Xoxoday 100% GDPR Compliant

GDPR stands for “General Data Protection Regulation”. It is one of the most important changes made to data privacy regulations in the last two decades. It establishes a new framework for handling and protecting the personal data of EU-based residents and is in effect since May 25, 2018. It provides the citizens of the EU greater control over their personal data and assures them that their information is protected.

Even though GDPR is a data protection framework for the citizens residing in the EU, it also applies to all companies that handle the personal data of individuals from the EU. In this way, almost every corporation falls under the jurisdiction of GDPR. If you are someone who stores or processes personal data while offering your goods or services in the EU, then the laws apply to you as well. Also, in the event of an infringement of GDPR laws, you can face fines and penalties up to 20 million dollars or 2% to 4% of the annual revenue of the organization depending upon whichever is higher.

• ‘Data controller’ - A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• ‘Data processor’ - A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• ‘Personal data’ - Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
  For Example - Name, an identification number, location data, an online identifier or to one or more factors specific to the physical
  

Xoxoday acts both as a Data Controller and as a Data Processor within the realm of GDPR compliance:

As a Data Processors, we process personal data on behalf of our customers as our product services include that. ‍

As a Data Controller, you're responsible for safeguarding the data of your customers/employees data as they interact directly with products at Xoxoday. Customer Companies determine what data on Employee Users are collected and how it is used. If you wish to exercise your data subject rights to review, rectify, delete or port your Employee User Personal Data, please contact the controller to make such a request. If you make the request to us, we will work with the controller to process and evaluate such request to confirm whether deletion is required by GDPR.

Data Security

Xoxoday takes data integrity and security very seriously. Xoxoday is fully committed to upholding the rights data subjects are granted under the applicable data protection laws. Over 2 million customers across the globe trust us with their data security. Due to the nature of the product and service we provide, it is important that we acknowledge that our responsibilities both as data controller as well as a data processor. Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes, and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience.

Features that we built for GDPR compliance

• Right to Rectification
  The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. We allow users to make changes to data fields such as mobile number and names, but since email is a unique identifier at our end, any changes to it  can be done through backend support through raising a ticket.
• Right to Portability
  The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Our products directly assist our customer’s need to meet ‘right to portability’ requests from their customers. Both customer and ticket data can be exported from the product by the users who have appropriate access rights.
• Right to be Forgotten
  Personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing. In addition, data must naturally be erased if the processing itself was against the law in the first place. we dispose the data upon user request. For more information, check out our detailed doc on data security.
  ‍

Dedicated Data Protection Officer

We have also appointed a Data Protection Officer (DPO) who looks after any concerns of data infringement across our three products. For any concerns, you can write to [email protected]

Data Processing Anendum ( DPA)

We have amended our Data Processing Addendum to be compliant with the data processing requirements of GDPR. if you are using Xoxoday products and have agreed to our terms of service, you do not need to sign an additional Data Processing Addendum. As of May 25th, 2018, our user terms of service include a provision to ensure compliance with GDPR. If you are the organization administrator and would like to sign a DPA with us, please write to [email protected]

GDPR Compliant set of vendors

Each of Xoxoday’s vendors and sub-processors has an executed Data Processing Addendum to ensure compliance under the EU GDPR requirements. An audited minimum relevant set of data is shared with each vendor. 

Privacy Policy

The information we collect to deliver our services, and how do we process it, and how do we use it is covered in the Privacy policy. We take your privacy seriously. If you have any questions about this Policy or about privacy at Xoxoday, please contact us at [email protected].

Xoxoday regularly evaluates enforcement of - security policies, utilization of dynamic access controls, identity verification of those accessing data, and implementation of protection mechanisms against data breach. Relevant certifications include ISO 27001, SOC II compliant.

‍

Disclaimer -The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.