Privacy Policy

Workfront's privacy policy outlines how information about you is collected, used, and protected.




Workfront Inc. (“Workfront”) takes the protection of our customer’s privacy seriously. This privacy policy (the “Privacy Policy”) informs you of our policies regarding the collection, use, and disclosure of all personally identifiable information (“Personal Data") and other data that is provided to us through use of each of our websites and mobile applications on which a link to this Privacy Policy is displayed and all products and services made available through those websites, including, without limitation our SaaS offerings (collectively, the “Service”).

Responsible Workfront Entity

Workfront Inc. (“Workfront”) is the processor of your Personal Data and is responsible for its processing, unless expressly specified otherwise in a contractual agreement between both parties. This Privacy Statement does not apply to the extent we offer to our customers various cloud products and services through which our customers create their own websites and applications running on our platforms, sell or offer their own products and services, send electronic communications to other individuals or collect and analyze Personal Data from individuals.

EU-US & SWISS-US Privacy Shield Compliance

Workfront complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework(s) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland, (as applicable) to the United States in reliance on Privacy Shield. Workfront has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in our privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. For more information on Privacy Shield compliance, please visit

Workfront commits to resolve complaints about our collection or use of your Personal Data. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Workfront at: [email protected] Workfront has chosen to cooperate with EU data protection authorities (DPAs) and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles). Please contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Workfront is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Personal Data Collection

The following Personal Data may be collected in the course of using the Service or visiting our web sites:

  • Family and Given names
  • Email Address
  • IP Address
  • Company name
  • Job role/title
  • Phone number

Does Workfront process any Special Categories of Data for its customers?

Workfront does not process any Special Categories of data as a Processor entity. Workfront as a processor for its customers will not transfer special categories unless expressly stated. Customers may submit special categories of data into the Workfront platform, to the extent of which is determined and controlled by the customer in its sole discretion except as limited in contract: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Purposes for which we may process Personal Data

Workfront’s legal basis for processing and collecting your personal data is to deliver performance of a contract in the course of providing SaaS services as specified in the Services Agreement/DPA with our customers by providing explicit consent upon mutual contractual agreement.

Personal Data could be used for the following purposes:

  • Administer the Service
  • Personalize the Services for you
  • Enable your access to and use of the Service
  • Supply you access to the services that you purchase
  • Send you statements and invoices
  • Marketing communications, with an opt-out option for users who wish to exercise their choice to decline to participate in these communications

Data Security

We take reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. These measures are appropriate to the risks involved and the nature of the Personal Data. Although Workfront seeks to protect the privacy of others who use our Service, there is inherent risk in internet based activities so there is no 100% guarantee of absolute security.

Passively Collected Information

When you interact with us through the Service, we and third parties that provide functionality on the Service, may engage, receive, collect and store certain types of information through automatic data collection tools including cookies, encrypted authentication tokens and similar technology. Such information, which is collected passively using various technologies, may include but is not limited to information about your device, referring/exit pages and URLs and number of clicks. Workfront may store such information itself or such information may be included in databases owned and maintained by Workfront affiliates, agents or third party service providers. The Service may use such information and pool it with other information to track, for example, the total number of visitors to our Service, the number of visitors to each page of our Service, and the domain names of our visitors’ Internet service providers. Such information that we collect will allow Workfront to make decisions on how to provide better products and better services for our users.


In operating the Service, we may use cookies. Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive. Like many sites, we use “cookies” to collect some of the information detailed above. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. We may use Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to help us analyze how users use our Service. Google will use this information it collects for the purpose of evaluating your use of our Service, compiling reports on Service activity and providing other related services. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. To modify cookie preferences, please visit our Cookie Policy page.

Do Not Track

We may (and we may allow third party service providers to) use cookies or similar technologies to collect information about your browsing activities over time and across different websites following your use of our Service. Our Service currently does not respond to “Do Not Track” (DNT) signals and operate as described in this Privacy Policy whether or not a DNT signal is received. If we do so in the future, we will describe how we do so in this Privacy Policy.


Workfront does not knowingly collect Personal Data from children under the age of 16. If you are under the age of 16, please do not submit any Personal Data through the Service. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide Personal Data on the Service without their permission. If you have reason to believe that a child under the age of 16 has provided Personal Data to Workfront, please contact us, and we will delete that information.

Third Party Sites

This Privacy Policy applies only to the Service. The Service may contain links to other web sites and/or services not operated or controlled by Workfront (the “Third Party Sites”). The policies and procedures we described here do not apply to the Third Party Sites. The links from the Site do not imply that we endorse or have reviewed the Third Party Sites. We suggest contacting those sites directly for information on their privacy policies.

Personal Data Sharing

There are certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, as set forth below: Business Transfers: As we develop our business, we might decide to sell or buy businesses or assets. In connection with any potential or actual corporate sale, merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, dissolution or similar event or transaction, Personal Data may be disclosed to third parties as it may be part of the assets potentially transferred or otherwise relevant to the transaction. Agents, Consultants and Third Parties: Like many businesses, Workfront sometimes hires other companies to perform certain business-related functions, including to help us understand and improve the use of our Service. We may share any information we receive with vendors and service providers retained in connection with the operation of our business. With respect to Personal Data that is subject to our Privacy Shield registration, before disclosing Personal Data to a subcontractor or third-party agent, Workfront will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Workfront in providing the Service; (b) provide at least the same level of protection for Personal Data as required by the Privacy Shield Principles; and (c) notify Workfront if the recipient is no longer able to provide the required protections. Upon notice, Workfront will act promptly to stop and remediate unauthorized processing of Personal Date by a recipient. Workfront will remain liable for onward transfers to its subcontractors and third-party agents. Legal Requirements: Workfront may disclose your Personal Data if requested, subpoenaed and/or if we are required to do so by law, regulation, legal process, or by any court of competent jurisdiction or any inquiry or investigation by any governmental, official or regulatory body which is lawfully entitled to require any such disclosure, or otherwise in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Workfront or a third party, (iii) act in urgent circumstances to protect the personal safety of users of the Service or the public, or (iv) protect Workfront against potential legal liability.

Do Not Sell My Personal Information

We do not sell, rent, or share personal data we collect directly from you or about you from third parties with third party Advertisers for their own marketing purposes, unless you choose in advance to have such information shared for this purpose.

Right of Choice for Individuals

Individuals have the right to choose (opt out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.

  • Workfront processes personal data when requesting a ‘demo’ of our product to register you as a new customer and provide administration of our website and Products. “Opt-in” boxes are provided for explicit consent upon direct marketing and email subscriptions.
  • Workfront may use the Personal Data collected to occasionally provide newsletters, marketing or promotional materials, and other information that is relevant to the users and administrators of our Service. You have the choice to select not to participate in these communications. An “Opt Out” option is available via link in email communications or you by sending us an email request at [email protected].
  • Workfront’s Cookies tracking requires explicit consent given by the ‘Accept’ button on our Cookie Banner. These can be managed by accessing the Cookie preference centre, where Cookie categories are explained for purpose and can be ‘unselected’ to opt-out.
  • Workfront maintains a fully compliant data processing agreement and ensures requirements are met by third parties and sub processors. The choice to an objection to a sub-processor can be made by contacting Workfront. The Data Controller authorises the Data Processor to engage the sub-processors in the country locations for the Service-related activities specified as described, Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes.
  • Changes/Updates

    The Service and our business may change from time to time. As a result, at times it may be necessary for Workfront to make changes to this Privacy Policy. We reserve the right to update or modify this Privacy Policy at any time and from time to time without prior notice. Please review this policy periodically, and especially before you provide any Personal Data. This Privacy Policy was last updated on the date indicated below. Your use of the Service after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.

    Effective Date: January 2, 2019

    EU Data Privacy


    General Data Protection Regulation (GDPR)

    The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. Workfront fully complies with all relevant data privacy requirements under EU General Data Protection Regulation (GDPR) regulations:

    Workfront Compliance:

    • Employee training on compliant security and privacy procedures.
    • Published Privacy Policies and Notices to inform customers of Workfront’s compliance capacities and posture.
    • Configurable privacy and compliance features to our customers.
    • Privacy Impact Assessments
    • Records of data processing activities.

    International transfer of Personal Data

    Workfront is located in the United States. Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates in other countries where we operate. Our office locations are listed on our website.

    Therefore, your Personal Data may be processed outside the European Economic Area (EEA), and in countries which are not subject to an adequacy decision by the European Commission and which may not provide for the same level of data protection as the EEA. In this event, we are self-certified with the EU-US & SWISS-U Privacy Shield otherwise we ensure that the recipient of your Personal Data offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or we will ask you for your prior consent to such international data transfers.

    Rights as Data Subjects

    Under GDPR you have certain rights as a data subject to exercise with the company in relation to the Personal Data we hold. Depending on the applicable laws and, in particular, if you are located in the EEA or Switzerland or the United Kingdom, these rights may include:

    • To access your Personal Data held by us (right to access);
    • To rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete (right to rectification);
    • To erase/delete your Personal Data, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten);
    • To restrict our processing of your Personal Data, to the extent permitted by law (right to restriction of processing);
    • To transfer your Personal Data to another controller, to the extent possible (right to data portability);
    • To object to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
    • Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites; and
    • To the extent we base the collection, processing and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.

    To exercise your rights, please contact us using the Privacy Request Portal below. As the data processor, Workfront has the obligation to “assist the controller” in responding to requests of Data Subjects to exercise their rights under applicable Data Protections Laws and shall not respond to any such requests or complaints unless expressly authorised to do so by the Data Controller.

    If you are a resident of California, under the age of 18 and have registered for an account with us, you may ask us to remove content or information that you have posted to our websites. Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another visitor to our websites.

    Access to Personal Data; Privacy Request Portal

    To keep your Personal Data accurate, current, and complete, please contact us using the DSAR Portal below. Upon receipt of a verifiable request, we will update or correct Personal Data in our possession, as the Processor entity, that you have previously submitted via the Service.

    Data Retention

    Workfront’s data retention is the duration of the contract or 60 days after the data deletion has been requested by Customer via input in the application or a written request. After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.

    Workfront’s Sub-Processors

    Workfront’s maintains a current list of sub-processors authorized to process personal data for Workfront’s services. For purposes of transparency and clarity, Workfront performs due diligence on the information security practices and data protection compliance of all third-party sub-processors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data, including safeguards to govern international transfers of data.

    What is a Subprocessor

    A subprocessor is a third party data processor engaged by Workfront who has or potentially will have access to or process Service Data (which may contain Personal Data) as listed on the Workfront Data Processing Agreement (DPA). Workfront engages different types of sub-processors to perform various functions as explained in the tables below.

    Name Related Workfront Service Source (Data Repository) Corporate Location Website
    Amazon Web Services, Inc. (AWS) Cloud hosting provider and Data Storage Data Centers in North America (California & Virginia) & EU (Ireland & Germany) United States AWS
    Google Analytics Customer usage tracking and website traffic monitoring Workfront Hub, and Workfront website United States Google Analytics
    Google Cloud Platform (GCP) Cloud hosting provider and Data Storage Data Centers United States GCP
    Marketo Marketing and Campaign Management Workfront Website United States Marketo
    Pendo Application Usage Analytics Workfront Applications United States Pendo
    Salesforce Customer Relationship Management tool and ticketing System Workfront Hub United States Salesforce
    Totango Customer Support Workfront Website United States Totango

    Due Diligence

    Workfront undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or process Service Data.


    As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide notice of any new Subprocessors to the extent required under Agreements, along with posting such updates here. Please check back frequently for updates.

    Requesting More Information about a Sub-processor

    Submit a request via the privacy portal below to receive more information on a sub-processor regarding its role for Workfront and its security controls, including third party security reports or certifications.

    After reviewing information related to a particular sub-processor obtained through the above link, an objection to a sub-processor can be made by also following the link above and specifying ‘Sub-processor objection’. The Data Controller authorizes the Data Processor to engage the sub-processors in the country locations for the Service-related activities specified as described Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes.

    For further information please contact us below.

    Data Processing Agreement (DPA)

    Workfront maintains a fully compliant data processing agreement and ensures requirements are met by third parties and sub processors. For a copy of our Customer DPA, please download document below:

    Data Processing Agreement (DPA)

    Data Protection Officer

    Workfront has appointed a chief privacy officer responsible for overseeing the implementation of the privacy program within the organization. Please find information below.

    Last Updated January 28, 2019

    Contact US


    Please feel free to contact us if you have any questions about our Privacy Policy or the information practices of the Service.

    Workfront, Inc

    Attn: Data Protection Officer/Privacy Office

    3301 Thanksgiving Way, Suite 100,

    Lehi, Utah 84043


    Email: [email protected]

    Additional Resources