Workday

At Workday, we believe enterprise applications should be easy to use, intelligent, and engaging—all while maintaining the highest standards of security.
And as new technologies emerge, such as machine learning and conversational UI, our customers can take advantage of new innovations without disruption.
With Workday, innovation is built in.

Features

  • Human Capital Management
  • Financial Management
  • UK Payroll or Cloud Connect for Third-Party Payroll
  • Time & Absence
  • Expenses
  • Recruiting
  • Procurement and/or Inventory
  • Professional Services Automation
  • Financial and Workplace Planning
  • Prism Analytics

Benefits

  • A single system for finance and HR gives total visibility
  • An intuitive mobile and desktop experience increases productivity and adoption
  • Adapt quickly to policy changes and organisational restructuring
  • Rigorous safeguards maintain the highest security and maximum uptime
  • Every customer is on the latest version of our software
  • Better decision-making with real-time analytics
  • Save time/reduce errors with a single intelligent planning solution
  • Improve efficiency and transparency with automation and real-time audits
  • Minimise overheads and shift resources to more strategic roles
  • Rapid deployment and faster time to value

Pricing

£50.96 to £545.42 per person

  • Education pricing available

Service documents

Framework

G-Cloud 11

Service ID

946087553623263

Contact

Workday

Emily Griffiths

+44 20 7150 6253

emily.griffiths@workday.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Workday is a core standalone service in its own right, where the different pricing options allow for different services to be subscribed to; e.g. initially subscribing to Financials and at a later date adding HCM and Payroll.
Cloud deployment model
Public cloud
Service constraints
- Customer tenants will be unavailable during planned maintenance and unplanned outages. Planned maintenance is scheduled by tenant type and the current schedule is available to customers through Workday's Community website.
- Access to Customer Data is limited to USA, EEA countries and countries formally recognized by the European Commission as providing an adequate level of data protection.
- Additional constraints may be contained in Workday's Supplier Terms.
System requirements
Internet connection and HTML 5 compatible browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support response time varies based on the associated severity level assigned to the support case.
Severity 1: Response Time = 30 mins
Severity 2: Response Time = 1 hour
Severity 3: Response Time = 4 hours
Severity 4/5: Response Time = 24 hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
No
Support levels
Workday support is not tiered and operates 24 x 7 x 365. Workday's support personnel are based in one of three geographies (USA, Ireland, New Zealand). Customers submit a case via Workday's online tool. Customers assign a severity for each case and may self escalate at any time.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Workday has a formal New Customer On-boarding process, which consists of the following on-boarding activities:
- Delivery of the Welcome to Workday email to the Customer's Project Manager
- Creation of the customer scorecard
- Enabling the Customer's Project Manager and Training Coordinator in the Workday Customer Center
- Creation of the customer’s Private Community Group
- Granting the Customer's Project Manager access to the Workday Community
- Coordinating with Workday Education to enable customer access to Workday's Learning Management system
- Delivery of the demo tenant
- Delivery of the Welcome to Workday call with the customer team

The Welcome to Workday email requests that the new customer identify a Training Coordinator. Once the customer has provided this information, Workday's Services Operations will update the customer account and the Workday Education team will be notified. Workday Education will enable the Training Coordinator in the Learning Center within 24 hours of receiving notification. The Training Coordinator has access to log a Training Support case in the Customer Center to request information or discuss any matters related to training. This includes, but is not limited to, registration, training offerings, training credits, class schedules, administrative changes and login issues.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
Video (product presentations, trainings)
End-of-contract data extraction
The customer can choose to extract their data on their own via specific reports provided by Workday or the customer can engage Workday Professional Services or a Workday partner to assist in the data extraction process.
End-of-contract process
Workday Support follows a customer off-boarding process to initiate the deletion of a customer’s tenant. The customer may retrieve their Customer Data from within the service. After obtaining appropriate approvals, Workday permanently deletes the customer tenant. Off-boarding activities are documented and tracked in an online tracking system or support case.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Workday Mobile Apps for iPhone, iPad and Android include some features exclusive to those platforms. In addition, Workday Mobile Apps focus on key/common user experiences and transactions and may not contain the full suite of functionality available on the web platform.
Our Workday Web UI is a single web platform that is available on approved browsers for both desktop and mobile devices. There may be minor differences in capabilities based on the platform/browser you are using but, largely, the functional capabilities are identical.
Service interface
Yes
Description of service interface
Every type of user should get the most out of their enterprise applications. With Workday, even novice users are able to navigate the intuitive Workday experience with minimal training, while power users and administrators will find all the tools they need at their fingertips.
Accessibility standards
None or don’t know
Description of accessibility
Workday assesses accessibility in the Workday Service against the WCAG 2.0 AA standards. The summary of this is the "Accessibility In Workday" document, which describes in detail the areas of the Workday Service that comply with WCAG 2.0 AA, as well as functionality that partially conforms or does not yet fully conform to those standards.
Accessibility testing
Workday subject matter experts and 3rd party evaluators perform assessments with assistive technologies including screen magnification, keyboard navigation or screen readers. Workday actively works to address usability defects and provides customers with updates on product and technology enhancements.
API
Yes
What users can and can't do using the API
Users and systems can take full advantage of Workday's API functionality, which is described in detail on Workday's Community website.
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
No

Scaling

Independence of resources
In order to manage tenant performance and availability, Workday performs system capacity planning and analysis, and monitors and supports the Workday network and systems on a 24 x 7 basis. Workday commits to a Service Response and Availability SLA.

Analytics

Service usage metrics
Yes
Metrics types
Workday generates monthly reports that summarize the activity in the customer's Production tenant. These reports include metrics on the customer's usage of their Workday Production tenant, tenant availability (uptime), and response time (performance).
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
Workday encrypts every attribute of customer data within the application before it is stored in the database. This is a fundamental design characteristic of the Workday technology. Workday relies on the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The customer can directly export data from the Workday Service through a variety of reports that are made available.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XLS
  • XML
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • XML
  • Workday XML

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Workday provides Enterprise Interface Builder functionality that allows customers to build secure integrations to transmit data (inbound/outbound) with Workday. Insecure transport protocols, including FTP and e-mail, require PGP file encryption by default unless configured by the customer’s designated security personnel, which is systematically enforced.
Data protection within supplier network
Other
Other protection within supplier network
All instances of application objects are tenant-based, so when a new object is created, it is irrevocably linked to the user’s tenant. Workday maintains these links automatically, restricting access to objects based on user ID. When a user requests data, the system automatically applies a tenancy filter to ensure it retrieves the correct data. All customer data traffic between the database and the OMS is encrypted at the application layer across the network. The OMS runs using in-memory database technology, with each tenant segregated in Java virtual memory. Workday has logical isolation between tenants in the OMS and database.

Availability and resilience

Guaranteed availability
Workday’s Service Availability commitment for a given calendar month is 99.5%. The measurement point for Service Availability is the availability of the Workday production tenants at the Workday production data center’s Internet connection points.
Approach to resilience
If Workday’s production data center becomes unavailable for any reason, Workday maintains a geographically distant Disaster Recovery (DR) data center with the same design, equipment, and capacity levels as production. All changes made to the production environment are also made in the DR environment to ensure consistency.
Outage reporting
For wide-spread outages, customers receive notification of outages via a Workday Community alert. If a small number of customer tenants are impacted by an outage, Workday Support will open a proactive support case to work with the impacted customers directly. Historical as well as future scheduled maintenance windows are also communicated via Workday's Community website.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Customer end users must have valid credentials to access the Workday Service. Each customer's Security Administrator(s) may configure their authentication settings and can also set up an authentication policy, which gives the customer more control over how users can sign in to Workday under different conditions. Authentication policies can be set up to apply different authentication requirements for different user populations, and to enable access restrictions where applicable. Workday also offers a couple of mobile authentication options using a Mobile PIN or Fingerprint Authentication for our Mobile apps.
Access restrictions in management interfaces and support channels
Workday's access to Customer Data is restricted to authorized personnel in order to assist with troubleshooting issues. Workday's authorized personnel access a customer tenant using two-factor authentication to proxy into one of three privileged system IDs through the secure Virtual Clean Room, which prevents downloading of data or reports.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
EY CertifyPoint
ISO/IEC 27001 accreditation date
25/10/2018
What the ISO/IEC 27001 doesn’t cover
The boundaries of the scope of Workday's ISO/IEC 27001 certification exclude the physical and environmental processes and controls owned and operated by the third party data center providers hosting the in-scope services and environments.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Coalfire Systems, Inc.
PCI DSS accreditation date
06/06/2018
What the PCI DSS doesn’t cover
Workday supports PCI-DSS compliance only for the scope of Workday's Secure Credit Card Environment, which is the isolated environment that stores, processes and transmits unmasked cardholder data through defined integrations. If the customer does not want to utilize (or can’t utilize) the defined unmasked integrations, then the customer must use a third party to tokenize credit card holder data prior to integrating with the Workday Service. Customer tenants residing in any of Workday's US or EMEA data centers can be configured to interact with Workday's Secure Credit Card Environment; however, the customer's unmasked cardholder data never leaves Workday's Secure Credit Card Environment in the United States.
Other security certifications
Yes
Any other security certifications
  • ISO 27018:2014
  • ISO 27017:2015
  • SOC1 (SSAE-18/ISAE3402)
  • SOC2
  • SOC3
  • NIST CSF

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
- Information Security Policy
- Information Classification Policy and Guidelines
- Password Policy
- Acceptable Encryption Policy
- Acceptable Use Policy
- Security and Privacy Training Policy
- Security Incident Policy and Incident Response Plan
- Background Check Policy
- Logical Access to Workday Systems Policy
- Physical Security Policy

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Workday has implemented formal, documented change management processes to govern application, environment and infrastructure changes. Where applicable, all changes require documentation, tracking ticket, approvals, and testing prior to deployment into production.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Workday takes a multipronged approach to vulnerability management, which includes:
- Weekly and quarterly third party external vulnerability assessments (network/system/application);
- Semi-annual authenticated internal vulnerability network/system assessments; and
- Annual third party network penetration tests.
Regarding the release management process, Workday relies upon:
- processes/tools to verify application security prior to release;
- third party security vulnerability assessments (application level) prior to major release; and
- monitoring of security and vulnerability alerts from security vendors/industry organizations.
Assessment results and alerts are evaluated and follow-up actions are assigned to the appropriate team for remediation based on defined Workday procedures.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Workday uses third party software tools to support and monitor the network and production systems on a 24 x 7 basis. Network Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) monitor the network for atypical network patterns. System generated alerts are sent to the Security Operations Center if suspicious network activity is detected, for further investigation, analysis, and resolution. Workday employs endpoint tools to provide advanced threat protection, anti-virus protection and to monitor for anomalous behavior.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Workday has a Security Incident policy, Incident Response plan, and Breach Disclosure plan to ensure preparedness to respond properly if an incident occurs. CIRT analyzes incidents based on the vulnerability’s risk and impact. Notification is performed in accordance with applicable laws and contracts. Workday retains incident related information.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£50.96 to £545.42 per person
Discount for educational organisations
Yes
Free trial available
No
