在工作日,信任是融入了ything we do. To keep your data safe and private, we deploy industry-leading safeguards and continuously monitor our system, so you can rest easy knowing your most sensitive data is protected 24/7 in the cloud.
At Workday, our top priority is keeping our customers' data secure. We employ rigorous security measures at the organisational, architectural and operational levels to ensure that your data, applications and infrastructure remain safe.
Security begins on day one here. All employees receive security, privacy and compliance training the moment they start. Though the extent of involvement may vary by role, security is everybody’s responsibility at Workday.
This commitment to security extends to our executives. The Workday Security Council, a cross-functional group of executives spanning the enterprise, shapes our security programmes, drives executive alignment across our organisation, and ensures that security awareness and initiatives permeate throughout our organisation.
Our customers serve as the data controller while Workday is the data processor. This means that you have full control of the data entered into services, as well as all set-up and configurations. Because you control your data – and we only process it – you won’t have to rely on us to perform day-to-day tasks such as:
Workday encryptseveryattribute of customer data before it’s persisted in a database. This is a fundamental design characteristic of the Workday technology. Because Workday is an in-memory, object-oriented application instead of a disk-based RDBMS, we can achieve the highest level of encryption. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and a unique encryption key for each customer.
Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering or message forgery. File-based integrations can be encrypted via PGP or a public/private key pair generated by Workday, using a customer-generated certificate. WS-Security is also supported for web services integrations to the Workday API.
Workday security access is role-based, supporting LDAP delegated authentication, SAML for single sign-on, and x509 certificate authentication for both user and web services integrations.
Single-Sign-On Support
SAML allows for a seamless, single-sign-on experience between the customer’s internal web portal and Workday. Customers log in to their company’s internal web portal using their enterprise username and password and are then presented with a link to Workday, which automatically gives customers access without having to log in again. Workday also supports OpenID Connect.
Workday Native Login
For customers who wish to use our native login, Workday only stores our Workday password in the form of a secure hash as opposed to the password itself. Unsuccessful login attempts are logged as well as successful login/logout activity for audit purposes. Inactive user sessions are automatically timed out after a specified time, which is customer configurable by user.
Customer configurable password rules include length, complexity, expiry and forgotten password challenge questions.
Multi-Factor Authentication
We recommend that customers use multi-factor authentication (MFA). Workday allows customers to bring in their own MFA provider that is backed by the TOTP (time-based one-time passcode) algorithm. With this set-up, customers can easily integrate MFA providers with the native Workday login. Workday also allows end users of customers to receive a one-time passcode delivered via an email-to-SMS gateway mechanism. Lastly, Workday supports challenge questions as an additional mechanism to prove a user’s identity.
Step-Up Authentication
If someone leaves their console open or multiple users access Workday from the same device, organisations that use SAML as an authentication type can secure against unauthorised access by identifying critical items within Workday. This allows customers to force a secondary authentication factor that users must enter to access those items.
Workday applications are hosted in state-of-the-art data centres designed to protect mission-critical computer systems with fully redundant subsystems and compartmentalised security zones. Our data centres adhere to the strictest physical security measures including, but not limited to, the following:
All physical access to the data centres is highly restricted and stringently regulated.
Workday has established detailed operating policies, procedures and processes designed to help manage the overall quality and integrity of the Workday environment. We’ve also implemented proactive security procedures, such as perimeter defence and network intrusion prevention systems (IPSs).
Network IPSs monitor critical network segments for atypical network patterns in the customer environment as well as traffic between tiers and service. We also maintain a global Security Operations Centre 24/7, 365 days a year.
Workday has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of Workday applications.
This programme includes an in-depth security risk assessment and review of Workday features. In addition, both static and dynamic source code analyses are performed to help integrate enterprise security into the development life cycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
工作合同与第三方专业公司conduct independent internal and external network, system and application vulnerability assessments.
Application
We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our web and mobile application prior to each major release. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:
Network
External vulnerability assessments scan all internet-facing assets, including firewalls, routers and web servers for potential weaknesses that could allow unauthorised access to the network. In addition, an authenticated internal vulnerability network and system assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.
Data privacy regulations are complex, vary from country to country and impose stringent requirements. When choosing an HCM, finance or other application, businesses should select one that enables customers to comply with their data protection obligations and protect the privacy of their data. With Workday, you gain leading privacy functionality and practices that enable you to meet your privacy obligations.
Additionally, we provide our customers with the necessary resources and information to help them understand and validate the privacy and compliance requirements for their organisation, as well as show how Workday can help power their compliance efforts.
Workday founded our privacy programme on strict policies and procedures regarding access to and the use, disclosure and transfer of customer data. The core of our privacy programme is that Workday employees do not access, use, disclose or transfer customer data unless it is in accordance with a contractual agreement or at the direction of the customer.
As data protection issues and global laws continue to evolve and become increasingly complex, Workday understands the importance of a privacy programme that is embedded into our company's culture and services. Our philosophy of Privacy by Design is a testament to this and provides our customers with the assurance they need for the privacy and protection of their data.
The Workday Privacy, Ethics and Compliance team, led by our Chief Privacy Officer, manages the privacy programme and monitors its effectiveness. The team is responsible for:
Privacy and data protection require year-round vigilance and we’re strongly committed to protecting the personal data of our customers and employees.Read more about how we embrace the key principles of privacy.
Review our privacy policy to learn moreabout how we manage and protect our customers’ information.
We’ve embedded a holistic privacy programme into our services, from initial design to release. This programme, built on our philosophy of Privacy by Design, guides how we develop products and operate our services.
我们提供到地理regi透明度ons where our customers’ data is stored and processed.
Workday and our customers must comply with complex global privacy laws and regulations. Workday demonstrates compliance with international privacy regulations by maintaining a comprehensive global data protection programme that contains technical and organisational safeguards designed to prevent unauthorised access to and use or disclosure of customer data. Workday remains committed to global privacy standards, as shown by our dedication to programs such as the Privacy Shield, implementation of Binding Corporate Rules (BCR) and Asia-Pacific Economic Cooperation Privacy Rules for Processors. Our applications are designed to allow you to achieve differentiated configurations to help you meet your country’s specific laws.
On 25 May 2018, the General Data Protection Regulation (GDPR) significantly changed the European data privacy landscape. The GDPR harmonised the patchwork of data protection laws in Europe. Workday is confident that we can process our customers’ personal data in alignment with the GDPR.
Some highlights of how Workday’s robust privacy and security practices support GDPR compliance include:
In addition,Privacy by Designand Privacy by Default are concepts deeply enshrined in the Workday Service. Workday continues to monitor guidance that EU supervisory authorities issue to ensure that our compliance program remains up-to-date.
Workday understands that not only is it important for our own organisation to be compliant with GDPR as a data processor, but also for our customers to be able to use the Workday Service to help with their internal compliance requirements. This is why Workday offers tools to help meet their customers’ GDPR obligations.Learn more about how we enable our customers to meet their GDPR obligations.
Workday offers our customers various data transfer mechanisms. Workday’s agreement includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States. In addition, Workday offers customers Processor Binding Corporate Rules (BCRs) as an additional transfer mechanism.Workday’s BCR are available here.
Workday signed up for the Privacy Shield on the first day the U.S. Department of Commerce launched the Privacy Shield certification process, demonstrating our strong, ongoing commitment to privacy and protecting our customers’ data. Even though the Privacy Shield is no longer a valid data transfer framework, Workday continues to certify to the Department of Commerce that we adhere to the Privacy Shield Principles. While companies can self-certify to the Privacy Shield, Workday uses TRUSTe as our third-party verification agent to further demonstrate our compliance.Read more about our TRUSTe verification status to Privacy Shield.
Workday was the first cloud service provider to declare adherenceto the EU Cloud Code of Conduct (CCoC), which consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR. Annual reviews take place by the independent monitoring body.Verify Workday’s adherence to the CCoC.
Workday has certified to both the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) and Privacy Rules for Processors (APEC PRP). The APEC certifications are a voluntary set of privacy standards developed for data controllers and processors, respectively, to facilitate data transfers among APEC economies. These certifications demonstrate compliance with high standards of privacy compliance throughout the Asia-Pacific region.
Workday was one of the first companies to be certified to the APEC CBPR in March 2014 and the first to be certified for APEC PRP in September 2018.We have received a third-party certification from TRUSTe, which is the APEC Accountability Agent for the United States.
Today’s technology leaders are charged with securing and protecting the customer, employee and intellectual property data of their companies in an environment of increasingly complex security threats. Companies are also responsible for complying with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf.
Workday maintains a formal and comprehensive security programme designed to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorised access to our customers’ data. The specifics of our security programme are detailed in our third-party security audits and international certifications.
To help your compliance and legal teams understand and validate the compliance requirements for your organisation, we’ve gathered the following compliance resources.
Service Organization Controls (SOC 1) reports provide information about a service organisation’s control environment that may be relevant to the customer's internal controls over financial reporting.
The Workday SOC 2 Type II report is an independent assessment of our control environment performed by a third party.
The American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Control (SOC 3) framework for safeguarding the confidentiality and privacy of information that is stored and processed in the cloud.
ISO 27001 is a globally recognised, standards-based approach to security that outlines requirements for an organisation’s Information Security Management System (ISMS).
ISO 27017, published in 2015, is a complementary standard to ISO 27001.
ISO 27018, published in 2014, is a complementary standard to ISO 27001.
ISO 27701, published in 2019, is a complementary standard to ISO 27001.
Workday supports PCI DSS compliance within the scope of the Workday Secure Credit Card Environment, which is an isolated environment that stores, processes and transmits unmasked cardholder data through predefined integrations.
Workday has completed a Health Insurance Portability and Accountability Act (HIPAA) third-party attestation for Workday enterprise cloud applications, which provides assurance that Workday has a HIPAA-compliance programme with adequate measures for saving, accessing and sharing individual medical and personal information.
The NIST Cybersecurity Framework (CSF) provides guidance for organisations on how to improve their ability to prevent, detect and respond to cybersecurity risks. The NIST 800-171 standard relates to protecting Controlled Unclassified Information in non-federal Information Systems and Organisations.
The G-Cloud framework is an agreement between the UK government and cloud-based service providers.
The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Self-Assessment consolidates current information regarding security risks and controls into one industry-standard questionnaire (CSA STAR CAIQ).
Workday is an active Privacy Shield participant. TRUSTe is Workday’s third-party verification agent for the Privacy Shield.
The EU Cloud Code of Conduct (CCoC) consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR.
Workday is a participant under the TRUSTe Enterprise Privacy & Data Governance Practices Program.
The Standardized Information Gathering (SIG) questionnaire is a compilation of information technology and data security questions across a broad spectrum of control areas into one industry standard questionnaire.
Cyber Essentials is a UK government-backed scheme to help organisations protect against cyber-security threats by setting out baseline technical controls.