagement and recognition platform: Ensures uninterrupted engagement, recognition, and survey operations during disruptions.
• Sales commission and incentive management system: Maintains continuous access to commission tracking, incentive calculations, and reporting.
• Customer loyalty management solution: Keeps loyalty enrolment, accrual, and redemption systems available in crisis scenarios.
• Merchant-funded offers and promotion engine: Provides continuity for merchant offer creation, validation, and redemption tracking during outages.
Q: Do you maintain a documented disaster recovery plan (DRP) with ownership and regular testing?
Yes. Xoxoday has a corporate Disaster Recovery Plan owned by the Information Security team and tested regularly to meet RTO/RPO objectives.
• Global rewards marketplace and payout platform: Covers restoration of transaction processing, catalog services, and payment integrations.
• Employee engagement and recognition platform: Ensures rapid recovery of recognition data, engagement analytics, and survey records.
• Sales commission and incentive management system: Restores commission plans, sales performance data, and payout schedules promptly after incidents.
• Customer loyalty management solution: Recovers loyalty member accounts, points balances, and redemption records with minimal downtime.
• Merchant-funded offers and promotion engine: Brings back merchant campaign data, offer rules, and redemption history in line with recovery targets.
Record Creation
Q: Can the system maintain a secure record of credit card issuance while preserving subject confidentiality?
Yes. The Xoxoday gift card solution maintains detailed records of credit card issuance, including information on both issuers and recipients. These records are encrypted and accessible only by authorized personnel, ensuring complete confidentiality of participant data while supporting compliance and audit requirements.
Q: Can the system flag studies or projects that are exempt from collecting personally identifiable information (PII) like name or SSN, and assign this flag based on user roles?
Yes, the Xoxoday customer rewards platform enables administrators to flag studies or projects as exempt from collecting personally identifiable information (PII), such as names or SSNs. These exemption flags are configurable based on user roles, allowing secure, role-specific access while ensuring compliance with research privacy protocols and institutional review board (IRB) requirements.
Q: Does the system allow attaching an IRS Form W-9 when entering subject information (unless the study is exempt from SSN collection)?
The Xoxoday reward payout platform supports the secure upload and attachment of IRS Form W-9 during the input of subject information. This ensures streamlined compliance with U.S. tax documentation requirements, particularly for human subject payments that require IRS reporting, such as 1099 filings.
Q: Can the system flag or identify studies conducted entirely outside the United States?
Yes, the Xoxoday survey rewards platform includes geo-tagging capabilities that allow administrators to classify and flag studies based on their geographic scope. This supports accurate reporting, compliance, and operational tracking for global studies conducted outside the U.S.
Q: Does the platform support the externalization of back-office operations such as account management, reporting, reconciliation, and customer support through APIs or partner portals?
The platform is designed to support selective externalization of back-office functions via APIs. Transaction data necessary for reporting and reconciliation can be programmatically accessed using secure APIs provided by the Xoxoday reward payout platform.
Q: Can Xoxoday host the reward portal within a client’s private infrastructure?
Yes. Xoxoday supports on-premise deployments and can host the reward portal within the client’s internal network. This deployment option ensures full control over infrastructure, data governance, and security settings. Our implementation team will work closely with your IT and security stakeholders to align with existing policies and protocols, while ensuring seamless integration and compliance throughout the deployment process.
Q: Is the solution provider a dependency for any business-critical activity?
Yes. Xoxoday plays a direct role in mission-critical engagement and incentive workflows for enterprises, SMBs, and global organizations:
Powers customer loyalty programs, employee recognition programs, sales and channel incentives, and instant payout delivery, all of which are essential for business continuity.
Delivers time-sensitive reward redemptions for events like sales milestones, festive gifting, employee anniversaries, and customer retention campaigns.
Supports multi-region and multi-currency operations, ensuring that global incentive programs remain uninterrupted.
Operates on high-availability infrastructure with redundancy, minimizing downtime risk.
Without Xoxoday, businesses would face disruptions in engagement programs, potentially leading to reduced retention, sales performance, and customer satisfaction.
Q: Is your solution designed to handle, store, or transmit credit card data?
No. Xoxoday does not process, store, or transmit credit card information. It operates as a digital rewards and incentives engine and does not serve as a payment gateway or financial processing tool.
Xoxolink
Q: Does Xoxoday comply with regulatory recordkeeping and reporting requirements?
Xoxoday adheres to all major global regulatory standards. It maintains comprehensive audit trails, logs, and exportable reports for every transaction. Custom reports can be scheduled or generated on-demand to support compliance with tax, financial, or internal audit policies.