Data Privacy & Security
We implement robust technical and organizational security measures to protect customer data. Our global data protection program focuses on compliance with laws, as well as building trust around the access, use, disclosure, and transfer of customer data.
Give Our Customers Peace of Mind That Their Data Is Secure
Data security is of paramount concern for companies and individuals. At Workday, we’ve built rigorous safeguards into our applications and processes, and we continually update them. Workday has established a comprehensive set of processes and controls to protect customer data, taking a holistic approach that embeds security and privacy into the design of our services.
We start creating a culture of security and privacy for our employees on day one. All employees participate in general awareness training on policies and procedures. Any member of a Workday team that processes customer data, including personal data, undertakes additional secondary security and privacy training tailored to their specific needs. Ongoing awareness campaigns ensure that individuals understand their responsibilities, changes in policies or compliance requirements, and updates in technology, and keep the workforce alert to any new threats.
Compliance, privacy, and security considerations are core to the overall Workday design. Technical safeguards extend from the physical security of our data centers to network- and application-level security controls. Organizational controls include policies, procedures, training, and awareness campaigns. Protecting customer data against security threats or data breaches is at the forefront of everything we do and is woven into the very fabric of the Workday culture.
Workday is proud to be a corporate member of the Cloud Security Alliance—an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud-computing environment.
Organizational Safeguards to Protect Customer Data
Chief Information Security Officer and Security Team: Responsible for overseeing the security practices in place surrounding all aspects of Workday technology and operations.
Chief Security Officer and Security Engineering Team: Responsible for the design and deployment of security technology and product capabilities to ensure that Workday protects customer data and that the product provides capabilities customers can use to protect their own users’ data.
Chief Privacy Officer and Privacy, Compliance, and Ethics Team: Responsible for the Workday global data privacy program, third-party audits and certifications, and promoting a culture of integrity and ethical behavior at Workday.
Security Council: Cross-functional senior management representatives who meet regularly to discuss organizational activities and assess their potential impact on internal security controls.
Chief Trust Officer: Responsible for providing prospective and existing customers with a transparent view into the practices in place to protect customer data.
Workday Privacy Program
Workday is deeply committed to protecting our customers’ privacy. We provide our customers with an in-depth data protection commitment that sets forth our responsibilities and obligations as a data processor. In addition, we strongly support regulations that protect the cross-border transfer of personal data.
Specifically, Workday was one of the first companies to certify to the new EU-U.S. Privacy Shield. In addition, Workday has obtained approval from EU data protection authorities for global Binding Corporate Rules for Processors (BCRs) that focus on safeguarding customer data. BCRs are a detailed code of conduct that governs the processing and transfer of personal data within a multinational company. This approval demonstrates that Workday has implemented a consistent set of robust privacy practices for processing personal data across our global Workday affiliates.
Workday was also the first company to be certified by TrustArc to the Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) system. This certification further demonstrates Workday’s strong privacy protections for customer data, and our commitment to accountability in our global privacy program.
Emphasizing innovation and enhanced privacy protections for our customers and the individuals within their organizations enables us to help customers meet their own GDPR compliance requirements. Privacy by design is closely tied to the Workday core values—especially integrity, customer service, and innovation. We take pride in upholding these values through the way we provide the Workday service and operate from a compliance perspective.
We strive to become an early adopter of newly emerging business practices and standards while always keeping privacy and the protection of our customers’ personal information at the core of what we do. Workday also takes the data privacy of our employees, prospective customers, partners, and website visitors seriously. We do not disclose customer data to third parties for promotional purposes. Workday has been awarded TRUSTe’s Privacy Seal for our websites and our cloud-based enterprise applications. This seal signifies that the Workday privacy policies and practices have been reviewed by TRUSTe for compliance with its privacy program requirements. These include transparency, accountability, and choice regarding the collection and use of personal information. We have also set up a dedicated email inbox (firstname.lastname@example.org) to collect and respond to inquiries regarding our privacy policies and practices. In FY19, Workday did not experience any significant incidents or regulator complaints regarding the processing of personal data.
Workday customers take a trust-but-verify approach to gain assurance that Workday has the tools, technologies, processes, and controls in place to protect their data. To evidence these safeguards, Workday provides our customers with independent third-party audit reports, such as Service Organization Control (SOC) 1 and SOC 2, as well as certifications to ISO/IEC 27001, ISO/IEC 27018, and PCI-DSS.
Our SOC 2 report covers all of the available AICPA Trust Services Principles: privacy, security, confidentiality, availability, and processing integrity. The audit results described in Workday SOC reports demonstrate that we have strong controls in all five of these areas.
Highlights of some of our other recent compliance enhancements include expanding the SOC 2 report to include compliance with the NIST Cybersecurity Framework; obtaining a third-party independent auditor’s opinion confirming Workday conformity to the applicable requirements of the HIPAA Security, Breach Notification, and Privacy Rules; achieving certification against ISO 27017, which supplements ISO 27002 with additional security guidelines for cloud services; and achieving authorization as a service provider for the UK public sector under G-Cloud 9.