Service Organisation Controls (SOC 1) reports provide information about a service organisation’s control environment that may be relevant to the customer's internal controls over financial reporting. Our SOC 1 Type II report is issued in accordance with Statements on Standards of Attestation Engagements (SSAE) No. 18 (Reporting on Controls at a Service Organisation) and the International Standard on Assurance Engagements (ISAE) 3402 (Assurance Reports on Controls at a Service Organisation). The SOC 1 report covers the design and operating effectiveness of controls relevant to Workday Adaptive Planning for the period October 1 2018 through September 30 2019.
Workday Adaptive Planning provides enterprise-class protection, service, and resiliency you can rely on and trust. Workday Adaptive Planning is SOC 2 Type II compliant. SOC 2 is the AICPA standard for reporting on controls at service organisations, including Software-as-a-Service providers (SaaS). The SOC 2 attestation covers the security, confidentiality, processing integrity, and availability trust service principles.
The American Institute of Certified Public Accountants (AICPA) has developed the Service Organisation Control (SOC 3) framework for safeguarding the confidentiality and privacy of information that is stored and processed in the cloud. The Workday SOC 3 report, an independent assessment of our control environment performed by a third party, is publicly available and summarises our control environment as it relates to the security, availability, confidentiality and processing integrity of customer data.
ISO 27001 is a globally recognised, standards-based approach to security that sets out the requirements for an organisation's Information Security Management System (ISMS), which covers all legal, physical and technical controls involved in an organisation's information risk management processes. Workday Adaptive Planning obtained ISO 27001 certification in 2019. Certification is achieved following an independent assessment of Workday Adaptive Planning's conformity to the ISO standard.
With customers in more than 50 countries, Workday Adaptive Planning regards data privacy and adherence to regional regulations with the utmost importance. TrustArc performs annual certification of our services to ensure compliance with EU-US and Swiss-US Privacy Shield Frameworks and the APEC Cross Border Privacy Rules (CBPR) system covering the collection, use, and retention of data. Our practices are also consistent with Canada's PIPEDA and the Australian Privacy Principles.
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) went into effect in the European Union (EU). The GDPR establishes global privacy requirements governing how you manage and protect personal data of EU citizens and residents while respecting individual choice—regardless of where data is sent, processed, or stored. This expansion of the privacy rights of EU individuals places new obligations on any company that markets, tracks, or handles EU personal data.
At Workday Adaptive Planning, we believe that the GDPR is an important step toward strengthening data protection laws across the European Union and enabling individual privacy rights. We are committed to GDPR readiness; enforcement began on May 25, 2018. A copy of the Workday Adaptive Planning Data Processing Agreement is available on request.
Workday Adaptive Planning is only available over HTTPS, and all application data, logins, session cookies and other traffic are transported using industry-standard TLS encryption. All tape backup media, including on-site and off-site vaulting, is encrypted with at least 128-bit AES. In our multi-tenant architecture, each customer's data is logically segregated from every other customer's. Passwords are never stored in recoverable form: they are protected with salted, one-way hashes produced by a key-stretching algorithm. Organisations may instead integrate with their existing identity and access management solutions (including cloud providers) through our SAML2 support. Administrators also have the option to restrict access to their accounts to specified IP addresses.
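As an added illustration of the salted, key-stretched password storage described above (this is example code, not Workday's implementation), the block below uses Python's standard-library PBKDF2-HMAC-SHA256; the record format, iteration count and function names are my assumptions:

```python
# Illustration of salted, key-stretched one-way password storage (example code, not Workday's).
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256; assumed policy value for this example
SALT_BYTES = 16        # fresh random salt per password, so equal passwords yield different records


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:          # malformed record: wrong field count, bad hex or bad integer
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was produced with a weaker work factor than current policy,
    so the application can re-hash it on the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < minimum_iterations
```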
Workday Adaptive Planning allows quick and simple management of permissions using a role-based access control model. Customer administrators define the specific permissions for each role and assign those roles to users. These controls can be made as granular as desired all the way down to the row level of a sheet. Sheets and reports will display only data within a particular user's or role's security permissions. The platform provides a comprehensive audit trail that records all interactions and lets administrators understand what changes were made, by whom, and when they happened.
All production systems and data operations are hosted in top-tier data centres within secure cages, with redundant power supplies, diverse carrier access, and robust physical security. Only a limited set of authorised personnel have access to these systems, and they authenticate with multi-factor authentication. Redundant firewalls with active failover and in-line intrusion detection/prevention systems enforce strong perimeter security. Continuous internal and third-party scans, including regular penetration testing, are performed to validate network, system, and application security.
Data centres are strategically placed to provide broad geographic coverage and great application performance to our customers worldwide. Organisations can easily maintain data sovereignty and know exactly where their data is at all times with the choice of hosting in our USA, Europe, Canada, or Australia data centres. To further protect against any possible case of failure, we maintain secondary and tertiary local databases and continuously replicate database transactions to geographically diverse disaster recovery (DR) sites within each country/region. DR plans are tested and updated regularly to ensure fast failover capabilities and to minimise any service disruption.
Workday Adaptive Planning has a proven track record of providing high availability, reliable performance, and secure access to a globally dispersed user base. We commit to a contractual uptime SLA (for a given month, excluding scheduled maintenance). We believe in transparency and continuously monitor our system availability and performance, and make these metrics available on our website.