// Trust & Security Report
Workday, Inc.
Workday Adaptive Planning — enterprise performance management (EPM) software for financial planning, workforce planning, operational planning, and close/consolidation. Part of the Workday suite of cloud applications.
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on workday.com“SOC 2 Type II: independent assessment of our control environment performed by a third party covering Security, Availability, Confidentiality, Processing Integrity, and Privacy. Applies to Enterprise Products, Adaptive Planning, Strategic Sourcing, Peakon Employee Voice, VNDLY, and contract management solutions.”
Verify on workday.com“ISO 27001: Information Security Management System certification. Covers Enterprise Products, Adaptive Planning, Strategic Sourcing, VNDLY, and Peakon Employee Voice.”
Verify on workday.com“ISO 27017 & ISO 27018: Cloud-specific security standards. Both apply to Enterprise Products and Adaptive Planning.”
Verify on workday.com“ISO 27017 & ISO 27018: Cloud-specific security standards. Both apply to Enterprise Products and Adaptive Planning.”
Verify on workday.com“ISO 27701: Privacy Information Management System extension. Applies to Enterprise Products and Adaptive Planning.”
Verify on workday.com“ISO 42001: AI management system standard. Covers multiple products including HCM, Financial Management, Adaptive Planning, and others.”
Verify on workday.com“Workday Adaptive Planning is part of Workday's program designed to demonstrate that their privacy and data governance practices comply with standards based on the EU General Data Protection Regulation (GDPR). Workday adheres to the EU Cloud Code of Conduct, confirming that its technical and organizational measures meet the stringent requirements of the EU GDPR.”
Verify on workday.com“Workday is STAR Level 1 Certified on the CSA STAR Registry”
Verify on workday.com“Enterprise Privacy & Data Privacy Governance Practices Certification, designed to demonstrate compliance with standards based on recognized laws including the OECD Privacy Guidelines, GDPR, HIPAA, APEC Privacy Framework, and ISO 27001.”
> Show 3 unconfirmed / not-held certifications
source: workday.comHIPAA attestation listed for Enterprise Products only; Adaptive Planning not explicitly included in HIPAA scope
source: workday.comNo public evidence of PCI DSS certification for Workday or Adaptive Planning
source: workday.comFedRAMP Moderate listed for Government Cloud only; not applicable to standard Adaptive Planning offering
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multiple regions: US standard cloud; EU Sovereign Cloud (AWS Brandenburg, Germany) launching 2026; Australia, Singapore, Germany, Canada deployments on AWS
Workday privacy policy explicitly states: 'does not sell our customers' users' data or monetize that data by selling advertising. Instead, we sell subscriptions to our services.' For enterprise customers using Adaptive Planning, the organization is the data controller, not Workday. Workday does not train AI models on enterprise customer data.
// Security controls
Encryption in transit
TLS (Transport Layer Security) for all data in transit over internet
workday.comKey management
Workday Key Management Service (KMS) for cryptographic key lifecycle management; optional bring-your-own-key (BYOK) for customer-managed keys
workday.comData center security
24/7 security monitoring, camera surveillance, redundant systems, N+1 redundancy for environmental controls (fire suppression, HVAC, power)
workday.comNetwork security
Global Security Operations Center 24/7/365; perimeter defense; threat prevention tools; third-party vulnerability assessments
workday.comApplication security
Secure Software Development Life Cycle (SSDLC); static/dynamic code analysis; third-party penetration testing before major releases
workday.comAccess control
Role-based authentication; SAML single sign-on; x509 certificates; OpenID Connect; secure password hashing; configurable password complexity; automatic session timeouts. Adaptive Planning: levels, versions, accounts, sheets, permissions, and access rules for data protection
workday.comData processing agreement
Standard Data Protection Exhibit (DPE) included in Master Subscription Agreement (MSA); incorporates latest EU Standard Contractual Clauses (SCCs); approved processor Binding Corporate Rules (BCRs)
workday.comInternational data transfer safeguards
EU-U.S. Data Privacy Framework, UK Extension to EU-U.S. DPF, Swiss-U.S. Data Privacy Framework compliance
workday.com// Products & data scope
data: Budget, forecast, scenario planning, financial reporting
Flexible, AI-driven budgeting, scenario planning, and reporting
data: Hiring plans, skill requirements, headcount forecasting
Plan for the skills needed; align finance, sales, HR, marketing, and IT
data: Companywide collaborative planning, real-time data, resource deployment
Resource allocation to meet business goals
data: Consolidation processes, close tasks
Streamline close and consolidation for accuracy and efficiency
// What to watch
- HIPAA attestation is for Workday Enterprise Products only; Adaptive Planning is not explicitly listed in HIPAA scope. Healthcare customers should confirm HIPAA coverage separately.
- Adaptive Planning is a Workday product, not an independent vendor. All security, compliance, and privacy commitments are Workday's, not a separate entity.
// At a glance
Pricing model
Subscription-based cloud SaaS (exact pricing not public; contact sales)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Workday, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
compliance.workday.com