Regulatory Compliance and Certifications

Customers are responsible for complying with local, state, national, and foreign laws, including those related to data privacy and transmission of personal data, even when a service provider holds their data. Workday maintains a formal and comprehensive security program designed to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorized access to the data of its customers. The specifics of Workday's security program are detailed in its third-party security audits and international certifications.

External Audits (SAS-70 Type II Audit and SSAE 16 Type II Audit)

The SAS-70 (Statement on Auditing Standards) Type II audit validates Workday's physical and environmental safeguards for production and disaster recovery data centers, backup and recovery procedures, and nonproduction systems such as customer implementation and sandbox systems. The audit is conducted every six months by an independent third-party auditor.

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations effective June 15, 2011. It gives companies around the world confidence when conducting business with SSAE 16 audited companies such as Workday.

ISO 27001:2005 Certification

ISO 27001 is a standard for Information Security Management Systems (ISMS), published in 2005 by the International Organization for Standardization (ISO). It is a standards-based approach to security, is supported internationally by members of the ISO, and is commonly used in Europe and around the world. The ISO standard is unique in that it is an international standard with predefined security clauses, objectives and controls, as opposed to the US SAS-70/SSAE 16 audits, which are certified against service-provider-defined controls.

Certification is achieved following an independent assessment of Workday's conformity to the ISO 27001 standard that includes assessing security risks, designing and implementing comprehensive security controls and adopting an overarching management process to meet security needs on an ongoing basis. In September 2010, Workday obtained ISO 27001 certification covering Workday's production, sandbox and implementation environments. The certification is valid for three years, with annual surveillance audits taking place.

Safe Harbor Framework Self-Certification

In October 1998, the European Commission's Directive on Data Protection went into effect, prohibiting the transfer of personal data to non-European Union countries that do not meet the European Union (EU) adequate standard for privacy protection. To help U.S. companies meet this directive, the U.S. Department of Commerce, in consultation with the European Commission's Directive on Data Protection and the Federal Data Protection and Information Commission of Switzerland, developed the Safe Harbor privacy framework on the transfer of personal information from European Union member countries and Switzerland to the United States.

Workday annually self-certifies to the Safe Harbor privacy framework. This certification demonstrates that Workday provides adequate privacy protection based on the European Commission's Directive on Data Protection.

More information about the U.S. Department of Commerce's Safe Harbor program can be found at http://www.export.gov/safeharbor/. More information on Data Privacy can be found in the Workday Data Privacy Overview paper.

Security Datasheet

Workday employs state-of-the-art security measures to maintain data security and uninterrupted service for Workday customers.