// Trust & Security Report

    Workday, Inc. (HiredScore AI Division) logo

    Workday, Inc. (HiredScore AI Division)

    HiredScore AI for Recruiting and HiredScore AI for Talent Mobility — AI-driven talent acquisition and employee mobility tools integrated with Workday's talent management suite. Provides candidate prioritization, sourcing, and hiring guidance using machine learning.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    The SOC 2 Type II report is an independent assessment of our control environment performed by a third party. (Workday-level attestation; the compliance page does not separately enumerate HiredScore AI products in its SOC 2 scope statement, but HiredScore now runs as a Workday product on the Workday platform.)

    Verify on workday.com
    GDPR Compliance
    HELD

    HiredScore AI for Recruiting and HiredScore AI for Talent Mobility are listed within Workday's TRUSTe Enterprise Privacy & Data Privacy Governance Practices Certification, its Data Privacy Framework participation, and its Global CBPRs and PRP Certification, which address EU GDPR requirements. A DPA is available.

    Verify on workday.com
    CSA STAR Level 1
    HELD

    Workday is STAR Level 1 Certified on the CSA STAR Registry. (Workday-level self-assessment; HiredScore AI products are not separately enumerated.)

    Verify on workday.com
    TRUSTe Enterprise Privacy & Data Privacy Governance
    HELD

    HiredScore AI for Recruiting and HiredScore AI for Talent Mobility hold TRUSTe Enterprise Privacy & Data Privacy Governance Practices Certification.

    Verify on workday.com
    EU-U.S. Data Privacy Framework
    HELD

    Workday adheres to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework with TRUSTe as verification agent.

    Verify on workday.com
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence that HiredScore AI products are within the ISO 27001 certificate scope. Workday's ISO 27001 ISMS certification enumerates specific Workday products and does not list HiredScore AI for Recruiting or HiredScore AI for Talent Mobility. (TRUSTe Enterprise Privacy certification does not demonstrate ISO 27001 compliance.)

    source: workday.com
    HIPAA
    NOT CONFIRMED

    No public evidence that HiredScore AI products are covered by Workday's HIPAA attestation. Workday states it has completed a HIPAA third-party attestation for the Workday Enterprise Products; HiredScore AI for Recruiting and Talent Mobility are not named in that scope, and TRUSTe Enterprise Privacy certification does not demonstrate HIPAA compliance.

    source: workday.com
    FedRAMP Moderate
    NOT CONFIRMED

    Workday is FedRAMP Authorized status at the Moderate security impact level, but there is no public evidence that HiredScore AI products fall within the FedRAMP authorization boundary (Workday Government Cloud). HiredScore inclusion in the FedRAMP scope is not documented.

    source: workday.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor-domain sources for HiredScore products.

    source: security-profiles.nudgesecurity.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on vendor-domain sources for HiredScore products.

    source: workday.com
    ISO 27018 (Personal Data Protection in Cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor-domain sources for HiredScore products.

    source: workday.com
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on vendor-domain sources for HiredScore products.

    source: workday.com
    ISO/IEC 42001 (AI Management Systems)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI governance certification found on vendor-domain sources. Workday emphasizes responsible AI governance but does not claim ISO 42001 certification.

    source: workday.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    AWS-hosted; multi-region deployment with Standard Contractual Clauses for EU/UK/Switzerland data transfers. No specific EU-only data residency option documented on vendor pages.

    Workday emphasizes that it does not sell customer data or monetize it through advertising. However, Workday's use of customer applicant data to train and evaluate HiredScore Spotlight's AI grading model has been the subject of litigation. An independent audit by Secretariat (March 20, 2026) found no evidence of disparate impact in HiredScore Spotlight's grading system when tested on Workday's own applicant data. Customer data use for model improvement is not explicitly prohibited in public documentation. See litigation flag below.

    // Security controls

    Encryption in Transit

    Implied through SOC 2 Type II certification; no specific protocol details published

    workday.com

    Encryption at Rest

    Implied through SOC 2 Type II and ISO 27001 certifications; no specific protocol details published

    workday.com

    Authentication

    Supports Single Sign-On (Okta, Google, Microsoft); email and SMS two-factor authentication available

    security-profiles.nudgesecurity.com

    Infrastructure

    Hosted on Amazon Web Services (AWS) with multi-region deployment for redundancy

    security-profiles.nudgesecurity.com

    Status Monitoring

    Operational status available at status.hiredscore.com

    security-profiles.nudgesecurity.com

    Third-Party Dependencies

    Integrates with 18+ vendors (AWS, Google Workspace, Atlassian, HubSpot, Zoom, etc.); supply chain risk inherent

    security-profiles.nudgesecurity.com

    // Products & data scope

    HiredScore AI for RecruitingTalent Acquisition / Recruiting

    data: Candidate applications, resumes, job descriptions, recruiter/hiring manager interaction data

    Provides AI-driven candidate grading, sourcing, and prioritization. Subject to independent audit for bias (Secretariat, March 2026). Integrated with Workday Recruiting platform.

    HiredScore AI for Talent MobilityInternal Talent Management / Succession Planning

    data: Employee skills, internal job postings, career history, employee mobility data

    Helps identify internal talent for open positions and support career mobility. Part of Workday's talent management suite.

    // What to watch

    • IDENTITY: HiredScore is now fully part of Workday, Inc. (acquired). The hiredscore.com domain redirects to workday.com. No dedicated trust center; uses Workday's shared compliance documentation. This is not a vendor over-claim but important context: HiredScore compliance is inseparable from Workday's broader security posture.
    • CERT-SOURCING: On Workday's own compliance page, HiredScore AI for Recruiting and HiredScore AI for Talent Mobility are explicitly enumerated ONLY under the Data Privacy Framework, the TRUSTe Enterprise Privacy & Data Privacy Governance Practices Certification, and the Global CBPRs and PRP Certification. Workday holds SOC 2 Type II, ISO 27001, HIPAA (Enterprise Products), FedRAMP Moderate, and CSA STAR at the organization level, but the page does NOT name HiredScore products within the ISO 27001 certificate scope, the HIPAA attestation scope, or the FedRAMP authorization boundary. QA correction: the first-pass draft's held=true proof quotes for ISO 27001, HIPAA, and FedRAMP were fabricated (they conflated the TRUSTe Enterprise Privacy certification with ISO 27001 / HIPAA compliance, and asserted HiredScore FedRAMP inclusion). Those three are downgraded to held=false with no-public-evidence wording. SOC 2 (org-wide) and CSA STAR (org-wide self-assessment) are retained as held=true at the Workday level with corrected proof quotes; GDPR is retained because HiredScore is explicitly listed under TRUSTe/DPF/CBPR.
    • AI-TRAINING-OPACITY: Workday states it does not sell customer data, but does not explicitly document whether customer applicant data is used to train or improve HiredScore Spotlight's grading model. Court litigation (2026) has required Workday to disclose customer lists for HiredScore use, indicating regulatory scrutiny of AI training practices.
    • LITIGATION: Workday has been ordered by a court (2026) to provide a customer list of organizations that enabled HiredScore AI features during a relevant period. This reflects ongoing legal challenges regarding algorithmic fairness, transparency, and potential bias in AI hiring tools. Independent audit (Secretariat, March 2026) found no disparate impact in one test scenario, but applicability is limited to Workday's own applicant data.
    • EU-DATA-RESIDENCY: No option for EU-only data residency documented. HiredScore uses Standard Contractual Clauses for GDPR compliance, but data processing may occur in multiple regions on AWS. Organizations with strict residency requirements should clarify with Workday.
    • HIPAA-SCOPE: HIPAA is NOT confirmed for HiredScore. Workday's HIPAA third-party attestation is scoped to the Workday Enterprise Products; HiredScore AI products are not named, and TRUSTe Enterprise Privacy certification does not demonstrate HIPAA compliance. HiredScore is a recruiting/talent tool, not a healthcare platform. Any healthcare customer processing PHI would need to confirm HIPAA coverage and a Business Associate Agreement (BAA) directly with Workday.
    • NO-DEDICATED-TRUST-CENTER: HiredScore has no standalone trust center or security page. All compliance information is hosted on Workday's pages. This is not unusual for acquired products but reduces direct vendor transparency.
    • ISO-42001-ABSENT: As an AI-driven recruiting product, HiredScore does not have published ISO/IEC 42001 (AI governance) certification. Workday emphasizes responsible AI practices but has not pursued formal AI governance certification.

    // At a glance

    Pricing model

    Workday subscription model; HiredScore AI features included as add-on to Workday Recruiting and Talent Management subscriptions. Not independently priced.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Workday, Inc. (HiredScore AI Division)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    workday.com

    > Browse all vendor trust reports