This document provides information to assist Workday customers in conducting a transfer impact assessment in relation to the software-as-a-service applications of Workday’s Adaptive Planning (Adaptive Insights).
What is Adaptive Insights’ role and how does Adaptive Insights process personal data?
Adaptive Insights acts as a processor for the personal data our customers submit electronically into our software-as-a-service applications (“Personal Data”). As such, Adaptive Insights processes Personal Data on behalf of and according to our customers’ instructions. Our customers are the data controllers.
Adaptive Insights’ basic processing activities are storing Personal Data in secure data centers, operating and maintaining the applications and implementing customers' instructions when they are using the applications.
What types of Personal Data does Adaptive Insights process?
Adaptive Insights’ customers determine if and to what extent Personal Data is entered and processed within the Adaptive Insights software-as-a-service applications.
Is Personal Data transferred outside of the European Economic Area?
In order to provide its software-as-a-service applications, Adaptive Insights may use subprocessors located outside the European Economic Area (e.g. to provide 24/7/365 customer support and to monitor and maintain the software-as-a-service applications and their underlying infrastructure). Any subprocessor undergoes a thorough information security and data protection due diligence review and agrees to abide by data protection terms no less protective than our customer-facing Data Processing Exhibit. Adaptive Insights publishes a subprocessor list that identifies the location of each subprocessor. The subprocessor lists can be accessed here.
Which data transfer mechanisms does Adaptive Insights make available to its customers?
Adaptive Insights makes available the following data transfer mechanisms to legalize transfers of Personal Data outside of the European Economic Area, the United Kingdom and Switzerland:
Binding Corporate Rules
Workday has obtained approval from EU data protection supervisory authorities for global Processor Binding Corporate Rules (or “BCRs”) which cover Personal Data Adaptive Insights processes on behalf of its customers as a processor. BCRs are a detailed code of conduct that governs the processing of personal data within a multinational company.
Standard Contractual Clauses
Customers may also choose to leverage the European Commission’s controller-to-processor Standard Contractual Clauses (Commission Decision 2010/87/EU) to transfer Personal Data outside of the European Economic Area. The Standard Contractual Clauses are model contracts developed by the European Commission to legalize transfers of personal data from the European Economic Area to processors located in other countries.
What technical and organizational measures does Adaptive Insights have in place to protect Personal Data?
Adaptive Insights has implemented robust technical and organizational measures designed to protect our customers’ Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Adaptive Insights is certified against ISO 27001. See Adaptive Insights’ Business Planning SOC 2 report for more information on our technical and organizational measures.
Furthermore, Workday has been independently verified as compliant with the European Data Protection Code of Conduct for Cloud Service Providers (EU Cloud CoC).
What is section 702 of the Foreign Intelligence Surveillance Act (FISA)?
The U.S. government uses section 702 to obtain foreign intelligence information about foreign adversaries, including the plans and identities of terrorists and terrorist organizations, the intentions and capabilities of weapons proliferators and spies, and cybersecurity efforts by foreign actors against the United States. Data submitted into Adaptive Insights’ enterprise software-as-a-service applications is unlikely to constitute "foreign intelligence" information under section 702 because it is not the type of information the U.S. government appears to be primarily seeking under section 702.
Is Adaptive Insights subject to section 702 FISA?
Like any U.S.-based cloud service provider, Workday, Inc., Adaptive Insights’ ultimate parent company, will likely qualify as a "remote computing service" for certain services it provides to customers, and therefore be considered an "electronic communications service provider" under section 702 FISA. But this status does not mean that Adaptive Insights has or is likely to receive a request under FISA.
In practice, the U.S. government most commonly targets personal electronic communications (e.g. personal email, chat, text and social networking data) hosted by consumer-facing email providers and social media platforms. Given the types of Personal Data Adaptive Insights processes, Adaptive Insights’ role as an enterprise cloud service provider, and Adaptive Insights’ history of no prior government requests, we believe the number of any such requests in the future is likely to be very small.
How would Adaptive Insights respond to a government request?
Adaptive Insights has a robust policy in place setting out how Adaptive Insights would respond to a request from a law enforcement or government authority. Each request (if and when received) would be carefully reviewed by Adaptive Insights’ Legal Department to determine if it is lawful, valid and enforceable. If we believe a request is overly broad, we would seek to narrow it. Further, as the compelled disclosure section in Adaptive Insights’ Master Subscription Agreement commits, we would promptly notify our customer of the request, unless prohibited by law.
In addition, where Workday’s Processor Binding Corporate Rules apply, Adaptive Insights will, unless prohibited, inform its competent data protection supervisory authority if communication with the customer is prohibited. If notification to the data protection supervisory authority is prohibited, Adaptive Insights will use its best efforts to challenge this prohibition.
How does Executive Order 12333 affect Adaptive Insights?
Executive Order 12333 authorizes intelligence agencies to conduct surveillance outside the United States by collecting foreign intelligence information from communications transmitted by radio, wire and other electromagnetic means. However, it does not authorize the U.S. government to compel U.S. data importers like Adaptive Insights to assist the government or to provide it with customer information. Adaptive Insights does not voluntarily provide information or assistance to the U.S. government for surveillance under Executive Order 12333.
To protect data against interception in transit, Adaptive Insights encrypts all Personal Data in transit over public networks between the customer and Adaptive Insights and between Adaptive Insights data centers using Transport Layer Security (TLS).