CHAPTER 5

Workday security, privacy, and compliance: Protecting your enterprise data.

Organizations today face increasingly sophisticated security threats targeting valuable customer, employee, and financial data. At the same time, navigating evolving data privacy laws and regulations is more complex than ever. Choosing a cloud services provider you can trust with your sensitive information is a critical decision.

Your enterprise needs a solution with security built into its foundation, not added as an afterthought. This requires a comprehensive approach that includes robust security features, flexible privacy controls, and always-on auditing. Most importantly, you need a platform solutions provider with a proven track record of protecting valuable data.

At Workday, security and privacy are built into our products from the ground up, embedded in our development process, and part of our company culture. We’re transparent with our customers about what we do and how we do it—and we prioritize open, consistent, and timely communication to foster a collaborative, trusting relationship.

Powerful security: How Workday protects your data.

The Workday security model is the foundation of how we continuously protect our customers’ data. This model allows us to deploy security at scale, so improvements for one customer automatically benefit all customers. In other words, our smallest customers in the least-regulated industries benefit from our investments to satisfy the risk management requirements of our largest, most-regulated customers.

Simplicity is key to strong security. Workday achieves this by extending our security model to all data, transactions, processing, and applications in Workday enterprise products. Every end user, administrator, and system accessing Workday, whether through the user interface, APIs, or integrations, uses the same access model. This streamlines administration, ensuring that the right people and systems have appropriate access to data. The single-access model mitigates the risks associated with administrative “back door” access, which can cause trouble in legacy applications.

Workday incorporates automated security testing into our product development process. We deliver new features and updates through weekly service updates and feature releases. Our single-codeline approach to development allows us to push changes to all customers on Workday enterprise products every week, making all security updates immediately available to everyone. No one is left behind because they’re on an older version of our applications, as is often the case with legacy solutions.

All customer data is considered sensitive and is encrypted at rest. Audit capabilities are integrated into the core of our applications, enabling pervasive, always-on auditing for all customer data. Because business processes are within Workday, we offer complete and continuous audit coverage. This differs from solutions with limited, bolted-on audit capabilities that can be bypassed, creating headaches for auditors.

Our commitment to security and privacy at Workday is evident in our third-party assessments and certifications. We are often among the first cloud service providers to adopt new security and privacy standards. For example, Workday was the first organization to adopt the EU Cloud Code of Conduct (CCoC), demonstrating our readiness and ability to comply with GDPR requirements.

Enhanced security with powerful access control in Workday.

Every user and every system accessing Workday must be authenticated and authorized through our consistent security model. This contrasts sharply with legacy ERP systems, which often have an application layer of security that IT and database administrators can bypass to access data directly at the database level.

Within Workday, security cannot be bypassed. Workday is an object-oriented, in-memory system with an encrypted persistent data store, and no one has direct access to the data store. Both users and administrators can only access data indirectly via secure APIs, which enforce authorization and access policies. All access and changes are continuously tracked and audited. This granular, policy-based security model applies to all data access across Workday applications.

Legacy systems frequently have multiple ways of gaining access to data across their architectures and integrations. This complexity often leads to errors and oversights with serious consequences, especially for data access from custom reporting and analytics tools.

Workday security is more consistent. For example, the Workday report writer applies the same granular, policy-based security to all data, in all reports. This security stays in effect even when reports are distributed and accessed via mobile devices, dashboards, worksheets, Workday web service APIs, and workflows processed in our business process framework.

Workday security and privacy: Protecting your data in the cloud.

Along with the core benefits of the Workday security model, we constantly apply the industry’s best cloud security practices and technologies to detect, prevent, and eliminate threats—and ensure global data privacy. Let’s explore the key areas of security and privacy in Workday.

Identity and authentication.

Secure access starts with verifying the identity of every user and system accessing Workday. Workday allows customers to create user identities within Workday or to integrate with external systems such as Active Directory. Typical examples of identities in Workday include worker, contingent worker, candidate, and student.

To verify a user identity, Workday supports a range of robust authentication methods:

  • SAML 2.0
  • X.509 Certificate Authentication
  • OpenID Connect
  • Native authentication
  • Multi-factor authentication
  • Web Authentication API (WebAuthn), a passwordless authentication method using public key cryptography

Privacy by design.

Data privacy and protection regulations are complex and vary globally, so we monitor requirements wherever we do business. Workday continuously complies with these regulations, providing strong privacy functionality to help customers meet their privacy commitments. We educate all our people about privacy best practices and embed privacy into our processes and technology. We build configurable privacy tools to empower customers to manage their specific privacy needs.

Our philosophy of “privacy by design” drives how we train our employees, design and build products, and process personal data. We incorporate privacy considerations into every stage of the product development lifecycle. Workday gives customers the tools and flexibility to control their data, including:

  • Which data to enter into the system
  • How to configure their applications
  • Which features to enable
  • Which security and privacy tools to use

Ultimately, the customer, not Workday, retains control over who can access, use, and disclose their data.

Robust tools to manage your unique privacy needs.

Every company has unique privacy requirements. The privacy configurations you need are influenced by your industry, the types of data you collect, where you operate, and your use case. Workday recognizes this complexity and offers a powerful range of configurable privacy tools such as data masking, scrambling, and purging.

These tools allow you to de-identify personal data and protect specific data fields for various purposes such as development, testing, training, demonstrations, and third-party access. To help customers comply with data subject requests, such as the right to be forgotten, Workday provides tools for irreversible data purging, including automation for purging at scale and on a schedule.

Compliance and third-party assessments.

At Workday, we understand that relationships are built on trust, and that trust must be earned. We encourage a “trust but verify” approach to security, privacy, and compliance.

Our rigorous compliance program helps our customers meet their legal and regulatory requirements. Third-party audits and international certifications demonstrate our commitment to data security and privacy, including protection against security threats, data breaches, and unauthorized access.

Workday adheres to global security and privacy standards, including SOC 1 Type II, SOC 2 Type II, SOC 3, TRUSTe, Asia-Pacific Economic Cross-Border Privacy Rules, and other international and regional certifications.

We also provide extensive resources to support our customers’ compliance and legal teams. These resources, available in Workday Community and other customer portals, help customers navigate their privacy and compliance requirements.

Trusting Workday with your data.

Workday prioritizes security and privacy across our entire platform. Our sophisticated measures and procedures ensure that customers have a high-performance cloud solution that is also highly secure. This commitment extends to our technology, applications, and programs.

We’re always exploring ways to enhance data security and foster a strong security culture, including:

Rigorous compliance. We regularly certify Workday security against the industry’s most stringent compliance requirements.

Ongoing education. We provide in-depth security best practices education and training to Workday employees and our customer community.

Platform-wide approach. By keeping all customers on the same software version and using a continuous development approach, we provide a consistent and secure environment that meets the needs of even the most risk-averse organizations.

This commitment to security benefits every Workday customer.

© 2025 Workday, Inc. All rights reserved. WORKDAY and the Workday logos are trademarks of Workday, Inc. registered in the United States and elsewhere. All other brand and product names are trademarks of their respective holders.
