Workday Inc.: 10-K Risk Factor Changes

The markets for enterprise cloud applications, including AI-powered solutions, are highly competitive, with relatively low barriers to entry for some applications or services. Some of our competitors are larger and have greater name recognition, significantly longer operating histories, access to larger customer bases, larger marketing budgets, and significantly greater resources to devote to the research, development, promotion, and sale of their products and services than we do. This may allow our competitors to respond more effectively than us to new or emerging technologies and changes in market conditions. Our primary competitors are Oracle and SAP, well-established providers of financial management and HCM applications, which have long-standing relationships with customers and partners. Some customers may be hesitant to switch vendors or to adopt cloud applications such as ours and may prefer to maintain their existing relationships with competitors. We also face competition from other enterprise software vendors, from regional competitors that only operate in certain geographic markets, and from vendors of specific applications that address only one or a portion of our applications, some of which offer cloud-based or AI-powered solutions. These vendors include, without limitation: Anaplan, Inc., ADP, Coupa Software Inc., Dayforce, Inc., Microsoft, ServiceNow, Inc., and UKG Inc. We may also face greater competition from non-specialist solutions relying on generic large language models (“LLMs”), generative AI, and general-purpose agents to address a broad range of business needs. In order to take advantage of customer demand for cloud and AI-powered applications, legacy vendors are expanding their cloud or AI-powered applications through acquisitions, strategic alliances, and organic development. In addition, other cloud or AI platform companies that provide services in different target markets or industries may develop applications or acquire companies that operate in our target markets or industries, and some potential customers may elect to develop their own internal applications. As the market evolves and as existing and new market participants introduce new types of technologies, such as generative and agentic AI, and different approaches that enable organizations to address their HCM and financial needs, our ability to maintain market differentiation may affect our competitive position. Furthermore, our current or potential competitors may be acquired by, or merge with, third parties with greater available resources and the ability to initiate or withstand substantial price competition. Our competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their offerings, integrations, or resources. Many of our competitors also have major distribution agreements with consultants, system integrators, and resellers and such partners may prefer to maintain their existing relationships with competitors. With the introduction of new technologies, such as generative AI, we expect competition to intensify in the future. As we attempt to sell our products and solutions to potential and current customers, we must demonstrate that our products and solutions are superior to other solutions available to their organizations, including generic LLMs, software created using natural language prompts and generative AI (referred to as vibe coding) and other emerging technologies. If our competitors’ products, services, or technologies, including generative and agentic AI capabilities, become more accepted than our products, if their customer support efforts are preferred by customers, if they are successful in bringing their products or services to market earlier than ours, if they scale at a faster rate, or if their products or services are more technologically capable or resonate more with the market than ours, including having more or easier to use integrations for software solutions used and preferred by our customers, then our revenues could be adversely affected. In addition, our competitors may offer their products and services at a lower price, or may offer price concessions, delayed payment terms, financing terms, or other terms and conditions that are more enticing to potential customers. Due to the complex nature of implementing financial management solutions, the lifecycle of the contracts for such solutions tends to be long. Therefore, if we lose a current customer to a competitor or fail to secure a prospective customer for financial management solutions, there is a long duration before we will be able to approach that customer again with our sales efforts for such solutions. Pricing pressures and increased competition could result in reduced sales, reduced margins, losses, or a failure to maintain or improve our competitive market position, any of which could adversely affect our business and operating results. 11 11 11 Table of Contents Table of Contents

The markets for enterprise cloud applications, including AI-powered solutions, are highly competitive, with relatively low barriers to entry for some applications or services. Some of our competitors are larger and have greater name recognition, significantly longer operating histories, access to larger customer bases, larger marketing budgets, and significantly greater resources to devote to the development, promotion, and sale of their products and services than we do. This may allow our competitors to respond more effectively than us to new or emerging technologies and changes in market conditions. Our primary competitors are Oracle and SAP, well-established providers of financial management and HCM applications, which have long-standing relationships with customers and partners. Some customers may be hesitant to switch vendors or to adopt cloud applications such as ours and may prefer to maintain their existing relationships with competitors. We also face competition from other enterprise software vendors, from regional competitors that only operate in certain geographic markets, and from vendors of specific applications that address only one or a portion of our applications, some of which offer cloud-based or AI-powered solutions. These vendors include, without limitation: Anaplan, Inc., ADP, Coupa Software Inc., Dayforce, Inc., Infor, Inc., Microsoft Corporation, and UKG Inc. In order to take advantage of customer demand for cloud and AI-powered applications, legacy vendors are expanding their cloud or AI-powered applications through acquisitions, strategic alliances, and organic development. In addition, other cloud or AI platform companies that provide services in different target markets or industries may develop applications or acquire companies that operate in our target markets or industries, and some potential customers may elect to develop their own internal applications. As the market matures and as existing and new market participants introduce new types of technologies, such as generative and agentic AI, and different approaches that enable organizations to address their HCM and financial needs, we expect this competition to intensify in the future. Furthermore, our current or potential competitors may be acquired by, or merge with, third parties with greater available resources and the ability to initiate or withstand substantial price competition. Our competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their offerings or resources. Many of our competitors also have major distribution agreements with consultants, system integrators, and resellers and such partners may prefer to maintain their existing relationships with competitors. With the introduction of new technologies, such as generative AI, we expect competition to intensify in the future. If our competitors’ products, services, or technologies become more accepted than our products, if they are successful in bringing their products or services to market earlier than ours, or if their products or services are more technologically capable than ours, then our revenues could be adversely affected. In addition, our competitors may offer their products and services at a lower price, or may offer price concessions, delayed payment terms, financing terms, or other terms and conditions that are more enticing to potential customers. Due to the complex nature of implementing financial management solutions, the lifecycle of the contracts for such solutions tends to be long. Therefore, if we lose a current customer to a competitor or fail to secure a prospective customer for financials management solutions, there is a long duration before we will be able to approach that customer again with our sales efforts for such solutions. Pricing pressures and increased competition could result in reduced sales, reduced margins, losses, or a failure to maintain or improve our competitive market position, any of which could adversely affect our business and operating results.

We have share repurchase programs under which we are authorized to repurchase shares of our Class A common stock. Such repurchases may be made through open market transactions, including through the use of trading plans intended to qualify under Rule 10b5-1, through privately negotiated transactions, or by other means, in each case in accordance with applicable securities laws and other restrictions. The share repurchase programs do not have an expiration date, may be suspended or discontinued at any time, and do not obligate us to acquire any amount of our Class A common stock. Any failure to repurchase stock after we have announced our intention to do so may negatively impact our reputation and investor confidence in us and may negatively impact our stock price. Since first authorizing a share repurchase program, there have been periods of time during which we have been unable to repurchase shares, for example, due to the possession of material nonpublic information. The existence of our share repurchase programs could cause our stock price to trade higher than it otherwise would and could potentially reduce the market liquidity for our stock. Our share repurchase programs may not enhance long-term stockholder value because the market price of our common stock may decline below the levels at which we repurchased shares and short-term stock price fluctuations could reduce the effectiveness of this program. Repurchasing our common stock will reduce the amount of cash we have available to fund working capital, repayment of debt, capital expenditures, strategic acquisitions or business opportunities, and other general corporate purposes, and we may fail to realize the anticipated long-term stockholder value of our share repurchase programs. Furthermore, the timing and amount of any repurchases, if any, will be subject to liquidity, market and economic conditions, compliance with applicable legal requirements such as Delaware surplus and solvency tests, and other relevant factors.

In February 2024, our Board of Directors authorized a program under which we were authorized to repurchase up to $500 million of our outstanding shares of Class A common stock. In the third quarter of fiscal 2025, we had completed the repurchase authorization under this program. In August 2024, our Board of Directors authorized the repurchase of up to $1.0 billion of our outstanding shares of Class A common stock (“August 2024 Share Repurchase Program”). Such repurchases may be made through open market transactions, including through the use of trading plans intended to qualify under Rule 10b5-1, through privately negotiated transactions, or by other means, in each case in accordance with applicable securities laws and other restrictions. The August 2024 Share Repurchase Program has no expiration date, may be suspended or discontinued at any time, and does not obligate us to acquire any amount of Class A common stock. Any failure to repurchase stock after we have announced our intention to do so may negatively impact our reputation and investor confidence in us and may negatively impact our stock price. Since first authorizing a share repurchase program, there have been periods of time during which we have been unable to repurchase shares, for example, due to the possession of material nonpublic information. The existence of our share repurchase programs could cause our stock price to trade higher than it otherwise would and could potentially reduce the market liquidity for our stock. Our share repurchase programs may not enhance long-term stockholder value because the market price of our common stock may decline below the levels at which we repurchased shares and short-term stock price fluctuations could reduce the effectiveness of this program. Repurchasing our common stock will reduce the amount of cash we have available to fund working capital, repayment of debt, capital expenditures, strategic acquisitions or business opportunities, and other general corporate purposes, and we may fail to realize the anticipated long-term stockholder value of our share repurchase programs. Furthermore, the timing and amount of any repurchases, if any, will be subject to liquidity, market and economic conditions, compliance with applicable legal requirements such as Delaware surplus and solvency tests, and other relevant factors. 27 27 27 Table of Contents Table of Contents

We believe that developing and maintaining widespread positive awareness of our brand is critical to our growth and that the importance of maintaining positive brand awareness will increase as competition in our markets increases. Successfully promoting and maintaining our brand will depend on our ability to provide reliable solutions that meet the needs of our customers, our ability to successfully differentiate our products and solutions from those of our competitors, and the effectiveness of our marketing efforts. However, brand promotion activities may not generate the awareness or increased revenues we anticipate, and even if they do, any increase in revenues may not offset the significant expenses we incur in promoting our brand. If we fail to successfully promote and maintain positive awareness of our brand, or we fail to expand positive awareness of our newer solutions or products, we may fail to attract or retain customers necessary to realize a sufficient return on our brand-building investments. We have and may continue to experience reputational harm from, among other things, the introduction of new products, features, or services that do not meet customer expectations; our use of new and evolving technologies, including AI; service outages or disruptions; issues with product quality or performance; backlash from customers, government entities, or other stakeholders that disagree with our product offering decisions or public policy, ethical, or political positions; significant litigation or regulatory or government actions that negatively reflect on our business practices; and data security breaches or compliance failures. Additionally, the performance of our partners may affect our brand and reputation if customers do not have a positive experience with our partners’ solutions or services. Any unfavorable publicity or perception of our brand or our applications, including any unfavorable candidate or end user experience, could negatively impact our ability to attract and retain customers and also make it more difficult to hire and retain employees. 17 17 17 Table of Contents Table of Contents

We believe that developing and maintaining widespread positive awareness of our brand is critical to our growth. However, brand promotion activities may not generate the awareness or increased revenues we anticipate, and even if they do, any increase in revenues may not offset the significant expenses we incur in building our brand. If we fail to successfully promote and maintain positive awareness of our brand, or we fail to expand positive awareness of our newer solutions or products, we may fail to attract or retain customers necessary to realize a sufficient return on our brand-building efforts, or to achieve the widespread positive brand awareness that is critical for broad customer adoption of our applications and for the end user experience. We have and may continue to experience reputational harm from, among other things, the introduction of new products, features, or services that do not meet customer expectations; our use of new and evolving technologies, including AI; service outages or disruptions; issues with product quality or performance; backlash from customers, government entities, or other stakeholders that disagree with our product offering decisions or public policy, ethical, or political positions; significant litigation or regulatory actions that negatively reflect on our business practices; and data security breaches or compliance failures. Any unfavorable publicity or perception of our brand or our applications, including any unfavorable candidate or end user experience, could negatively impact our ability to attract and retain customers and also make it more difficult to hire and retain employees.

We are increasingly building and integrating AI into the Workday product suite, including generative and agentic AI, and we are increasingly using AI products and technologies in the course of running our business at Workday. As with many cutting-edge innovations, these technologies can present new risks and challenges. A quickly evolving technical, legal, and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address ethical, legal, operational, or compliance requirements or other issues related to AI. For example, the European Union’s (“EU”) AI Act (“EU AI Act”) puts new requirements on providers and deployers of AI technologies and we are currently working to ensure compliance with corresponding deadlines. Additionally, existing laws and regulations apply to the development and deployment of AI in new ways, the nature and extent of which are difficult to predict and subject to change over time. The risks and challenges presented by these technologies could undermine public confidence in AI and could increase costs and burdens to us and our customers, which could slow its adoption and affect our business. Many of our products are powered by AI, some of which include the use of generative and agentic AI, for use cases that could potentially impact human, civil, privacy, or employment rights and dignities. To the extent that the products and technologies we develop and deploy rely on the use of generative or agentic capabilities provided by third parties, we face additional uncertainties and liabilities, especially where such third-party capabilities may be insufficient, biased, inaccurate, or of poor quality. Any failure to accurately identify and address our responsibilities and liabilities in this uncertain environment, including with respect to third-party capabilities, and to adequately address relevant ethical and social issues that may arise with such technologies and use cases, as well as failure by others in our industry or actions taken by our customers, employees, suppliers, or end users (including misuse of these technologies), could negatively affect the adoption of our offerings and subject us to reputational harm, regulatory action, or litigation, which may harm our financial condition and operating results. We are currently defending against a lawsuit alleging that certain of our AI-related products and services enable discrimination, and although we believe that such claims lack merit, and the majority of the claims have been dismissed, legal proceedings can be lengthy, expensive, and disruptive to our operations and customers (particularly where, as in the present litigation, the plaintiff may seek to also litigate against certain of Workday’s customers). We may be subject to other litigation and regulatory actions that may cause financial, competitive, and developmental impacts, and could lead to legal liability. Regardless of outcome, these types of claims have and could continue to cause reputational harm to our brand, including our ability to sell newly acquired products that use AI. Our employees, customers, or customers’ employees who are dissatisfied with our public statements, policies, practices, or solutions related to the development and use of AI may express opinions that could introduce reputational or business harm, or cease their relationship with us.

We are increasingly building AI into the Workday product suite and have recently made announcements about our plans to embrace agentic AI. As with many cutting-edge innovations, these technologies can present new risks and challenges. A quickly evolving technical, legal, and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address ethical, legal, operational, or compliance requirements or other issues related to AI. For example, the European Union’s (“EU”) AI Act (“EU AI Act”) puts new requirements on providers of AI technologies and we are currently analyzing the EU AI Act to ensure compliance in alignment with various deadlines in the coming years. Additionally, existing laws and regulations may apply to us in new ways, the nature and extent of which are difficult to predict and subject to change over time. The risks and challenges presented by these technologies could undermine public confidence in AI, which could slow its adoption and affect our business. Many of our products are powered by AI, some of which include the use of large language models and generative AI, for use cases that could potentially impact human, civil, privacy, or employment rights and dignities. To the extent that our products and technologies rely on the use of large language models provided by third parties, we may face additional uncertainties and liabilities. Any failure to accurately identify and address our responsibilities and liabilities in this uncertain environment, and adequately address relevant ethical and social issues that may arise with such technologies and use cases, as well as failure by others in our industry, or actions taken by our customers, employees, or end users (including misuse of these technologies), could negatively affect the adoption of our offerings and subject us to reputational harm, regulatory action, or litigation, which may harm our financial condition and operating results. We already are defending against a lawsuit alleging that our products and services enable discrimination, and although we believe that such claims lack merit, and the majority of the claims have been dismissed, legal proceedings can be lengthy, expensive, and disruptive to our operations and customers (particularly where, as in the present litigation, the plaintiff may seek to also litigate against certain of Workday’s customers). We may be subject to other litigation and regulatory actions that may cause financial, competitive, and developmental impacts, and could lead to legal liability. In addition, regardless of outcome, these types of claims could cause reputational harm to our brand, including our ability to sell newly acquired products that use AI. Our employees, customers, or customers’ employees who are dissatisfied with our public statements, policies, practices, or solutions related to the development and use of AI may express opinions that could introduce reputational or business harm, or cease their relationship with us.

Our success and future growth depend largely upon the continued services of our executive officers, other members of senior management, and other key employees. We do not have employment agreements with our executive officers or other key employees that require them to continue to work for us for any specified period, and they could terminate their employment with us at any time. We have and may continue to execute our growth plan through strategic investments to attract and retain executive officers, senior management, or other key employees that may not be offset by increased performance or revenues. In February 2026, Aneel Bhusri, formerly Executive Chair, assumed the role of CEO and Carl Eschenbach ceased to serve as CEO. Key employee and executive leadership changes have the potential to disrupt our business, impact our ability to preserve our culture, negatively affect our ability to attract and retain talent, or otherwise have a serious adverse effect on our business and operating results. To execute our growth plan, we must attract, enable, develop, and retain highly qualified talent. Our ability to compete and succeed in a highly competitive environment is directly correlated to our ability to recruit and retain highly skilled and experienced employees, especially in the areas of product development, cybersecurity, senior sales executives, and engineers with significant experience in designing and developing software and internet-related services, especially in AI and emerging technologies. The expansion of our sales infrastructure, both domestically and internationally, is necessary to grow our customer base and business. Our business may be adversely affected if our efforts to attract and enable new members of our direct sales force do not generate a corresponding increase in revenues. We have experienced, and we expect to continue to experience, significant competition in hiring and retaining employees with appropriate qualifications. We must also continue to retain, develop, and motivate existing employees through our compensation practices, company culture, and career development opportunities. The compensation and incentives we have available to attract, retain, and motivate employees may not meet the expectations of current and prospective employees as the competition for talent intensifies. For example, our equity awards may become less effective if our stock price decreases or increases at a slower rate than our talent competitors. Further, our current and future office environments and our current hybrid work policy may not meet the expectations of our employees or prospective employees, and may amplify challenges in recruiting and retention. We believe that a critical component of our success has been our corporate culture and our core values. As we continue to grow and change, we may find it difficult to maintain our corporate culture among a larger number of employees who are dispersed throughout various geographic regions, including difficulties due to managing the complexities of communicating with all employees. Efforts to restructure our workforce may be disruptive and adversely impact employee morale or our corporate culture. Failure to maintain or adapt our culture could negatively affect our ability to attract new employees or to retain our current employees and our business and future growth prospects could be adversely affected.

Our success and future growth depend largely upon the continued services of our executive officers, other members of senior management, and other key employees. Effective February 1, 2024, the start of our fiscal 2025, in accordance with an established succession plan, Aneel Bhusri stepped down from his role as Co-CEO and assumed the role of Executive Chair, and Carl Eschenbach, formerly Co-CEO alongside Mr. Bhusri, assumed the role of sole CEO. We do not have employment agreements with our executive officers or other key employees that require them to continue to work for us for any specified period, and they could terminate their employment with us at any time. Key employee changes have the potential to disrupt our business, impact our ability to preserve our culture, negatively affect our ability to attract and retain talent, or otherwise have a serious adverse effect on our business and operating results. To execute our growth plan, we must attract, enable, develop, and retain highly qualified talent. Our ability to compete and succeed in a highly competitive environment is directly correlated to our ability to recruit and retain highly skilled employees, especially in the areas of product development, cybersecurity, senior sales executives, and engineers with significant experience in designing and developing software and internet-related services, including in AI. The expansion of our sales infrastructure, both domestically and internationally, is necessary to grow our customer base and business. Our business may be adversely affected if our efforts to attract and enable new members of our direct sales force do not generate a corresponding increase in revenues. We have experienced, and we expect to continue to experience, significant competition in hiring and retaining employees with appropriate qualifications. In February 2025, we announced the Fiscal 2026 Restructuring Plan, which is intended to prioritize our investments and advance our growth and is currently expected to result in the reduction of approximately 8% of our workforce. We expect this plan to be substantially complete by the second quarter of fiscal 2026, subject to local law and consultation requirements. The Fiscal 2026 Restructuring Plan could negatively impact our ability to attract, retain, and motivate employees. We must also continue to retain, develop, and motivate existing employees through our compensation practices, company culture, and career development opportunities. Further, our current and future office environments and our current hybrid work policy may not meet the expectations of our employees or prospective employees, and may amplify challenges in recruiting and retention. We believe that a critical component of our success has been our corporate culture and our core values. As we continue to grow and change, we may find it difficult to maintain our corporate culture among a larger number of employees who are dispersed throughout various geographic regions, including managing the complexities of communicating with all employees. Efforts to restructure our workforce, such as the Fiscal 2026 Restructuring Plan, may be disruptive and adversely impact employee morale or our corporate culture. Failure to maintain or adapt our culture could negatively affect our ability to attract new employees or to retain our current employees and our business and future growth prospects could be adversely affected. 10 10 10 Table of Contents Table of Contents

Our applications include software covered by open source licenses, which may include, by way of example, the GNU General Public License and the Apache License. Furthermore, our strategy includes acquiring and investing in open-source AI platforms and utilizing AI models that may be governed by novel or untested licenses with ambiguous terms, use-based restrictions, or uncertain legal interpretation. Few terms used in either traditional or new AI-focused open source licenses have been interpreted by U.S. courts, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market our applications. We attempt to comply with all open source licensing conditions that apply to our use of open source software. By the terms of certain open source licenses, we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, if we combine our proprietary software with open source software in a certain manner. Our increasing integration of proprietary AI agents and platforms with open source components may heighten this “copyleft” risk. In addition, the license terms for certain previously open source software or models that we use have changed and the license terms for future versions of open source software that we use might change, requiring us to pay for a commercial license or re-engineer all or a portion of our technologies. In addition to risks related to open source license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with usage of open source software cannot be eliminated and could negatively affect our business. Beyond licensing compliance, our use of and investment in open source AI models and platforms create distinct and significant risks. Open source AI models may be trained on data of unknown or uncertain provenance, which could include copyrighted or otherwise proprietary, confidential, or private information. If our applications or the agents our customers build using our platforms incorporate such models, we could face claims for copyright infringement and other violations. Open source AI components may also be subject to “data poisoning” and other security vulnerabilities. Many of the risks associated with usage of open source software, particularly in the rapidly evolving field of AI, cannot be eliminated and could negatively affect our business. 23 23 23 Table of Contents Table of Contents

Our applications include software covered by open source licenses, which may include, by way of example, GNU General Public License and the Apache License. Few terms used in open source licenses have been interpreted by United States courts, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market our applications. We attempt to comply with all open source licensing conditions that apply to our use of open source software. By the terms of certain open source licenses, we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, if we combine our proprietary software with open source software in a certain manner. In the event that portions of our proprietary software are determined to be impacted by an open source license, we could be required to publicly release portions of our source code, re-engineer all or a portion of our technologies, or otherwise be limited in the use or licensing of our technologies, which could reduce or eliminate the value of our technologies, products, and services. In addition, the license terms for certain previously open source software that we use have changed and the license terms for future versions of open source software that we use might change, requiring us to pay for a commercial license or re-engineer all or a portion of our technologies. In addition to risks related to open source license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with usage of open source software cannot be eliminated and could negatively affect our business.

The growth of our business and future prospects depends on our ability to further expand our operations and increase our sales outside of the U.S. as a percentage of our total revenues. Operating globally requires significant resources and management attention and subjects us to regulatory, economic, and political risks that are different from those in the U.S. Our investments and efforts to further expand internationally may not be successful in creating additional demand for our applications outside of the U.S. or in effectively selling subscriptions to our applications in all of the markets we enter. Risks associated with doing business on a global scale that could adversely affect our business, include: •the need to develop, localize, and adapt our applications and customer support for specific countries; •the need to successfully develop and execute on a localized go-to-market strategy; •the need to adhere to local laws and regulations, including those related to data localization, privacy, and anti-corruption, which may make it more difficult to penetrate certain international market segments with highly specialized compliance, contracting, and data sovereignty requirements; •difficulties in appropriately staffing and managing foreign operations and providing appropriate compensation and benefits for local markets; •difficulties in leveraging executive presence, maintaining company culture globally, and conforming with local cultural contexts and customs; •increased travel, real estate, infrastructure, and legal and regulatory compliance costs associated with international operations; •different pricing environments, longer sales cycles, and longer trade receivables payment cycles, and collections issues; •new and different sources of competition; •potentially weaker protection for intellectual property and other legal rights than in the U.S. and practical difficulties in enforcing intellectual property and other rights; •laws, contracting approaches, customs, and business practices favoring local vendors over U.S.-based companies, which may be increased by geopolitical tensions; •restrictive governmental actions focused on cross-border trade, such as import and export restrictions, duties, quotas, potential or imposed tariffs, trade disputes, and barriers or sanctions, as well as any retaliatory actions, that may prevent us from offering certain portions of our products or services to a particular market, may increase our operating costs, or may subject us to monetary fines or penalties; •compliance challenges related to the complexity of multiple, conflicting, and changing governmental laws and regulations, including employment, tax, privacy, intellectual property, financial services, AI, and data protection laws and regulations, as well as challenges with differing legal, alternative dispute, and regulatory systems; •increased compliance costs related to government regulatory reviews or audits, including those related to international cybersecurity and sustainability requirements; •increased financial accounting and reporting burdens and complexities; •the effects of currency fluctuations on our revenues and expenses and customer demand for our services; •restrictions on the transfer of funds; •adverse tax consequences and tax rulings; and •unstable economic and political conditions. Certain of the above factors have and may continue to negatively impact our ability to sell our applications and offer services globally, reduce our competitive position in foreign markets, increase our costs of global operations, reduce demand for our applications and services from global customers, or subject us to legal or regulatory liability. Additionally, the majority of our international costs are denominated in local currencies and we anticipate that over time an increasing portion of our sales contracts may be outside the U.S. and will therefore be denominated in local currencies. Fluctuations in the value of foreign currencies, which may be amplified by macroeconomic events, may impact our operating results when translated into U.S. dollars. Such fluctuations may also impact our ability to predict our future results accurately. If we are not able to successfully hedge against the risks associated with foreign currency fluctuations, our financial condition and operating results could be adversely affected.

The growth of our business and future prospects depends on our ability to increase our sales outside of the United States as a percentage of our total revenues. Operating globally requires significant resources and management attention and subjects us to regulatory, economic, and political risks that are different from those in the United States. Our investments and efforts to further expand internationally may not be successful in creating additional demand for our applications outside of the United States or in effectively selling subscriptions to our applications in all of the markets we enter. Risks associated with doing business on a global scale that could adversely affect our business, include: •the need to develop, localize, and adapt our applications and customer support for specific countries; •the need to successfully develop and execute on a localized go-to-market strategy; •the need to adhere to local laws and regulations, including those related to data localization, privacy, and anti-corruption; •difficulties in appropriately staffing and managing foreign operations and providing appropriate compensation for local markets; •difficulties in leveraging executive presence and maintaining company culture globally; •different pricing environments, longer sales cycles, and longer trade receivables payment cycles, and collections issues; •new and different sources of competition; •potentially weaker protection for intellectual property and other legal rights than in the United States and practical difficulties in enforcing intellectual property and other rights; •laws, customs, and business practices favoring local competitors; •restrictive governmental actions focused on cross-border trade, such as import and export restrictions, duties, quotas, tariffs, trade disputes, and barriers or sanctions, that may prevent us from offering certain portions of our products or services to a particular market, may increase our operating costs or may subject us to monetary fines or penalties; •compliance challenges related to the complexity of multiple, conflicting, and changing governmental laws and regulations, including employment, tax, privacy, intellectual property, financial services, AI, and data protection laws and regulations; •increased compliance costs related to government regulatory reviews or audits, including those related to international cybersecurity and environmental, social, and governance (“ESG”) requirements; •increased financial accounting and reporting burdens and complexities; •the effects of currency fluctuations on our revenues and expenses and customer demand for our services; •restrictions on the transfer of funds; •adverse tax consequences and tax rulings; and •unstable economic and political conditions. Certain of the above factors have and may continue to negatively impact our ability to sell our applications and offer services globally, reduce our competitive position in foreign markets, increase our costs of global operations, reduce demand for our applications and services from global customers, or subject us to legal or regulatory liability. Additionally, the majority of our international costs are denominated in local currencies and we anticipate that over time an increasing portion of our sales contracts may be outside the U.S. and will therefore be denominated in local currencies. Fluctuations in the value of foreign currencies, which may be amplified by macroeconomic events, may impact our operating results when translated into U.S. dollars. Such fluctuations may also impact our ability to predict our future results accurately. If we are not able to successfully hedge against the risks associated with foreign currency fluctuations, our financial condition and operating results could be adversely affected. 12 12 12 Table of Contents Table of Contents

Legal requirements related to collecting, storing, handling, retaining, and transferring (collectively, “processing”) personal data are rapidly evolving at both the national and international level in ways that require our business to adapt to comply with applicable laws and support customer compliance. As the complexity of our products grows, the regulatory focus on privacy intensifies worldwide, and jurisdictions increasingly consider and adopt privacy laws, the risks related to our business’s processing of personal data also grow. In addition, possible adverse interpretations of existing privacy-related laws and regulations by regulators in jurisdictions where our customers operate, as well as the potential adoption of new privacy-related requirements, could impose significant obligations affecting our business or prevent us from offering certain services in jurisdictions where we operate. Over the past five years, the global data privacy compliance landscape has grown increasingly complex, fragmented, and financially relevant to business operations. As a result, our data processing creates current and prospective risks related to increased regulatory compliance costs, government enforcement actions and/or financial penalties for non-compliance, and reputational harm. For example, the EU-U.S. Data Privacy Framework (“DPF”) is in place under which EU data can legally be transferred to the U.S. However, it is facing legal challenges. As legal challenges to the DPF remain unresolved, uncertainty may continue regarding the legal requirements for transferring personal data from Europe, an integral aspect of our business that remains governed by, and subject to, General Data Protection Regulation (“GDPR”) requirements. Failure to comply with the GDPR data processing requirements by either ourselves or our subprocessors could lead to regulatory enforcement actions, which can result in monetary penalties of up to 4% of worldwide revenue, private lawsuits, reputational damage, and loss of customers. Other new EU laws, including the EU Data Act, which primarily governs access to and use of non-personal data generated by digital services, have been, and may continue to be implemented, interpreted, and enforced in ways that impose additional rules and restrictions on the deployment, operation, or use of our products and services and may require us to adapt our business practices or contractual arrangements to comply with such requirements. Other countries such as Russia, China, Vietnam, and India have also passed or are in the process of passing laws imposing new requirements, including requirements related to consent and varying degrees of restrictive data residency or localization. 21 21 21 Table of Contents Table of Contents Regulatory developments in the U.S. present additional risks. For example, the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, and the California Privacy Rights Act (“CPRA”), which expands upon the CCPA, came into effect on January 1, 2023. The CCPA and CPRA give California consumers, including employees, certain rights similar to those provided by the GDPR, and also provide for statutory damages or fines on a per violation basis that could be very large depending on the severity of the violation. In addition, numerous states have enacted, or are considering, comprehensive privacy laws and other laws that touch on the processing of personal data in specific contexts, including in connection with artificial intelligence and automated systems, further contributing to a fragmented and evolving regulatory landscape that has and may continue to create compliance challenges. Additionally, a final rule issued by the U.S. Department of Justice establishing a “Data Security Program” came into effect on April 8, 2025. The rule prohibits or restricts certain transactions that could result in access to bulk U.S. sensitive personal data or U.S. government-related data by countries of concern, including China (which includes Hong Kong and Macau). The rule imposes certain diligence, security, audit and record-keeping requirements, and may adversely impact certain of our global business operations, including by restricting or conditioning certain data access or transfers involving subsidiaries, affiliates, and vendors. Furthermore, the U.S. Congress is considering numerous privacy bills, and the U.S. Federal Trade Commission continues to bring enforcement actions for unfair or deceptive data protection practices and may undertake its own privacy-related rulemaking. In addition to government activity, privacy advocacy and other industry groups have established or may establish various new, additional, or different self-regulatory standards that customers may require us to adhere to, which may place additional burdens on us. Increasing sensitivity of individuals to the unauthorized processing of personal data, whether real or perceived, and an increasingly uncertain trust climate has and may continue to create negative public reaction to technologies, products, and services such as ours or otherwise expose us to liability. In addition, as AI technologies are increasingly used across the industry, including in connection with data analytics, automation, customer service, and decision-support features, the speed, scale, and complexity of data processing may increase, which may heighten data privacy risks. AI-enabled or agentic AI features may be targeted, misused, or produce outputs or inferences that implicate personal data in ways that are difficult to anticipate or control, potentially resulting in regulatory scrutiny, litigation, or reputational harm, even in the absence of a data breach. Taken together, the costs of compliance with and other obligations imposed by data protection laws and regulations have and may continue to require modification of our services and operations, limit use or adoption of our services, slow the pace at which we close sales transactions, or otherwise adversely affect our business. In addition, data protection laws, regulations and related enforcement activities may lead to significant fines, penalties, or liabilities for noncompliance. These requirements may impact how personal data must be stored, accessed, and deleted within the products and services and impose certain limitations on how it may be used or shared. Further, the perception of privacy concerns, whether or not valid, may inhibit the adoption, effectiveness, or use of our applications or otherwise impact our business. Compliance with applicable laws and regulations regarding personal data may require changes in services, business practices, or internal systems that result in increased costs, lower revenue, reduced efficiency, or greater difficulty competing with foreign-based firms which could adversely affect our business and operating results.

Legal requirements related to collecting, storing, handling, retaining, and transferring (collectively, “processing”) personal data are rapidly evolving at both the national and international level in ways that require our business to adapt to support customer compliance. As the complexity of our products grow, the regulatory focus on privacy intensifies worldwide, and jurisdictions increasingly consider and adopt privacy laws, the risks related to processing personal data by our business also grow. In addition, possible adverse interpretations of existing privacy-related laws and regulations by governments in countries where our customers operate, as well as the potential implementation of new legislation, could impose significant obligations in areas affecting our business or prevent us from offering certain services in jurisdictions where we operate. Following the EU’s passage of the General Data Protection Regulation (“GDPR”), which became effective in May 2018, the global data privacy compliance landscape has grown increasingly complex, fragmented, and financially relevant to business operations. As a result, our data processing creates current and prospective risks related to increased regulatory compliance costs, government enforcement actions and/or financial penalties for non-compliance, and reputational harm. For example, a new EU-U.S. Data Privacy Framework (“DPF”) is in place under which EU data can legally be transferred to the United States. However, it is expected to face legal challenges. Until challenges to the DPF make their way through the court system, uncertainty may continue about the legal requirements for transferring customer personal data to and from Europe, an integral process of our business that remains governed by, and subject to, GDPR requirements. Failure to comply with the GDPR data processing requirements by either ourselves or our subcontractors could lead to regulatory enforcement actions, which can result in monetary penalties of up to 4% of worldwide revenue, private lawsuits, reputational damage, and loss of customers. Other countries such as Russia, China, and India have also passed laws imposing varying degrees of restrictive data residency requirements. Regulatory developments in the United States present additional risks. For example, the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, and the California Privacy Rights Act (“CPRA”), which expands upon the CCPA, came into effect on January 1, 2023. The CCPA and CPRA give California consumers, including employees, certain rights similar to those provided by the GDPR, and also provide for statutory damages or fines on a per violation basis that could be very large depending on the severity of the violation. Numerous states have enacted, or are considering, privacy laws as well, creating a patchwork of state laws that may create compliance challenges. Furthermore, the U.S. Congress is considering numerous privacy bills, and the U.S. Federal Trade Commission continues to fine companies for unfair or deceptive data protection practices and may undertake its own privacy rulemaking exercise. In addition to government activity, privacy advocacy and other industry groups have established or may establish various new, additional, or different self-regulatory standards that customers may require us to adhere to and which may place additional burdens on us. Increasing sensitivity of individuals to unauthorized processing of personal data, whether real or perceived, and an increasingly uncertain trust climate has and may continue to create a negative public reaction to technologies, products, and services such as ours or otherwise expose us to liability. Taken together, the costs of compliance with and other obligations imposed by data protection laws and regulations may require modification of our services, limit use and adoption of our services, reduce overall demand for our services, lead to significant fines, penalties, or liabilities for noncompliance, or slow the pace at which we close sales transactions, or otherwise cause us to modify our operations, any of which could harm our business. The data protection laws set forth requirements impacting how personal data must be stored, accessed, and deleted within the products. The perception of privacy concerns, whether or not valid, may inhibit the adoption, effectiveness, or use of our applications or otherwise impact our business. Compliance with applicable laws and regulations regarding personal data may require changes in services, business practices, or internal systems that result in increased costs, lower revenue, reduced efficiency, or greater difficulty competing with foreign-based firms which could adversely affect our business and operating results. 20 20 20 Table of Contents Table of Contents

Our customers have no obligation to renew their subscriptions for our applications after the expiration of either the initial or renewed subscription period and it is difficult to predict attrition rates given our varied customer base and the number of multi-year subscription contracts. Our customers’ renewal rates fluctuate as a result of a number of factors, including our mix of customer base and their level of satisfaction with our offerings and pricing, their awareness and adoption of the benefits and features of our applications, their ability to continue their operations and spending levels, reductions in their headcount, the evolution of their business, and the macroeconomic environment. Acquisitions of our customers by other companies have led, and could continue to lead, to cancellation of our contracts with those customers, thereby reducing the number of our existing and potential customers. If our customers do not renew their subscriptions for our applications on similar pricing terms or renew for fewer elements of our offerings or for a lower headcount, our revenues may decline, and we may not be able to meet our revenue projections, which could negatively impact our business and the market price of our Class A common stock. Our future success also depends, in part, on our ability to sell additional products to our current customers, and the success rate of such endeavors is difficult to predict, especially with regard to any new lines of business that we may introduce from time to time. This has and may continue to require increasingly costly marketing and sales efforts that are targeted at senior management, and if these efforts are not successful, our business and operating results may suffer. Similarly, the rate at which our customers purchase new or enhanced services depends on a number of factors, including general economic conditions and customer receptiveness to any price changes related to these additional features and services. The markets and monetization strategies for certain of our offerings, including our agentic AI solutions and Workday Data Cloud, remain relatively new and uncertain and as a result, our expansion into such offerings, and related investments, may present additional risks and challenges. For example, we offer certain capabilities, including our AI agents, through Flex Credits, our new subscription-based flexible pricing model for certain AI solutions and platform capabilities, and may increase the number of products through which we do so. We have limited experience with determining optimal pricing for Flex Credits-based contracts and may face customer resistance to new pricing models or have lower levels of customer adoption of our AI solutions than we expect, which could negatively impact our business and operating results. 16 16 16 Table of Contents Table of Contents

Our customers have no obligation to renew their subscriptions for our applications after the expiration of either the initial or renewed subscription period. Our customers’ renewal rates fluctuate as a result of a number of factors, including their level of satisfaction with our applications and pricing, their awareness and adoption of the benefits and features of our applications, their ability to continue their operations and spending levels, reductions in their headcount, and the evolution of their business. If our customers do not renew their subscriptions for our applications on similar pricing terms or renew for fewer elements of our applications, our revenues may decline, and we may not be able to meet our revenue projections, which could negatively impact our business and the market price of our Class A common stock. Our future success also depends, in part, on our ability to sell additional products to our current customers, and the success rate of such endeavors is difficult to predict, especially with regard to any new lines of business that we may introduce from time to time. This has and may continue to require increasingly costly marketing and sales efforts that are targeted at senior management, and if these efforts are not successful, our business and operating results may suffer. Additionally, acquisitions of our customers by other companies have led, and could continue to lead, to cancellation of our contracts with those customers, thereby reducing the number of our existing and potential customers. 13 13 13 Table of Contents Table of Contents

Our contracts with federal, state, local, and foreign government entities are subject to various procurement regulations and other requirements relating to their formation, award, administration, and performance, which present certain risks and challenges not present in private commercial agreements. These risks and challenges include varying governmental budgeting processes and appropriations, contracting policies and requirements, changes in governmental administrations and policies, fluctuations due to government spending cuts and shutdowns, pressure to reduce deficits through spending reductions, highly competitive and lengthy bidding processes, and adherence to complex regulatory requirements and executive orders, and may impact government spending or result in termination of government contracts or delays in contract awards, which could adversely affect our business and operating results. Further, we have experienced and may in the future experience challenges by third parties to contracts awarded with government entities, and our contracting with certain government entities may result in negative publicity or reputational harm. Laws and regulations provide public sector customers with various rights, many of which are not typically found in commercial contracts. For example, some governmental contracts provide for termination by the government at any time, with or without cause, which can adversely affect our business and operating results and impact other existing or prospective government contracts. U.S. federal, state, and local government and foreign government contracts are generally subject to government funding authorizations and appropriations, and contracts may also be terminated due to a lack of government funds. Changes in government procurement policies, priorities, regulations, or technology initiatives may negatively impact our potential for growth in the government sector. 24 24 24 Table of Contents Table of Contents We have made, and may continue to make, significant investments to support our efforts to sell to government entities, including obtaining various authorizations and certifications. For example, we have obtained authorization under FedRAMP, which allows us to participate in the U.S. federal government market. Such authorization is subject to rigorous compliance and if we were to lose our authorization, it could inhibit or preclude our ability to contract with certain U.S. federal and state government customers. If we fail to maintain FedRAMP authorization, we may fail to retain existing customers or attract new customers that rely on our authorization under FedRAMP, which could subject us to liability, result in reputational harm, and adversely impact our financial condition or operating results. Government certification requirements applicable to our products and services may change, which could restrict our ability to sell into the public sector until we have received a certification or until we can account for these changes in our service or corporate controls. We may be subject to additional audits and investigations relating to our government contracts, and any violations could result in various civil and criminal penalties and administrative sanctions, including termination of contracts, suspension of payments, payment of fines, and suspension or debarment from future government business, as well as harm to our reputation and financial results.

Our contracts with federal, state, local, and foreign government entities are subject to various procurement regulations and other requirements relating to their formation, administration, and performance, which could adversely impact our business and operating results. Government certification requirements applicable to our platform may change and, in doing so, restrict our ability to sell into the governmental sector until we have attained the authorization to use or certification. These laws and regulations provide public sector customers with various rights, many of which are not typically found in commercial contracts. For example, some federal contracts provide for delays, interruptions, or termination by the government at any time, with or without cause, which can adversely affect our business and operating results and impact other existing or prospective government contracts. Additionally, we have obtained authorization under FedRAMP, which allows us to participate in the U.S. federal government market. Such authorization is subject to rigorous compliance and if we were to lose our authorization, it could inhibit or preclude our ability to contract with certain U.S. federal government customers. In addition, some customers may rely on our authorization under FedRAMP to help satisfy their own legal and regulatory compliance requirements. If we fail to maintain FedRAMP authorization, we may fail to retain existing customers or attract new customers that rely on our authorization under FedRAMP, which could subject us to liability, result in reputational harm, and adversely impact our financial condition or operating results. We may be subject to additional audits and investigations relating to our government contracts, and any violations could result in various civil and criminal penalties and administrative sanctions, including termination of contracts, refunding or suspending of payments, forfeiture of profits, payment of fines, and suspension or debarment from future government business.

The positions we take on corporate responsibility and sustainability-related matters, human capital management initiatives, and ethical issues from time to time may impact our brand, reputation, or ability to attract or retain customers. In particular, our brand and reputation are associated with our environmental sustainability commitments (including our science-based targets), strong corporate governance practices, inclusivity, and ethical use, and any perceived changes in our dedication to these commitments could impact our relationships with potential and current customers, employees, stockholders, and other stakeholders. Standards and requirements for tracking and reporting corporate responsibility and sustainability-related matters continue to evolve. Our failure to accomplish stated commitments or accurately track and report on these matters on a timely basis, or at all, could adversely affect our reputation and could expose us to increased scrutiny from the investment community as well as enforcement authorities. In addition, our processes and controls may not always comply with evolving standards for identifying, measuring, and reporting sustainability metrics, including sustainability-related disclosures that may be required by various regulatory bodies, and such standards have and may continue to change over time. If our sustainability or other corporate responsibility practices do not align with or meet evolving investor or other stakeholder expectations and standards, then our reputation, our ability to attract or retain employees, and our attractiveness as an investment, business partner, acquirer, or service provider could be negatively impacted. Conflicting laws, regulations, and executive orders and a lack of harmonization of legal and regulatory environments and stakeholder expectations across the jurisdictions in which we operate may create enhanced compliance risks and costs.

The positions we take on ESG matters, human capital management initiatives, and ethical issues from time to time may impact our brand, reputation, or ability to attract or retain customers. In particular, our brand and reputation are associated with our public commitments to environmental sustainability (including our science-based targets), strong corporate governance practices, equality, inclusivity, and ethical use, and any perceived changes in our dedication to these commitments could impact our relationships with potential and current customers, employees, stockholders, and other stakeholders. These commitments reflect our current plans and aspirations and are not guarantees that we will be able to achieve them. Our failure to accomplish or accurately track and report on these goals on a timely basis, or at all, could adversely affect our reputation, financial performance, and growth, and expose us to increased scrutiny from the investment community as well as enforcement authorities. Our ability to achieve any ESG objective is subject to numerous risks, many of which are outside of our control. Examples of such risks include: •the availability and cost of low- or non-carbon-based energy sources; •the evolving regulatory requirements affecting ESG standards or disclosures; •the ability of suppliers to meet our sustainability and other ESG standards; •our ability to recruit, develop, and retain diverse talent in our global labor markets; •the availability and cost of high-quality verified emissions reductions and renewable energy credits; and •the ability to renew existing or execute on new virtual power purchase agreements. 17 17 17 Table of Contents Table of Contents Standards for tracking and reporting ESG matters continue to evolve. In addition, our processes and controls may not always comply with evolving standards for identifying, measuring, and reporting ESG metrics, including ESG-related disclosures that may be required of public companies by the SEC or other regulatory bodies, and such standards may change over time, which could result in significant revisions to our current goals, reported progress in achieving such goals, or ability to achieve such goals in the future. It is likely that increasing regulatory requirements and regulatory scrutiny related to ESG matters will continue to expand globally and result in higher associated compliance costs. Further, we may rely on data and calculations provided by third parties to measure and report our ESG metrics and if the data input or calculations are incorrect or incomplete, our brand, reputation, and financial performance may be adversely affected. If our ESG practices do not align with or meet evolving investor or other stakeholder expectations and standards, then our reputation, our ability to attract or retain employees, and our attractiveness as an investment, business partner, acquirer, or service provider could be negatively impacted. For example, an increasing number of stakeholders, regulators, and lawmakers have expressed or pursued contrary views towards ESG initiatives, including the proposal or enactment of “anti-ESG” policies, legislation, executive orders, or initiatives or the issuance of related legal opinions. Conflicting regulations and a lack of harmonization of ESG legal and regulatory environments across the jurisdictions in which we operate may create enhanced compliance risks and costs. We may also face increasing scrutiny from our investors, customers, employees, and other stakeholders relating to the appropriate role of ESG practices and disclosure. Further, our failure or perceived failure to pursue or fulfill our goals and objectives or to satisfy various reporting standards on a timely basis, or at all, could have similar negative impacts or expose us to government enforcement actions and private litigation.