PRIVACY AT WORKDAY

Committed to protecting your privacy.

At Workday, we protect your personal data and help you meet your data privacy requirements. We’re transparent about our privacy practices and provide helpful privacy resources.

Our privacy principles.

We’re committed to three privacy principles that reflect our core values—and they drive how we train our employees, how we design and build products, and ultimately, how we process personal data. Learn more about the Workday Privacy Program.

We prioritize privacy.

Privacy protections have been a fundamental component of our services from the beginning. We train our people on privacy best practices, and embed privacy into our processes and technology. And our configurable privacy tools help customers meet complex privacy needs.

We embrace the concept of privacy by design. We understand that privacy requirements may differ based on industry, geography, and approach. To help you meet your obligations, Workday products include configurable privacy tools.

Workday is a foundational supporter of the International Association of Privacy Professionals (IAPP) AI Governance Center. The IAPP AI Governance Center aims to ensure AI systems are developed, integrated, and deployed in line with emerging AI laws and policies—in ways customers can trust.

A comprehensive compliance program underpins our privacy practices. We demonstrate how we protect your data through our robust third-party audits and certifications, and are often among the first to receive them.

“At Sun Life, the strength of our ongoing partnership with Workday really comes down to trust.”

—Senior Vice President, Global Talent

Global data privacy.

Workday recognizes privacy as a fundamental human right and supports the free flow of data. As the focus on privacy grows around the world and data protection issues become more complex, you need a partner to support your organization.

At Workday, you can rest assured that we’re committed to staying on top of global privacy standards. With our core principles as our guide, we develop our products, business practices, and customer agreements in accordance with global data privacy requirements.

We also monitor changing regulations and guidance that supervisory authorities issue. And we contractually commit to comply with all laws applicable to Workday as a data processor, including data privacy laws.

Cross-border data transfer arrangements.

Instead of chasing down your vendors to address the latest privacy laws, we make it easy to use Workday for your global workforce. We identify opportunities to help our customers with cross-border data transfers. Whether it’s being certified under the EU-U.S. Data Privacy Framework, described further below in the EMEA Region, receiving approval for our Processor Binding Corporate Rules (BCRs), or being the first company to receive approval for the APEC Privacy Rules for Processors, we find innovative ways to help you with your transfers. Our Master Subscription Agreement (MSA) includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States.

We partner with our global customers as you conduct any necessary Transfer Impact Assessments (TIA), prior to transferring personal data to third-party countries. We proactively share information, such as FAQs and whitepapers, to help you navigate these assessments.

Data privacy regulations and laws vary across regions and countries. We closely monitor evolving data protection requirements in countries where we do business. Based on our analysis, we revisit and revise our administrative, technical, and operational practices.

Data privacy requirements also vary by company, as they depend on a company’s industry, the types of personal data collected, policy commitments, and any relevant internal compliance processes. We’re ready to help you understand how our program supports your compliance needs.

The EU-U.S. Data Privacy Framework (DPF) establishes a valid mechanism for data transfers from the EU to the U.S. in compliance with the transfer provisions of the GDPR. The DPF certification can be verified by inspecting the official , which is the single source of truth. We have also adhered to the UK extension.

Workday was the first cloud service provider to declare adherence to the EU Cloud Code of Conduct (CCoC), which consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR. Annual reviews take place by the independent monitoring body.

Read the European Union and United Kingdom Privacy Overview datasheet.

Additional resources for customers are available on Workday Community:

Workday strongly supports federal privacy laws in the United States, and we stay up to date on emerging state laws. Currently, privacy requirements within the U.S. are subject to state and sector-specific legal regimes.

Workday certifies to the Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework principles. Data Privacy Framework.

We also provide information to help support your compliance with the Health Information Portability Accountability Act (HIPAA).

We closely follow laws across the region, such as Canada’s PIPEDA, Mexico’s Federal Data Privacy Law, or Argentina’s Personal Data Protection Act, and provide resources to our customers to help them meet their privacy needs across the Americas.

Read the Canada and United States Privacy Overview datasheet.

Additional resources on state privacy laws are available on Workday Community:

Workday is confident we can support our customers in APJ with their data protection requirements. We closely monitor evolving data protection requirements in countries where our customers do business, including China, and provide information for changing compliance needs. We were one of the first companies to be certified to the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) in March 2014, and the first to be certified for Privacy Rules for Processors (APEC PRP) in September 2018. The APEC certifications are a voluntary set of privacy standards to facilitate data transfers among APEC economies. , which is the APEC Accountability Agent for the United States.

Read the Asia-Pacific and Japan Privacy Overview datasheet.

Additional resources for customers are available on Workday Community:

Our commitment to our customers.

We strive to be transparent with our customers about how your data will be safeguarded and processed by Workday. Workday deeply invests in certifying to leading industry standards and frameworks so our customers can easily verify our privacy practices. Learn more about our complete compliance program.

Contractual commitments.

Know how your data is protected. Workday describes our security and privacy obligations in the Workday Universal Main Subscription Agreement (UMSA) and Universal Security and Privacy Exhibits. We provide a warranty for compliance with all applicable laws, including data privacy, international communications, and the transmission of personal data. Our UMSA includes our Universal Data Processing Exhibit (UDPE), providing a single set of privacy terms for all Workday software-as-a-service as well as any professional services we deliver. The UDPE harmonizes the data processing terms across our various offerings and provides our customers a robust and future-proofed set of terms. Check out Workday Terms and Conditions and the UMSA FAQ to learn more.

We hold our subprocessors to rigorous standards to protect privacy and personal data. Workday has processes in place designed to verify that subprocessors have implemented appropriate technical and organizational measures to safeguard privacy. See the list of Workday-authorized subprocessors for Workday SaaS applications and for professional services.

We respect our customers’ instructions related to the personal data they enter into our services. Workday will not disclose customers’ data in response to a government request unless required by law. We believe that any government request for data should be directed to the customer who owns and controls that data. When contacted by a government entity, Workday will redirect the agency to make the request directly to the relevant customer. Workday will notify the relevant customer of the request unless legally prohibited from doing so.

We will challenge any government request that is not valid and lawful, or does not comply with all applicable legal and statutory safeguards. Further information about Workday policies and procedures for government requests is available in our Transparency Report and on .
