THE UNIVERSAL FRAMEWORK
The universal framework for Workday agreements.
Workday contracts use a unified agreement framework with clear, customer-friendly terms that enable customers to purchase any Workday product. The framework consists of the following components:
Universal Order Form
The Universal Order Form outlines the specific products our customers are purchasing, along with the commercial terms that apply to each purchase.
Universal MSA
The Universal MSA provides a baseline set of legal terms that apply across all products. It also gives customers immediate access to new innovations when they are generally released.
Exhibits to the Universal MSA
The Exhibits form part of the Universal MSA and apply to all Workday products. These terms focus on specific areas, such as security and data processing.
Universal Product Terms
The Universal Product Terms detail product-specific terms, service level commitments, and any Enhanced Features applicable to the products purchased under the Universal Order Form. Products are organized into “product lines” that share common terms. When you purchase a product, you also agree to the terms associated with its product line.
Workday Universal Framework FAQs.
Workday provides fully functional enterprise cloud applications delivered over the internet using a one-to-many cloud delivery model. Customers upload their content to the Software as a Service (SaaS) solution and configure the service applications to support internal business needs. All customers operate on the same release version of the Workday service applications. The service is delivered on a single code line, ensuring that customers using the same application are on the same release and supported by the same operational infrastructure, security framework, and support operations.
Workday cloud services are delivered through cloud-based, mobile, and in-memory object-oriented applications that operate on a true one-to-many business model. By contrast, application service providers typically offer a customizable, one-to-one model, where each customer is treated differently. This approach is essentially outsourced hosting of installed software. The one-to-many model enables a more cost-effective delivery of solutions by ensuring all customers are always on the same release version. Customers avoid costly and disruptive upgrades, while still retaining flexibility. As new feature releases are introduced, customers can choose when to adopt them, making the cloud applications highly configurable to meet individual business needs.
Workday prioritizes the security and privacy of customer content. A comprehensive security program is maintained that reflects the state of the art, the nature and purpose of the Service, the type of customer content processed, the applicable legal environment, and customer requirements for security and confidentiality. The security program is continuously monitored, evaluated, and updated to address changes in technology, as well as evolving legal and business environments. Additional details are provided below and in Question 4.
Data Security:
Workday employs rigorous security measures at the organizational, architectural, and operational levels and continues to invest in world-class technology compliance programs. A comprehensive cybersecurity compliance program is maintained to enhance privacy and security, build trust, and provide assurance that customer content, applications, and infrastructure are protected. The cybersecurity compliance program is anchored by independent third-party audits, industry-standard ISO certifications, and detailed self-assessment evaluations completed annually and made available to customers at no cost through a self-service framework. Privacy and compliance documentation made available to customers includes, but is not limited to:
- SOC 1 and SOC 2 audit reports
- ISO 27001, ISO 27017, ISO 27018, and ISO 27701 certifications
- Shared Assessments SIG questionnaire
- CSA CAIQ questionnaire
- Web and Mobile Applications Independent Security Report
- Networks and Systems Independent Security Report
- Disaster Recovery (DR) Plan and Executive Summary
- Workday Continuity Strategy and Plan
- Tier II CyberGRX Assessment Report
- Transfer Impact Assessments Whitepaper
- Code of Conduct
In combination, these materials provide an in-depth view into data privacy, data security, and the operational processes and control environments supporting delivery of the Service. They also enable customers to conduct self-service risk assessments related to the Service. Validation of the operational effectiveness of the control environment is supported through independent third-party auditor testing procedures, which are documented and summarized in audit reports made available to customers at any point during the subscription order form term. As a result, customers receive independent verification of, and visibility into, the security controls protecting their data. In addition, Workday contractually commits not to materially reduce the protections provided by the controls described in the applicable security exhibits and audit reports during the term of the agreement.
Data Privacy:
- Universal Data Processing Exhibit: The MSA includes a link to a Data Processing Exhibit (DPE) that outlines the terms and conditions governing the processing of personal data. The DPE provides customers with contractual protections related to compliance with applicable data protection laws where Workday acts as a data processor.
- Additional Disclosure Restrictions: Section 3 of the MSA contractually limits use of Customer Content to providing the Service, subject to the terms of the Agreement.
Workday maintains a formal, comprehensive security program designed to protect customer data, safeguard against security threats and data breaches, and prevent unauthorized access. Details of this security program are documented in the Universal Security Exhibit, independent third-party security audits, and international certifications. As a true cloud provider, Workday operates a multi-tenant platform in which all customers share a single version of the Service, with logical data segregation between customers. Security controls are designed specifically for a cloud environment and are applied consistently across all applicable applications and environments where customer data is processed. Workday contractually commits not to materially decrease the protections provided by the controls described in the Universal Security Exhibit and applicable audit reports (such as SOC 1 and SOC 2). Privacy controls are documented separately in the Universal Data Processing Exhibit, which provides contractual commitments regarding compliance with applicable data protection laws where Workday acts as a data processor.
Together, these security and privacy controls are foundational to the one-to-many cloud delivery model. This model allows continuous enhancement and evolution of security and privacy programs for the benefit of all customers. As a result, Workday cannot incorporate individual customer security or privacy standards, terms, or policies into the contract without undermining that delivery model. To ensure transparency and ongoing assurance, Workday conducts independent third-party audits and makes the resulting reports available to customers upon request.
Customers always retain ownership of their Customer Content throughout the relationship (see Section 3, “Proprietary Rights”). Customers may download copies of Customer Content stored in the Service at any time during the subscription term. Workday also provides a standard process for a final data download during the subscription term and following termination of the relationship. Details of this process are outlined in the MSA (see Section 9.2, “Retrieval of Customer Content”).
Yes. Workday maintains a service level availability policy for applicable Service applications, so customers have clear visibility into service level commitments. The success of the Workday cloud delivery business model is based on the efficiency of a one-to-many infrastructure. Because Service applications are delivered using the same operational model for the entire customer base, the applicable SLA cannot be modified on a customer-by-customer basis. Workday provides Service Credits in the event of certain SLA failures, as described in the SLA Service Credit section of the Agreement.
Workday uses a subscription pricing model based on the number of employees, users, other applicable size metrics, and, for certain Service applications, usage. During the subscription Order Term, subscription fees may not be reduced. As a result, Workday cannot accommodate requests to decrease payment obligations based on a reduction in employee or user counts, or applicable usage metrics, regardless of the reason for the reduction (including downsizing, acquisition by another entity, or divestiture of an affiliate).
No. Workday does not agree with the concept of “termination for convenience.” A fundamental element of the Workday business model is that the parties enter into a multi-year agreement to which both parties are committed during the specified subscription order term.
The Workday cloud-based business delivery model is fundamentally different from other delivery models. Because the Service runs for all customers on a single code line, its viability has already been demonstrated by existing customers who run their businesses on that same code line. For this reason, an acceptance test period does not exist in the Workday business model.
Most customers rely on the independent third-party audits, industry-standard ISO certifications, and detailed self-assessment evaluations that Workday completes annually and makes available free of charge via a self-service framework. We strongly encourage customers to use these existing privacy, compliance, and security materials instead of performing unique assessment reviews. Customers may elect to participate in the fee-based Workday customer audit program, which enables them to conduct compliance reviews of data security, data privacy, and other operational processes to support relevant audit requirements related to the provision of the Service.
Workday understands that our customers are concerned about the protection of their Customer Content and the remedies available in the event of a breach. Workday has developed a structure unique in the industry because it covers the primary costs associated with a breach of personally identifiable information, providing an exceptionally high level of protection for our customers.
Specified Remediation Costs outside Limitation of Liability: In Section 8.3 of the MSA, Workday agrees to pay certain remediation costs and such costs are not subject to any limitation of liability. Specifically, in the event that any unauthorized disclosure of or access to Personal Data is caused by a breach of Workday security or privacy obligations, Workday will pay the reasonable and documented costs incurred by Customer in connection with the following items: (1) costs of any required forensic investigation to determine the cause of the breach, (2) providing notification of the security breach to applicable government and relevant industry self-regulatory agencies, to the media (if required by applicable law) and to individuals whose Personal Data may have been accessed or acquired, (3) providing credit monitoring service to individuals whose Personal Data may have been accessed or acquired (for a specified period), and (4) operating a call center to respond to questions from individuals whose Personal Data may have been accessed or acquired (for a specified period). These four items represent the full extent of remediation costs Workday will cover outside the limitation of liability.
Other Damages / Breaches are subject to Limitation of Liability: Workday also agrees to uncapped liability for intellectual property indemnity as set forth in Section 7 of the MSA and for breaches arising out of gross negligence, willful misconduct, or fraud as set forth in Clause 8.1 of the MSA. A fundamental principle of the Workday business model is that any other damages and any other breaches of the Agreement are subject to a limitation of liability (see Section 8.1 of the MSA).