// Trust & Security Report
Workday, Inc.
Enterprise AI platform for HR, Finance, and IT (Workday HCM, Financial Management, Adaptive Planning) with embedded AI/agentic features marketed as Workday Illuminate and "Sana" (Workday's newly acquired agentic AI layer, announced 2026); also offers Workday Government Cloud (FedRAMP Moderate) as a separate deployment tier.
Certifications held
16
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on workday.com“The SOC 2 Type II report is an independent assessment of our control environment performed by a third party.”
Verify on workday.com“Service Organization Controls (SOC 1) reports provide information about a service organization's control environment that may be relevant to the customer's internal controls over financial reporting.”
Verify on workday.com“The SOC 3 report, an independent assessment of our control environment performed by a third party, is publicly available and provides a summary of our control environment relevant to the security, availability, confidentiality, processing integrity, and privacy of customer data.”
Verify on workday.com“Our Information Security Management System (ISMS) meets the requirements set forth by this globally recognized, standards-based approach to security.”
Verify on workday.com“This standard provides controls and implementation guidance for information security controls applicable to the provision and use of cloud services.”
Verify on workday.com“This standard contains guidelines applicable to cloud service providers that process personal data.”
Verify on workday.com“This standard provides the requirements and guidelines for the implementation and continuous improvement of an organization's Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001.”
Verify on workday.com“ISO 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an artificial intelligence management system (AIMS) within organizations. ... [Workday engaged] Schellman to certify our program to ISO 42001 standards.”
Verify on workday.com“[Workday engaged] Coalfire, a cybersecurity leader, to evaluate our AI processes against the NIST AI Risk Management Framework.”
Verify on compliance.workday.com“Workday is STAR Level 1 Certified on the CSA STAR Registry. ... 'CSA STAR 1' badge listed on the Workday Trust Center.”
Verify on workday.com“Workday has completed a Health Insurance Portability and Accountability Act (HIPAA) third-party attestation for the Workday Enterprise Products, which provides assurance that Workday has a HIPAA-compliance program with adequate measures for saving, accessing, and sharing individual medical and personal information.”
Verify on workday.com“Our data processing terms incorporate the latest European Commission's Standard Contractual Clauses (SCCs)... Workday is one of the few companies worldwide with approved processor binding corporate rules (BCRs).”
Verify on workday.com“Workday is FedRAMP Authorized status at the Moderate security impact level for Workday Government Cloud.”
Verify on workday.com“Workday is self-certified under the EU-U.S., Swiss-U.S. and UK-U.S. Extension to the Data Privacy Framework, with certifications inspectable in the official Data Privacy Framework List of the U.S. Department of Commerce.”
Verify on compliance.workday.com“TISAX badge listed among Security & Compliance Badges on the Workday Trust Center.”
Verify on compliance.workday.com“Cyber Essentials Plus badge listed among Security & Compliance Badges on the Workday Trust Center.”
> Show 2 unconfirmed / not-held certifications
source: workday.comNo public evidence of a distinct CSA STAR for AI (AI-specific CAIQ/STAR) certification; Workday's AI governance proof points are ISO 42001 and NIST AI RMF, not CSA STAR for AI.
source: compliance.workday.comNo public evidence of a PCI DSS attestation was found on Workday's trust center or compliance pages; Workday is an HR/Finance ERP, not a payment processor, so PCI DSS scope is unclear and not claimed by the vendor. No public evidence.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Workday operates region-specific hosting (US/Canada, EU/UK, APJ) and publishes per-region security/data-processing datasheets; exact tenant data residency is contract-configurable, not a single global default.
Workday's clear, repeated public commitment is: 'We never share customer data to train third-party public models' (responsible-ai.html, also repeated on its careers page). This rules out sending customer data to external/public LLM providers for training. However, Workday does NOT explicitly state, on any page reviewed, whether it uses (aggregated/de-identified/tenant-isolated) customer data to train its OWN proprietary in-house ML/AI models (e.g. Illuminate skills/matching models). AI deployment protocols do describe an opt-out-style control: 'Ensure data subjects are provided optionality...to request alternative procedures to that of the AI solution processing their data' and 'Design the AI feature to allow for alternative data-processing procedures, such as human review.' Because Workday's own product family recently rebranded/added 'Sana' as an agentic AI layer (per the captured homepage evidence), and no vendor page was found with a granular AI-training-per-tier breakdown, this is graded null (unresolved) rather than assumed either way.
// Security controls
Encryption in transit / at rest
Not independently re-verified in this pass beyond trust center badge listing; Workday's Trust Center references rigorous technical controls across people, process, and technology but a specific encryption-standard quote was not captured.
compliance.workday.comThird-party audits & penetration testing
Annual third-party audits and penetration testing performed (per Trust Center summary).
compliance.workday.comBug bounty / vulnerability disclosure
Bug bounty / vulnerability disclosure program in place (per Trust Center summary).
compliance.workday.comSubprocessor transparency
Workday publishes a subprocessor list: 'We hold our subprocessors to the same stringent privacy and security standards that we uphold ourselves...we maintain a comprehensive list of all subprocessors for full transparency.'
workday.comIdentity / access management
Centralized IAM/SSO solution referenced on Trust Center.
compliance.workday.com// Products & data scope
data: Employee PII, payroll/financial records, HR case data; multi-tenant SaaS.
Primary scope of the SOC 1/SOC 2/SOC 3, ISO 27001/27017/27018/27701, and HIPAA attestations per the vendor's compliance page, which explicitly names 'Workday Enterprise Products' as the assessed boundary.
data: Same as core suite, deployed in a segregated environment for US government customers.
Separately FedRAMP Moderate authorized; this authorization does not apply to the standard commercial cloud.
data: Operates on top of the same tenant data as the core suite (skills data, HR records, finance data) to power AI agents, matching, and automation.
// What to watch
- The homepage evidence shows Workday now marketing its AI layer as 'Sana' ('Superintelligence for work. Meet Sana.') rather than (or alongside) the previously known 'Workday Illuminate' brand -- this looks like a 2026 rebrand or acquisition-driven consolidation. The trust/compliance and responsible-AI pages fetched still reference 'Illuminate' terminology in places, so there is a possible naming lag between marketing and trust-center content that AIFOXX should re-check at the next verification pass.
- AI-training-on-customer-data posture is stated only at the 'we do not send customer data to train third-party public models' level; no vendor page found that explicitly confirms or denies use of customer data (even de-identified/aggregated) to train Workday's own proprietary models -- graded null/unresolved rather than assumed favorable.
- FedRAMP Moderate applies only to the separate 'Workday Government Cloud' offering, not the standard commercial multi-tenant product -- do not present FedRAMP as covering all Workday customers.
- CSA STAR held is Level 1 (self-assessed CAIQ questionnaire), which is a lower assurance tier than a third-party-audited Level 2 STAR certification; listing should specify 'STAR Level 1' rather than an unqualified 'CSA STAR certified.'
- PCI DSS graded held=false based on absence of evidence, not a confirmed public statement of out-of-scope; Workday is an HR/Finance ERP so PCI DSS is plausibly out of scope, but this should be treated as 'no public evidence' rather than a definitive denial.
// At a glance
Pricing model
Enterprise sales-led subscription (no public self-serve pricing); not applicable/not disclosed publicly.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Workday, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
compliance.workday.com