// Trust & Security Report

    Workday, Inc. logo

    Workday, Inc.

    Enterprise AI platform for HR, Finance, and IT (Workday HCM, Financial Management, Adaptive Planning) with embedded AI/agentic features marketed as Workday Illuminate and "Sana" (Workday's newly acquired agentic AI layer, announced 2026); also offers Workday Government Cloud (FedRAMP Moderate) as a separate deployment tier.

    Certifications held

    16

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    The SOC 2 Type II report is an independent assessment of our control environment performed by a third party.

    Verify on workday.com
    SOC 1 Type II
    HELD

    Service Organization Controls (SOC 1) reports provide information about a service organization's control environment that may be relevant to the customer's internal controls over financial reporting.

    Verify on workday.com
    SOC 3
    HELD

    The SOC 3 report, an independent assessment of our control environment performed by a third party, is publicly available and provides a summary of our control environment relevant to the security, availability, confidentiality, processing integrity, and privacy of customer data.

    Verify on workday.com
    ISO 27001
    HELD

    Our Information Security Management System (ISMS) meets the requirements set forth by this globally recognized, standards-based approach to security.

    Verify on workday.com
    ISO 27017
    HELD

    This standard provides controls and implementation guidance for information security controls applicable to the provision and use of cloud services.

    Verify on workday.com
    ISO 27018
    HELD

    This standard contains guidelines applicable to cloud service providers that process personal data.

    Verify on workday.com
    ISO 27701
    HELD

    This standard provides the requirements and guidelines for the implementation and continuous improvement of an organization's Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001.

    Verify on workday.com
    ISO/IEC 42001 (AI Management System)
    HELD

    ISO 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an artificial intelligence management system (AIMS) within organizations. ... [Workday engaged] Schellman to certify our program to ISO 42001 standards.

    Verify on workday.com
    NIST AI Risk Management Framework (evaluation, not a certification)
    HELD

    [Workday engaged] Coalfire, a cybersecurity leader, to evaluate our AI processes against the NIST AI Risk Management Framework.

    Verify on workday.com
    CSA STAR (Level 1, CAIQ self-assessment)
    HELD

    Workday is STAR Level 1 Certified on the CSA STAR Registry. ... 'CSA STAR 1' badge listed on the Workday Trust Center.

    Verify on compliance.workday.com
    HIPAA (third-party attestation, BAA available)
    HELD

    Workday has completed a Health Insurance Portability and Accountability Act (HIPAA) third-party attestation for the Workday Enterprise Products, which provides assurance that Workday has a HIPAA-compliance program with adequate measures for saving, accessing, and sharing individual medical and personal information.

    Verify on workday.com
    GDPR (compliance posture, not a certification)
    HELD

    Our data processing terms incorporate the latest European Commission's Standard Contractual Clauses (SCCs)... Workday is one of the few companies worldwide with approved processor binding corporate rules (BCRs).

    Verify on workday.com
    FedRAMP Moderate (Workday Government Cloud only)
    HELD

    Workday is FedRAMP Authorized status at the Moderate security impact level for Workday Government Cloud.

    Verify on workday.com
    EU-U.S. / Swiss-U.S. / UK Extension Data Privacy Framework
    HELD

    Workday is self-certified under the EU-U.S., Swiss-U.S. and UK-U.S. Extension to the Data Privacy Framework, with certifications inspectable in the official Data Privacy Framework List of the U.S. Department of Commerce.

    Verify on workday.com
    TISAX
    HELD

    TISAX badge listed among Security & Compliance Badges on the Workday Trust Center.

    Verify on compliance.workday.com
    Cyber Essentials Plus
    HELD

    Cyber Essentials Plus badge listed among Security & Compliance Badges on the Workday Trust Center.

    Verify on compliance.workday.com
    > Show 2 unconfirmed / not-held certifications
    CSA STAR for AI
    NOT CONFIRMED

    No public evidence of a distinct CSA STAR for AI (AI-specific CAIQ/STAR) certification; Workday's AI governance proof points are ISO 42001 and NIST AI RMF, not CSA STAR for AI.

    source: workday.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation was found on Workday's trust center or compliance pages; Workday is an HR/Finance ERP, not a payment processor, so PCI DSS scope is unclear and not claimed by the vendor. No public evidence.

    source: compliance.workday.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Workday operates region-specific hosting (US/Canada, EU/UK, APJ) and publishes per-region security/data-processing datasheets; exact tenant data residency is contract-configurable, not a single global default.

    Workday's clear, repeated public commitment is: 'We never share customer data to train third-party public models' (responsible-ai.html, also repeated on its careers page). This rules out sending customer data to external/public LLM providers for training. However, Workday does NOT explicitly state, on any page reviewed, whether it uses (aggregated/de-identified/tenant-isolated) customer data to train its OWN proprietary in-house ML/AI models (e.g. Illuminate skills/matching models). AI deployment protocols do describe an opt-out-style control: 'Ensure data subjects are provided optionality...to request alternative procedures to that of the AI solution processing their data' and 'Design the AI feature to allow for alternative data-processing procedures, such as human review.' Because Workday's own product family recently rebranded/added 'Sana' as an agentic AI layer (per the captured homepage evidence), and no vendor page was found with a granular AI-training-per-tier breakdown, this is graded null (unresolved) rather than assumed either way.

    // Security controls

    Encryption in transit / at rest

    Not independently re-verified in this pass beyond trust center badge listing; Workday's Trust Center references rigorous technical controls across people, process, and technology but a specific encryption-standard quote was not captured.

    compliance.workday.com

    Third-party audits & penetration testing

    Annual third-party audits and penetration testing performed (per Trust Center summary).

    compliance.workday.com

    Bug bounty / vulnerability disclosure

    Bug bounty / vulnerability disclosure program in place (per Trust Center summary).

    compliance.workday.com

    Subprocessor transparency

    Workday publishes a subprocessor list: 'We hold our subprocessors to the same stringent privacy and security standards that we uphold ourselves...we maintain a comprehensive list of all subprocessors for full transparency.'

    workday.com

    Disaster recovery

    Disaster recovery plan in place (per Trust Center summary).

    compliance.workday.com

    Identity / access management

    Centralized IAM/SSO solution referenced on Trust Center.

    compliance.workday.com

    // Products & data scope

    Workday Enterprise Products (core HCM/Financial Management/Adaptive Planning cloud suite)Enterprise HR & Finance ERP

    data: Employee PII, payroll/financial records, HR case data; multi-tenant SaaS.

    Primary scope of the SOC 1/SOC 2/SOC 3, ISO 27001/27017/27018/27701, and HIPAA attestations per the vendor's compliance page, which explicitly names 'Workday Enterprise Products' as the assessed boundary.

    Workday Government CloudEnterprise HR & Finance ERP (US public sector)

    data: Same as core suite, deployed in a segregated environment for US government customers.

    Separately FedRAMP Moderate authorized; this authorization does not apply to the standard commercial cloud.

    Workday Illuminate / "Sana" agentic AI featuresEmbedded AI / agentic automation layer within HR & Finance workflows

    data: Operates on top of the same tenant data as the core suite (skills data, HR records, finance data) to power AI agents, matching, and automation.

    // What to watch

    • The homepage evidence shows Workday now marketing its AI layer as 'Sana' ('Superintelligence for work. Meet Sana.') rather than (or alongside) the previously known 'Workday Illuminate' brand -- this looks like a 2026 rebrand or acquisition-driven consolidation. The trust/compliance and responsible-AI pages fetched still reference 'Illuminate' terminology in places, so there is a possible naming lag between marketing and trust-center content that AIFOXX should re-check at the next verification pass.
    • AI-training-on-customer-data posture is stated only at the 'we do not send customer data to train third-party public models' level; no vendor page found that explicitly confirms or denies use of customer data (even de-identified/aggregated) to train Workday's own proprietary models -- graded null/unresolved rather than assumed favorable.
    • FedRAMP Moderate applies only to the separate 'Workday Government Cloud' offering, not the standard commercial multi-tenant product -- do not present FedRAMP as covering all Workday customers.
    • CSA STAR held is Level 1 (self-assessed CAIQ questionnaire), which is a lower assurance tier than a third-party-audited Level 2 STAR certification; listing should specify 'STAR Level 1' rather than an unqualified 'CSA STAR certified.'
    • PCI DSS graded held=false based on absence of evidence, not a confirmed public statement of out-of-scope; Workday is an HR/Finance ERP so PCI DSS is plausibly out of scope, but this should be treated as 'no public evidence' rather than a definitive denial.

    // At a glance

    Pricing model

    Enterprise sales-led subscription (no public self-serve pricing); not applicable/not disclosed publicly.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Workday, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    compliance.workday.com

    > Browse all vendor trust reports