Hero Background Image
Security and Trust

Built on a foundation of trust.

At Workday, trust is woven into the fabric of everything we do. To keep your data safe and private, we deploy industry-leading safeguards and continuously monitor our system, so you can rest easy knowing your most sensitive data is protected 24/7 in the cloud.

 

Security

At Workday, our top priority is keeping our customers' data secure. We employ rigorous security measures at the organizational, architectural, and operational levels to ensure that your data, applications, and infrastructure remain safe.

Decorative

Organizational Security

Security begins on day one here, and we view it as everyone’s responsibility. All employees receive security, privacy, and compliance training the moment they start to keep both Workday and customer data safe and secure. Our Information Security team provides the knowledge and skills needed to avoid or minimize security risks on an ongoing basis via our security training and awareness program.

This commitment to security extends to our executives. The Executive Leadership Team, a cross-functional group of executives spanning the enterprise, drives executive alignment across the organization and ensures that security awareness and initiatives permeate throughout the organization.

Architectural Security

Processing Relationship

Our customers serve as the data controller while Workday is the data processor. This means that you have full control of the data entered into services, as well as all setup and configurations. Because you control your data—and we only process it—you won’t have to rely on us to perform day-to-day tasks such as:

  • Assigning security authorization and manipulating roles
  • Creating new reports and worklets
  • Configuring business process flows, alerts, rules, and more
  • Creating new integrations with Workday utilities or incumbent tooling
  • Changing or creating new organizational structures
  • Monitoring all business transactions
  • Looking at all historical data and configuration changes

Data Encryption

Workday encrypts every attribute of customer data before it’s persisted in the customer’s tenant. This is a fundamental design characteristic of the Workday technology. Because Workday is an in-memory, object-oriented application instead of a disk-based RDBMS, we can achieve the highest level of encryption. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and a unique encryption key for each customer.

Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. File-based integrations can be encrypted via PGP or a public/private key pair generated by Workday, using a customer-generated certificate. WS-Security is also supported for web services integrations to the Workday API.

Logical Security

Workday security access is role-based, supporting LDAP Delegated Authentication, SAML for single sign-on, and x509 certificate authentication for both user and web services integrations.

Single-Sign-On Support

SAML allows for a seamless, single-sign-on experience between the customer’s internal web portal and Workday. Customers log in to their company’s internal web portal using their enterprise username and password and are then presented with a link to Workday, which automatically gives customers access without having to log in again. Workday also supports OpenID Connect.

Workday Native Login

For customers who wish to use our native login, Workday only stores our Workday password in the form of a secure hash as opposed to the password itself. Unsuccessful login attempts are logged as well as successful login/logout activity for audit purposes. Inactive user sessions are automatically timed out after a specified time, which is customer configurable by user.

Customer configurable password rules include length, complexity, expiration, and forgotten password challenge questions.

Multifactor Authentication

We recommend that customers use multifactor authentication (MFA). Workday allows customers to bring in their own MFA provider that is backed by the TOTP (time-based one-time passcode) algorithm. With this setup, customers can easily integrate MFA providers with the native Workday login. Workday also allows end users of customers to receive a one-time passcode delivered via an email-to-SMS gateway mechanism. Lastly, Workday supports challenge questions as an additional mechanism to prove a user’s identity.

Step-Up Authentication

Organizations that use SAML can require an additional level of verification for critical functionality in Workday. Step-up authentication allows customers to force a secondary authentication factor that users must enter to access those items.

Configurable Security

Workday configurable security enables the customer security administrators to control the items users can view and the actions they can perform in the customer tenant. The administrators can determine how they want to group users through security groups. The administrators can specify the items and actions that members of security groups can view and perform through security policies.

Operational Security

Physical Security

Workday applications are hosted in state-of-the-art data centers designed to protect mission-critical computer systems with fully redundant subsystems and compartmentalized security zones. Our data centers adhere to the strictest physical security measures including, but not limited to, the following:

  • Multiple layers of authentication for server area access
  • Two-factor biometric authentication for critical areas
  • Camera surveillance systems at key internal and external entry points
  • 24/7 monitoring by security personnel

All physical access to the data centers is highly restricted and stringently regulated.

Network Security

Workday has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of the Workday environment. We’ve also implemented proactive security procedures, such as perimeter defense and network intrusion prevention systems (IPSs).

Network IPSs monitor critical network segments for atypical network patterns in the customer environment as well as traffic between tiers and service. We also maintain a global Security Operations Center 24/7/365.

Application Security

Workday has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of Workday applications.

This program includes an in-depth security risk assessment and review of Workday features. In addition, both static and dynamic source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.

Vulnerability Assessments

Workday contracts with third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.

Application

We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our web and mobile application prior to each major release. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:

  • Security weaknesses associated with Flash, Flex, AJAX, and ActionScript
  • Cross-site request forgery (CSRF)
  • Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
  • XML and SOAP attacks
  • Weak-session management
  • Data validation flaws and data model constraint inconsistencies
  • Insufficient authentication or authorization
  • HTTP response splitting
  • Misuse of SSL/TLS
  • Use of unsafe HTTP methods
  • Misuse of cryptography

Network

External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers for potential weaknesses that could allow unauthorized access to the network. In addition, an authenticated internal vulnerability network and system assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.

Privacy

Workday is deeply committed to protecting the privacy of our customers’ data, and also to helping our customers meet their own privacy obligations. When choosing a finance or an HCM system, businesses should select one that enables customers to comply with their data protection obligations and protect the privacy of their data. With Workday, you gain leading privacy functionality and practices that enable you to meet your privacy obligations.

Additionally, we are transparent about our privacy practices. We also provide our customers with the necessary resources and information to help them understand and validate the privacy and compliance requirements for their organization, as well as show how Workday can help power their compliance efforts.

 

   

Decorative

Privacy Principles

As data protection issues and global laws continue to evolve and become increasingly complex, Workday understands the importance of maintaining a comprehensive privacy program that is embedded into our company's culture and services.

We’re committed to following three principles that reflect our core values:

  • We put privacy first.
  • We innovate responsibly.
  • We safeguard fairness and trust.

Our philosophy of “privacy by design” is a testament to this and provides our customers with the assurance they need for the privacy and protection of their data.These privacy principles drive how we train our employees, how we design and build products, and ultimately, how we process personal data.

Privacy and data protection require year-round vigilance, and we’re strongly committed to protecting the personal data of our customers and employees. Read more about how we embrace the key principles of privacy.

Review our privacy policy to learn more about how we manage and protect our customers’ information.

  

Global Privacy

Global Data Privacy

Privacy continues to be front and center on the global stage, with the advent of the General Data Protection Regulation, the continued momentum for U.S. privacy legislation, and new laws throughout Asia and Latin America. At Workday, we welcome this renewed attention, as privacy protections have been a fundamental component of ourservices from our very beginning. We also understand that privacy is a shared responsibility between us and our customers.

Workday and our customers must be prepared to comply with complex global privacy laws and regulations. Workday stays ahead of international privacy regulations by maintaining a comprehensive global data protection program that contains comprehensive technical, administrative, and organizational safeguards. Our customers can rest assured that we are committed to global privacy standards, as shown by our implementation of Binding Corporate Rules for Processors (BCRs), and being the first company to certify to the Asia-Pacific Economic Cooperation Privacy Rules for Processors.

EU Data Privacy

To highlight how Workday prepares for changing regulations, on May 25, 2018, the General Data Protection Regulation (GDPR) significantly changed the European data privacy landscape by harmonizing the patchwork of data protection laws in Europe. After GDPR went into effect, we remained confident in our ability to process our customers’ personal data in alignment with the GDPR. As an example, not much changed for Workday customers with respect to any applicable cross-border data transfer flows of personal data to Workday for processing. We already had robust data protection terms but proactively updated them to meet GDPR requirements.

Some highlights of how our robust privacy and security practices support GDPR compliance include:

  • Recurring role-based employee training on security and privacy practices
  • Well-developed processes to capture Privacy Impact Assessments
  • Offering data transfer mechanisms to legalize transfers of personal data outside of the European Economic Area, including the Workday BCRs
  • Maintaining records of processing activities
  • Providing configurable privacy and compliance features to our customers
  • Mapping of GDPR requirements to our SOC2 controls

In addition, Privacy by Design and Privacy by Default are concepts deeply embedded in Workday. We continue to monitor guidance that EU supervisory authorities issue to ensure that our compliance program remains up-to-date.

Workday understands that not only is it important for our own organization to be compliant with GDPR as a data processor, but also for our customers to be able to use Workday to help with their internal compliance requirements. This is why Workday designs our applications with configurability in mind to help you meet your GDPR obligations.

Cross-Border Data Transfers

While there have been many challenges to cross-border data flows over the years, Workday has remained confident that we can support our customers. We built a program early on that offers our customers various data transfer mechanisms. Our agreement includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States. In addition, Workday offers customers Processor Binding Corporate Rules (BCRs) as an additional transfer mechanism. Workday’s BCR are available here.

We partner with our global customers as they conduct Transfer Impact Assessments prior to transferring European personal data to third party countries. We proactively share information, such as FAQs and white paper, to help them navigate these assessments. In addition, Workday commits to providing transparency to our customers in the event we receive a valid legal process from law enforcement or other government agencies for access to electronic information customers submit into Workday’s software-as-a-service applications.

Demonstrating Compliance

We invest in certifying to leading industry standards and frameworks so our customers can easily verify our privacy practices. We’re often the first to do so.

Workday signed up for the Privacy Shield on the first day the U.S. Department of Commerce launched the Privacy Shield certification process, demonstrating our strong, ongoing commitment to privacy and protecting our customers’ data. Even though the Privacy Shield is no longer a valid data transfer framework, Workday continues to certify to the Department of Commerce that we adhere to the Privacy Shield Principles. While companies can self-certify to the Privacy Shield, Workday uses TRUSTe as our third-party verification agent to further demonstrate our compliance. Read more about our TRUSTe verification status to Privacy Shield.

Workday was the first cloud service provider to declare adherence to the EU Cloud Code of Conduct (CCoC), which consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR. Annual reviews take place by the independent monitoring body. Verify Workday’s adherence to the CCoC.

Workday has certified to the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) and Privacy Rules for Processors (APEC PRP). The APEC certifications are a voluntary set of privacy standards developed for data controllers and processors, respectively, to facilitate data transfers among APEC economies. These certifications demonstrate compliance with high standards of privacy compliance throughout the Asia-Pacific region.

Workday was one of the first companies to be certified to the APEC CBPR in March 2014, and the first to be certified for APEC PRP in September 2018. We have received a third-party certification from TRUSTe, which is the APEC Accountability Agent for the United States.

Compliance

Today’s technology leaders are charged with securing and protecting the customer, employee, and intellectual property data of their companies in an environment of increasingly complex security threats. Companies are also responsible for complying with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf.

Workday maintains a formal and comprehensive security program designed to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorized access to our customers’ data. The specifics of our security program are detailed in our third-party security audits and international certifications.

   

   

decorative

To help your compliance and legal teams understand and validate the compliance requirements for your organization, we’ve gathered the following compliance resources.

Third-Party Audits and Certifications

Profile image
SOC 1

Service Organization Controls (SOC 1) reports provide information about a service organization’s control environment that may be relevant to the customer's internal controls over financial reporting.

Profile image
SOC 2

The Workday SOC 2 Type II report is an independent assessment of our control environment performed by a third party.

Profile image
SOC 3

The American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Control (SOC 3) framework for safeguarding the confidentiality and privacy of information that is stored and processed in the cloud.

Profile image
ISO 27001

ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS).

Profile image
ISO 27017

ISO 27017, published in 2015, is a complementary standard to ISO 27001.

Profile image
ISO 27018

ISO 27018, published in 2014, is a complementary standard to ISO 27001.

Profile image
ISO 27701

ISO 27701, published in 2019, is a complementary standard to ISO 27001.

Profile image
PCI DSS

Workday supports PCI DSS compliance within the scope of the Workday Secure Credit Card Environment, which is an isolated environment that stores, processes, and transmits unmasked cardholder data through predefined integrations.

Profile image
HIPAA

Workday has completed a Health Insurance Portability and Accountability Act (HIPAA) third-party attestation for Workday enterprise cloud applications, which provides assurance that Workday has a HIPAA-compliance program with adequate measures for saving, accessing, and sharing individual medical and personal information.

Profile image
NIST CSF and NIST 800-171

The NIST Cybersecurity Framework (CSF) provides guidance for organizations on how to improve their ability to prevent, detect, and respond to cybersecurity risks. The NIST 800-171 standard relates to protecting Controlled Unclassified Information in non-federal Information Systems and Organizations.

Profile image
G-Cloud

The G-Cloud framework is an agreement between the UK government and cloud-based service providers.

Profile image
CSA STAR Self-Assessment

The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Self-Assessment consolidates current information regarding security risks and controls into one industry-standard questionnaire (CSA STAR CAIQ).

Profile image
Privacy Shield

Workday is an active Privacy Shield participant. TRUSTe is Workday’s third-party verification agent for the Privacy Shield. 

Profile image
EU Cloud Code of Conduct

The EU Cloud Code of Conduct (CCoC) consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR. 

Profile image
TRUSTe Enterprise Privacy and Data Governance Certification

Workday is a participant under the TRUSTe Enterprise Privacy & Data Governance Practices Program.

Profile image
SIG Questionnaire

The Standardized Information Gathering (SIG) Questionnaire is a compilation of information technology and data security questions across a broad spectrum of control areas into one industry standard questionnaire. 

Profile image
Cyber Essentials

Cyber Essentials is a UK government-backed scheme to help organizations protect against cyber-security threats by setting out baseline technical controls.