Laserfiche WebLink
00453086.0 -Confidential <br />UNIVERSAL SECURITY EXHIBIT <br />©2019 Workday 19.5 Page 1 of 2 <br />This Workday Universal Security Exhibit applies to the Covered Service and Covered Data. Capitalized terms used herein <br />have the meanings given in the Agreement, including attached exhibits, that refers to this Workday Universal Security <br />Exhibit. <br />Workday maintains a comprehensive, written information security program that contains administrative, technical, and <br />physical safeguards that, taking into account the state of the art, the costs of implementation and the nature, scope, context <br />and purposes of processing of Covered Data as well as the associated risks, are appropriate to (a) the type of information that <br />security program is designed to: <br />which Workday has access; <br />Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Covered Data; <br />Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Covered Data; <br />Protect against accidental loss or destruction of, or damage to, Covered Data; and <br />Safeguard information as set forth in any local, state or federal regulations by which Workday may be regulated. <br />1. Security Awareness and Training. Mandatory employee security awareness and training programs, which include: <br />a) Training on how to implement and comply with its information security program; and <br />b) Promoting a culture of security awareness. <br />2. Access Controls. Policies, procedures, and logical controls: <br />a) To limit access to its information systems and the facility or facilities in which they are housed to properly <br />authorized persons; <br />b) To prevent those workforce members and others who should not have access from obtaining access; and <br />c) To remove access in a timely basis in the event of a change in job responsibilities or job status. <br />3. Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the <br />data centers housing Covered Data is limited to properly authorized individuals and that environmental controls are <br />established to detect, prevent and control destruction due to environmental extremes. <br />4. Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of <br />any security breach of any application or system directly associated with the accessing, processing, storage or <br />transmission of Covered Data. <br />5. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, <br />vandalism, system failure, pandemic flu, and natural disaster) that could damage Covered Data or production systems <br />that contain Covered Data. <br />6. Audit Controls. Technical or procedural mechanisms put in place to promote efficient and effective operations, as well <br />as compliance with policies. <br />7. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Covered Data and to <br />protect it from disclosure, improper alteration, or destruction. <br />8. Storage and Transmission Security. Security measures to guard against unauthorized access to Covered Data that is <br />being transmitted over a public electronic communications network or stored electronically. <br />Docusign Envelope ID: B7B2CF4A-C414-47B2-BF08-2BCDA4573B8E