At Workday, we believe enterprise applications should be easy to use, intelligent, and engaging—all while maintaining the highest standards of security.
And as new technologies emerge, such as machine learning and conversational UI, our customers can take advantage of new innovations without disruption.
With Workday, innovation is built in.


  • Human Capital Management
  • Financial Management
  • UK Payroll or Cloud Connect for Third-Party Payroll
  • Time & Absence
  • Expenses
  • Recruiting
  • Procurement and/or Inventory
  • Professional Services Automation
  • Financial and Workplace Planning
  • Prism Analytics


  • A single system for finance and HR, gives total visibility
  • An intuitive mobile and desktop experience increases productivity and adoption
  • Adapt quickly to policy changes and organisational restructuring
  • Rigorous safeguards maintain the highest security and maximum uptime
  • Every customer is on the latest version of our software
  • Better decision-making with real-time analytics
  • Save time/reduce errors with a single intelligent planning solution
  • Improve efficiency and transparency with automation and real-time audits
  • Minimise overheads and shift resources to more strategic roles
  • Rapid deployment and faster time to value


£50.96 to £545.42 per person

  • Education pricing available

Service documents


G-Cloud 11

Service ID

9 4 6 0 8 7 5 5 3 6 2 3 2 6 3



Emily Griffiths

+44 20 7150 6253

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Workday is a core standalone service in its own right where the different pricing options allow for different services to be subscribed to; e.g. Initially subscribing to Financials and at a later date adding HCM and Payroll.
Cloud deployment model Public cloud
Service constraints - Customer tenants will be unavailable during planned maintenance and unplanned outages. Planned maintenance is scheduled by tenant type and the current schedule is available to customers through Workday's Community website.
- Access to Customer Data is limited to USA, EEA countries and countries formally recognized by the European Commission as providing an adequate level of data protection.
- Additional constraints may be contained in the Workday's Supplier Terms.
System requirements Internet connection and HTML 5 compatible browser

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support response time varies based on the associated severity level assigned to the support case.
Severity 1: Response Time = 30 mins
Severity 2: Response Time = 1 hour
Severity 3: Response Time = 4 hours
Severity 4/5: Response Time = 24 hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels Workday support is not tiered and operates 24 x 7 x 365. Workday's support personnel are based in one of three geographies (USA, Ireland, New Zealand). Customers submit a case via Workday's online tool. Customers assign a severity for each case and may self escalate at any time.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Workday has a formal New Customer On-boarding process, which consists of the following on-boarding activities:
- Delivery of the Welcome to Workday email to the Customer's Project Manager
- Creation of the customer scorecard
- Enabling the Customer's Project Manager and Training Coordinator in the Workday Customer Center
- Creation of the customer’s Private Community Group
- Granting the Customer's Project Manager with access to the Workday Community
- Coordinating with Workday Education to enable customer access to Workday's Learning Management system
- Delivery of the demo tenant
- Delivery of the Welcome to Workday call with the customer team

The Welcome to Workday email requests that the new customer identify a Training Coordinator. Once the customer has provided this information, Workday's Services Operations will update the customer account and the Workday Education team will be notified. Workday Education will enable the Training Coordinator in the Learning Center within 24 hours of receiving notification. The Training Coordinator has access to log a Training Support case in the Customer Center to request information or discuss any matters related to training. This includes, but is not limited to, registration, training offerings, training credits, class schedules, administrative changes and login issues.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats Video (product presentations, trainings)
End-of-contract data extraction The customer can choose to extract their data on their own via specific reports provided by Workday or the customer can engage Workday Professional Services or a Workday partner to assist in the data extraction process.
End-of-contract process Workday Support follows a customer off-boarding process to initiate the deletion of a customer’s tenant. The customer may retrieve their Customer Data from within the service. After obtaining appropriate approvals, Workday permanently deletes the customer tenant. Off-boarding activities are documented and tracked in an online tracking system or support case.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Workday Mobile Apps for iPhone, iPad and Android include some exclusive features to those platforms. As well, Workday Mobile Apps focus on key/common user experiences and transactions and may not contain the full suite of functionality available on the web platform.
Our Workday Web UI is a single web platform that is available on approved browsers for both desktop and mobile devices. There may be minor differences in capabilities based on the platform/browser you are using but, largely, the functional capabilities are identical.
Service interface Yes
Description of service interface Every type of user should get the most out of their enterprise applications. With Workday, even novice users are able to navigate the intuitive Workday experience with minimal training, while power users and administrators will find all the tools they need at their fingertips.
Accessibility standards None or don’t know
Description of accessibility Workday assesses accessibility in the Workday Service against the WCAG 2.0 AA standards. The summary of this is the "Accessibility In Workday" document, which describes in detail the areas of the Workday Service that comply with WCAG 2.0 AA, as well as functionality that partially conforms or does not yet fully conform to those standards.
Accessibility testing Workday subject matter experts and 3rd party evaluators perform assessments with assistive technologies including screen magnification, keyboard navigation or screen readers. Workday actively works to address usability defects and provides customers with updates on product and technology enhancements.
What users can and can't do using the API Users and systems can take full advantage of Workday's API functionality, which is described in detail on Workday's Community website.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources In order to manage tenant performance and availability, Workday performs system capacity planning / analysis as well as monitors / supports the Workday network and systems on a 24 x 7 basis. Workday commits to a Service Response and Availability SLA.


Service usage metrics Yes
Metrics types Workday generates monthly reports that summarize the activity in customer's Production tenant. These reports include metrics on the customer's usage of their Workday Production tenant, tenant availability (uptime), and response time (performance).
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach Workday encrypts every attribute of customer data within the application before it is stored in the database. This is a fundamental design characteristic of the Workday technology. Workday relies on the Advanced Encryption Standard (AES) algorithm with a key size of 256-bits.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach The customer can directly export data from the Workday Service through a variety of reports that are made available.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XLS
  • XML
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • XML
  • Workday XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Workday provides Enterprise Interface Builder functionality that allows customers to build secure integrations to transmit data (inbound/outbound), with Workday. Insecure transport protocols, including FTP and e-mail, require PGP file encryption by default unless configured by the customer’s designated security personnel, which is systematically enforced.
Data protection within supplier network Other
Other protection within supplier network All instances of application objects are tenant-based, so when a new object is created, it is irrevocably linked to the user’s tenant. Workday maintains these links automatically, restricting access to objects based on user ID. When a user requests data, the system automatically applies a tenancy filter to ensure it retrieves the correct data. All customer data traffic between the database and the OMS is encrypted at the application layer across the network. The OMS runs using in-memory database technology, with each tenant segregated in Java virtual memory. Workday has logical isolation between tenants in the OMS and database.

Availability and resilience

Availability and resilience
Guaranteed availability Workday’s Service Availability commitment for a given calendar month is 99.5%. The measurement point for Service Availability is the availability of the Workday production tenants at the Workday production data center’s Internet connection points.
Approach to resilience If Workday’s production data center becomes unavailable for any reason, Workday maintains a geographically distant Disaster Recovery (DR) data center with the same design, equipment, and capacity levels as production. All changes made to the production environment are also made in the DR environment to ensure consistency.
Outage reporting For wide-spread outages, customers receive notification of outages via a Workday Community alert. If a small number of customer tenants are impacted by an outage, Workday Support will open a proactive support case to work with the impacted customers directly. Historical as well as future scheduled maintenance windows are also communicated via Workday's Community website.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication Customer end users must have valid credentials to access the Workday Service. Each customer's Security Administrator(s) may configure their authentication settings and can also set up an authentication policy, which gives the customer more control over how users can sign in to Workday under different conditions. Authentication policies can be to set up to apply different authentication requirements for different user populations, and to enable access restrictions where applicable. Workday also offers a couple of mobile authentication options using a Mobile PIN or Fingerprint Authentication for our Mobile apps.
Access restrictions in management interfaces and support channels Workday's access to Customer Data is restricted to authorized personnel in order to assist with troubleshooting issues. Workday's authorized personnel access a customer tenant using two factor authentications to proxy into one of three privileged system IDs through the secure Virtual Clean Room, which prevents downloading of data or reports.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 EY CertifyPoint
ISO/IEC 27001 accreditation date 25/10/2018
What the ISO/IEC 27001 doesn’t cover The boundaries of the scope of Workday's ISO/IEC 27001 certification exclude the physical and environmental processes and controls owned and operated by the third party data center providers hosting the in-scope services and environments.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Coalfire Systems, Inc.
PCI DSS accreditation date 06/06/2018
What the PCI DSS doesn’t cover Workday supports PCI-DSS compliance only for the scope of Workday's Secure Credit Card Environment, which is the isolated environment that stores, processes and transmits unmasked cardholder data through defined integrations. If the customer does not want to utilized (or can’t utilize) the defined unmasked integrations, then the customer must use a third party to tokenize credit card holder data prior to integrating with the Workday Service. Customer tenants residing in any of Workday's US or EMEA data centers can be configured to interact with Workday's Secure Credit Card Environment, however, the customer's unmasked cardholder data never leaves Workday's Secure Credit Card Environment in the United States.
Other security certifications Yes
Any other security certifications
  • ISO 27018:2014
  • ISO 27017:2015
  • SOC1 (SSAE-18/ISAE3402)
  • SOC2
  • SOC3

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes - Information Security Policy
- Information Classification Policy and Guidelines
- Password Policy
- Acceptable Encryption Policy
- Acceptable Use Policy
- Security and Privacy Training Policy
- Security Incident Policy and Incident Response Plan
- Background Check Policy
- Logical Access to Workday Systems Policy
- Physical Security Policy

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Workday has implemented formal, documented change management processes to govern application, environment and infrastructure changes. Where applicable, all changes require documentation, tracking ticket, approvals, and testing prior to deployment into production.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Workday takes a multipronged approach to vulnerability management, which includes:
- Weekly and quarterly third party external vulnerability assessments (network/system/application);
- Semi-annual authenticated internal vulnerability network/system assessments; and
- Annual third party network penetration tests.
Regarding the release management process, Workday relies upon:
- processes/tools to verify application security prior to release;
- third party security vulnerability assessments (application level) prior to major release; and
- Monitoring of security and vulnerability alerts from security vendors/industry organizations.
Assessment results and alerts are evaluated and follow-up actions are assigned to the appropriate team for remediation based on defined Workday procedures.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Workday uses third party software tools to support and monitor the network and production systems on a 24 x 7 basis. Network Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) monitor the network for atypical network patterns. System generated alerts are sent to the Security Operations Center if suspicious network activity is detected, for further investigation, analysis, and resolution. Workday employs endpoint tools to provide advanced threat protection, anti-virus protection and to monitor for anomalous behavior.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Workday has a Security Incident policy, Incident Response plan, and Breach Disclosure plan to ensure preparedness to respond properly if an incident occurs. CIRT analyzes incidents based on the vulnerability’s risk and impact. Notification is performed in accordance with applicable laws and contracts. Workday retains incident related information.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £50.96 to £545.42 per person
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑