// Trust & Security Report
Workday, Inc. (HiredScore AI Division)
HiredScore AI for Recruiting and HiredScore AI for Talent Mobility — AI-driven talent acquisition and employee mobility tools integrated with Workday's talent management suite. Provides candidate prioritization, sourcing, and hiring guidance using machine learning.
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on workday.com“The SOC 2 Type II report is an independent assessment of our control environment performed by a third party. (Workday-level attestation; the compliance page does not separately enumerate HiredScore AI products in its SOC 2 scope statement, but HiredScore now runs as a Workday product on the Workday platform.)”
Verify on workday.com“HiredScore AI for Recruiting and HiredScore AI for Talent Mobility are listed within Workday's TRUSTe Enterprise Privacy & Data Privacy Governance Practices Certification, its Data Privacy Framework participation, and its Global CBPRs and PRP Certification, which address EU GDPR requirements. A DPA is available.”
Verify on workday.com“Workday is STAR Level 1 Certified on the CSA STAR Registry. (Workday-level self-assessment; HiredScore AI products are not separately enumerated.)”
Verify on workday.com“HiredScore AI for Recruiting and HiredScore AI for Talent Mobility hold TRUSTe Enterprise Privacy & Data Privacy Governance Practices Certification.”
Verify on workday.com“Workday adheres to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework with TRUSTe as verification agent.”
> Show 8 unconfirmed / not-held certifications
source: workday.comNo public evidence that HiredScore AI products are within the ISO 27001 certificate scope. Workday's ISO 27001 ISMS certification enumerates specific Workday products and does not list HiredScore AI for Recruiting or HiredScore AI for Talent Mobility. (TRUSTe Enterprise Privacy certification does not demonstrate ISO 27001 compliance.)
source: workday.comNo public evidence that HiredScore AI products are covered by Workday's HIPAA attestation. Workday states it has completed a HIPAA third-party attestation for the Workday Enterprise Products; HiredScore AI for Recruiting and Talent Mobility are not named in that scope, and TRUSTe Enterprise Privacy certification does not demonstrate HIPAA compliance.
source: workday.comWorkday is FedRAMP Authorized status at the Moderate security impact level, but there is no public evidence that HiredScore AI products fall within the FedRAMP authorization boundary (Workday Government Cloud). HiredScore inclusion in the FedRAMP scope is not documented.
source: security-profiles.nudgesecurity.comNo public evidence of PCI DSS certification found on vendor-domain sources for HiredScore products.
source: workday.comNo public evidence of ISO 27017 certification found on vendor-domain sources for HiredScore products.
source: workday.comNo public evidence of ISO 27018 certification found on vendor-domain sources for HiredScore products.
source: workday.comNo public evidence of ISO 27701 certification found on vendor-domain sources for HiredScore products.
source: workday.comNo public evidence of ISO/IEC 42001 AI governance certification found on vendor-domain sources. Workday emphasizes responsible AI governance but does not claim ISO 42001 certification.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
AWS-hosted; multi-region deployment with Standard Contractual Clauses for EU/UK/Switzerland data transfers. No specific EU-only data residency option documented on vendor pages.
Workday emphasizes that it does not sell customer data or monetize it through advertising. However, Workday's use of customer applicant data to train and evaluate HiredScore Spotlight's AI grading model has been the subject of litigation. An independent audit by Secretariat (March 20, 2026) found no evidence of disparate impact in HiredScore Spotlight's grading system when tested on Workday's own applicant data. Customer data use for model improvement is not explicitly prohibited in public documentation. See litigation flag below.
// Security controls
Encryption in Transit
Implied through SOC 2 Type II certification; no specific protocol details published
workday.comEncryption at Rest
Implied through SOC 2 Type II and ISO 27001 certifications; no specific protocol details published
workday.comAuthentication
Supports Single Sign-On (Okta, Google, Microsoft); email and SMS two-factor authentication available
security-profiles.nudgesecurity.comInfrastructure
Hosted on Amazon Web Services (AWS) with multi-region deployment for redundancy
security-profiles.nudgesecurity.comStatus Monitoring
Operational status available at status.hiredscore.com
security-profiles.nudgesecurity.comThird-Party Dependencies
Integrates with 18+ vendors (AWS, Google Workspace, Atlassian, HubSpot, Zoom, etc.); supply chain risk inherent
security-profiles.nudgesecurity.com// Products & data scope
data: Candidate applications, resumes, job descriptions, recruiter/hiring manager interaction data
Provides AI-driven candidate grading, sourcing, and prioritization. Subject to independent audit for bias (Secretariat, March 2026). Integrated with Workday Recruiting platform.
data: Employee skills, internal job postings, career history, employee mobility data
Helps identify internal talent for open positions and support career mobility. Part of Workday's talent management suite.
// What to watch
- IDENTITY: HiredScore is now fully part of Workday, Inc. (acquired). The hiredscore.com domain redirects to workday.com. No dedicated trust center; uses Workday's shared compliance documentation. This is not a vendor over-claim but important context: HiredScore compliance is inseparable from Workday's broader security posture.
- CERT-SOURCING: On Workday's own compliance page, HiredScore AI for Recruiting and HiredScore AI for Talent Mobility are explicitly enumerated ONLY under the Data Privacy Framework, the TRUSTe Enterprise Privacy & Data Privacy Governance Practices Certification, and the Global CBPRs and PRP Certification. Workday holds SOC 2 Type II, ISO 27001, HIPAA (Enterprise Products), FedRAMP Moderate, and CSA STAR at the organization level, but the page does NOT name HiredScore products within the ISO 27001 certificate scope, the HIPAA attestation scope, or the FedRAMP authorization boundary. QA correction: the first-pass draft's held=true proof quotes for ISO 27001, HIPAA, and FedRAMP were fabricated (they conflated the TRUSTe Enterprise Privacy certification with ISO 27001 / HIPAA compliance, and asserted HiredScore FedRAMP inclusion). Those three are downgraded to held=false with no-public-evidence wording. SOC 2 (org-wide) and CSA STAR (org-wide self-assessment) are retained as held=true at the Workday level with corrected proof quotes; GDPR is retained because HiredScore is explicitly listed under TRUSTe/DPF/CBPR.
- AI-TRAINING-OPACITY: Workday states it does not sell customer data, but does not explicitly document whether customer applicant data is used to train or improve HiredScore Spotlight's grading model. Court litigation (2026) has required Workday to disclose customer lists for HiredScore use, indicating regulatory scrutiny of AI training practices.
- LITIGATION: Workday has been ordered by a court (2026) to provide a customer list of organizations that enabled HiredScore AI features during a relevant period. This reflects ongoing legal challenges regarding algorithmic fairness, transparency, and potential bias in AI hiring tools. Independent audit (Secretariat, March 2026) found no disparate impact in one test scenario, but applicability is limited to Workday's own applicant data.
- EU-DATA-RESIDENCY: No option for EU-only data residency documented. HiredScore uses Standard Contractual Clauses for GDPR compliance, but data processing may occur in multiple regions on AWS. Organizations with strict residency requirements should clarify with Workday.
- HIPAA-SCOPE: HIPAA is NOT confirmed for HiredScore. Workday's HIPAA third-party attestation is scoped to the Workday Enterprise Products; HiredScore AI products are not named, and TRUSTe Enterprise Privacy certification does not demonstrate HIPAA compliance. HiredScore is a recruiting/talent tool, not a healthcare platform. Any healthcare customer processing PHI would need to confirm HIPAA coverage and a Business Associate Agreement (BAA) directly with Workday.
- NO-DEDICATED-TRUST-CENTER: HiredScore has no standalone trust center or security page. All compliance information is hosted on Workday's pages. This is not unusual for acquired products but reduces direct vendor transparency.
- ISO-42001-ABSENT: As an AI-driven recruiting product, HiredScore does not have published ISO/IEC 42001 (AI governance) certification. Workday emphasizes responsible AI practices but has not pursued formal AI governance certification.
// At a glance
Pricing model
Workday subscription model; HiredScore AI features included as add-on to Workday Recruiting and Talent Management subscriptions. Not independently priced.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Workday, Inc. (HiredScore AI Division)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
workday.com