Data Protection in the Cloud: The Workday Way

The recent European Court of Justice (ECJ) ruling invalidating the EU-US Safe Harbor framework has created uncertainty concerning data transfers from the European Union to the United States. Workday’s customers needn’t worry though. Workday makes Standard Contract Clauses (SCCs), a Safe Harbor alternative that remains intact following the ECJ’s ruling, available to all customers. By embracing the European Commission-approved SCCs, Workday subjects itself to the highest threshold of regulatory oversight and enforcement offered by EU member states and EU data protection authorities.

The SCCs are just one aspect of Workday’s robust privacy and security program that ensures customer data is protected and relevant laws are respected.

As a leading provider of enterprise cloud applications for finance and human resources, Workday uses the cloud to deliver global financial management, human capital management, and analytics applications to forward-thinking companies. While our applications deliver industry-best capability today, our technology is built for the future. Our software is continually updated to meet our customers’ needs, anticipating and accommodating future changes in their businesses, industries, geographies, and compliance requirements.

Protecting and securing our customers’ data is fundamentally important to Workday. Privacy and security at Workday are not add-on features; they are embedded in our service and business model. All Workday customers are always on the same version of our software. This enhances our ability to innovate and our ability to protect our customers’ data. We can respond to security threats quickly by pushing security updates to our entire customer base and ensuring common data handling standards. We also operate on a unified security model. This includes user access, system integration, reporting, mobile device, and IT access.

We’re committed to key security and privacy concepts that promote a secure, safe, regulated environment:

  • Our customers own and control their data. We only use customer data to operate our service and don’t monetize the data. Each customer determines what data to enter, configures the applications to best safeguard that data, and can configure business processes to further safeguard the privacy of personal data.
  • Data is encrypted when it is in transit and at rest in our persistent data store. Workday encrypts every attribute value in the application before it is stored in the database. This is a fundamental design characteristic of the Workday technology. All customer data in the persistent layer is encrypted and accessed only by the application server.
  • We are transparent about where and how customer data is processed. We provide customers with visibility into our security and privacy controls through third-party audits (SOC-1 and SOC-2), through ISO (27001 and 27018), Safe Harbor and TRUSTe Enterprise certifications, as well as our Customer Audit Program.

Workday encourages both the US and EU to find a successor system to the Safe Harbor that will honor the ECJ ruling and respect the laws and data protection needs of the US and EU Member States. As data flows are “the backbone of the economy,” it is important that strong trading partners like the US and the EU can offer a range of legally sound transfer mechanisms to all companies, from SMEs to global giants, be they Safe Harbors or SCCs, to ensure a safe and prosperous digitally enabled future for all. We anticipate that a Safe Harbor successor arrangement could continue privacy oversight by European Data Protection Authorities over US-based transferees. We’ve operated under that scrutiny successfully for years and are ready for that authority to continue as part of a Safe Harbor successor arrangement.