HRBlizz connects to Workday through every certified Global Payroll Connect feature — DCoD, APD, GPH, ExPR, and ExPD — over a single, event-driven REST architecture. One integration. 160 countries. Real-time, audited, and operated by Mercans-owned entities everywhere it runs.
If you run payroll in 30+ countries on Workday, you already know the pattern. Twenty templates. Twenty SFTP folders. Twenty different vendors hiding behind one logo. Errors surface days late, after batch runs, after gross-to-net is already locked. Compliance lives in a spreadsheet shared between three people who don't work for the same company.
A Workday certification tells you the integration meets a spec. The architecture tells you whether it will hold up at 50,000 worker records, 60 country payrolls, and a tenant migration. This section documents the reference architecture Mercans deploys for every Workday customer.
The integration runs on three logically separated planes — data plane (Workday tenant ↔ HRBlizz engine), control plane (orchestration, replay, observability), and policy plane (auth, encryption, residency rules). All three meet at a single audited channel between systems.
The integration channel runs entirely inside Mercans-owned infrastructure. There is no third-party iPaaS in the data path. Workday's PECI and REST endpoints are consumed directly by Mercans' connector code, which Mercans engineers maintain — no licensed middleware, no broker layer, no opaque scheduling.
The most useful thing about the architecture is what it does in the small. Below is the actual sequence of events for one new-hire record, from Workday entry to the moment that worker is payroll-ready in HRBlizz — and the moment their first payslip lands back in Workday.
| T+ | Component | Event |
|---|---|---|
| 00:00:00 | Workday HCM | HR enters new hire record. Worker, position, compensation, and country are committed to the Workday tenant. |
| 00:00:02 | DCoD interface | Workday emits a Data Changes on Demand event scoped to the affected worker. The HRBlizz connector receives the event and acknowledges it. |
| 00:00:04 | Connector · Data plane | Selective field extraction. Only the changed fields are pulled — not the full worker payload. Country library applied; mappings resolved. |
| 00:00:06 | APD interface | Country-specific payroll fields (e.g. social security ID, regional tax codes) collected via APD. No email forms; no template attachments. |
| 00:00:09 | HRBlizz Engine | Worker provisioned in payroll engine. Pay group assigned. Country compliance rule set loaded. Worker is now payroll-ready. |
| 00:00:09 | GPH | Global Payroll Hub state updated. Worker visible in the Workday-side payroll readiness view immediately. |
| …CYCLE | HRBlizz Engine | Pay cycle runs. Gross-to-net calculated. Statutory artefacts produced. Disbursement scheduled. |
| CYCLE+02:00 | ExPR interface | Structured payroll results (gross, net, employer cost, taxes) pushed back to Workday as JSON documents — reconciled by Finance against the same line items. |
| CYCLE+02:01 | ExPD interface | Payslip + tax forms delivered to Workday document repository. Worker accesses them through Workday Self Service. |
The same sequence runs for terminations, transfers, comp changes, and absence events. The path is the same; only the payload changes. There is no Friday-night batch window where everything catches up — because there is no batch window.
For procurement, security, and integration architects who need to enumerate the surfaces. This is the complete list of Workday interfaces the Mercans connector consumes or produces.
| Workday interface | Direction | Protocol | Mercans usage | Status |
|---|---|---|---|---|
| PECI — Payroll Effective Change Interface | Workday → HRBlizz | File · scheduled | Bulk batch ingestion of HCM deltas; primary path for regulated batch use cases. | ● Certified |
| DCoD — Data Changes on Demand | Workday → HRBlizz | REST · event-driven | Real-time delta sync. Event-scoped. The default sync mode for operational responsiveness. | ● Certified |
| APD — Additional Payroll Data | Workday → HRBlizz | REST · structured | Country-specific payroll fields captured natively in Workday and forwarded with the worker payload. | ● Certified |
| GPH — Global Payroll Hub | HRBlizz → Workday | REST · state push | Cycle status, exception flags, completion percentage. Surfaced in Workday administrator view. | ● Certified |
| ExPR — External Payroll Results | HRBlizz → Workday | REST · structured JSON | Calculated payroll results returned line-by-line to Workday for reconciliation, finance reporting, and audit. | ● Certified |
| ExPD — External Payroll Documents | HRBlizz → Workday | REST · binary upload | Payslips, tax forms, statutory documents pushed to the Workday document repository. | ● Certified |
| Workday Public REST API | Bidirectional | REST · OAuth 2.0 | Worker, position, compensation reads outside the GPC framework where customer use cases require it. | ● Live |
| Workday Documents API | HRBlizz → Workday | REST | Bulk document delivery and re-upload for payslip corrections. | ● Live |
An integration is only as enterprise-fit as its failure semantics. Below is how the channel behaves under each common failure class.
One size doesn't fit a multinational payroll. Mercans supports three deployment modes against the same Workday tenant — and customers routinely run all three concurrently.
Best for · Tech, Pharma, Finance
Best for · Banking, Defence, Energy
Best for · Most enterprises in practice
Workday Global Payroll Connect defines five integration capabilities. Most certified partners support a subset. Mercans implements every one — and operates them as a single, coherent operational surface.
DCoD is the Workday-defined mechanism for delivering worker, organisation, position, and compensation data to a payroll provider on the precise event it changes — a hire, a transfer, a salary revision, a job role change. Instead of a nightly file, the payroll engine receives a streamed delta the moment Workday commits the change.
HRBlizz subscribes to Workday change events and ingests them through a REST endpoint backed by an audited message bus. Every payload is signed, timestamped, and persisted to a replayable store before any country-payroll engine is touched. If the downstream country-payroll module is mid-cycle, the change is queued; if it conflicts with the in-flight cycle, it surfaces in the control plane for resolution rather than silently corrupting a calculation.
Payroll teams stop working from a 24-hour-old picture. A salary increase entered at 14:00 in Workday is reflected in the in-country payroll engine within minutes — not the next morning, not next cycle. For high-velocity organisations that hire, restructure, and rebadge constantly, this is the difference between catching errors before payroll runs and explaining them after.
APD is Workday's mechanism for capturing country-specific payroll data that Workday does not natively model — statutory IDs, local tax declarations, jurisdiction-specific allowance elections, garnishments, regional benefit enrolments. The form lives in the Workday UI; the data lives with the payroll provider.
For every country Mercans supports, HRBlizz exposes the statutory data model — the fields, valid values, validation rules, and effective-date behaviour — through APD. HR users see country-appropriate fields the moment they open a worker profile. There is no separate HR portal, no email back-and-forth with a country lead, no reconciling a spreadsheet against a workbook.
A single global HR operating model becomes possible. The Workday administrator does not need to know that Saudi Arabia requires GOSI registration, that France requires a numéro de sécurité sociale, or that the UAE requires Emirates ID — HRBlizz knows. The buyer gets compliant local payroll without fragmenting the HR experience.
GPH is the Workday capability that surfaces a payroll partner's data, status, and operational signals natively inside Workday — so the customer's HR and payroll teams operate from one screen, not two. Cycle status, exception counts, country-by-country progress, gross-to-net summary, all reachable inside the Workday tenant.
HRBlizz exposes the cycle state machine, exception register, and result summaries through the GPH-conformant endpoints. A customer's payroll lead can see, inside Workday, exactly which of their 60-country cycles are open, locked, calculated, approved, or paid — with timestamps, owner, and exception count — without leaving Workday. Drill-through into HRBlizz is single sign-on, never a separate credential.
Global payroll teams collapse two operating surfaces into one. The customer's centre-of-excellence runs the global cycle from Workday; Mercans operates the in-country execution. There is no toggle between vendor portals, no mismatched status views, and no hunt across tabs to find the country that is holding up the global close.
| Country | Status | Excep. | Owner |
|---|---|---|---|
| United States | Approved | 0 | SK-04 |
| United Kingdom | Approved | 2 | MK-12 |
| Germany | Calculated | 1 | AH-08 |
| France | Calculated | 0 | AH-08 |
| India | In progress | 4 | RP-22 |
| Singapore | In progress | 0 | RP-22 |
| Brazil | On hold | 3 | CN-17 |
| UAE | Approved | 0 | SK-04 |
ExPR returns worker-level payroll results into Workday in the exact pay-component shape Workday's HCM expects. Where APD captures country-specific input data, ExPR returns the country-specific output data — the worker-level gross-to-net result — into Workday for HR, comp, finance, and the worker themselves through Workday self-service.
HRBlizz holds an explicit mapping between every country-payroll component (a French cotisation patronale, a UK National Insurance, a UAE end-of-service accrual) and a Workday pay component ID. After cycle approval, worker results stream back through ExPR — consistent shape across countries, faithful to local execution.
Workday becomes the global system of truth for worker pay. No more "the comp tool says one thing and the country payroll says another." For any worker in any country, the gross-to-net history sits inside Workday — feeding analytics, comp reviews, internal mobility, and worker self-service equally.
ExPD is the certified channel for delivering a worker's payslip — generated by the in-country payroll engine and conformant to that country's regulatory format — directly into Workday's worker self-service. The worker logs into Workday, sees the statutory payslip, downloads it. No payroll portal. No second login.
HRBlizz generates each country's statutory payslip in its locally-required layout and language — a French bulletin de paie in French formatting, a Saudi WPS-compliant slip in Arabic, a UK itemised pay statement in the format HMRC expects — and posts it to Workday Documents through ExPD with the correct worker, period, and document type metadata. Retention follows the customer's policy and the country's statutory minimum, whichever is longer.
Worker experience consolidates. There is no "go to the Mercans portal for your payslip" message. Workday is the single front door. For an organisation paying people in 60 countries, that is the difference between one help desk ticket queue and sixty.
↳ Three statutory formats, one delivery channel into Workday.
The Workday GPC framework is five features for a reason: each one solves a discrete operational problem. A partner certified on three of five is a partner whose customer fills the gap with file feeds, manual reconciliations, or a second integration vendor. Mercans has chosen, deliberately, to certify and operate all five — because anything less re-introduces the latency, opacity, and reconciliation cost the integration was bought to remove.
| Feature | What it solves | If skipped | Mercans | In production since |
|---|---|---|---|---|
| DCoD Data Changes on Demand |
Real-time HCM → payroll data flow. | Falls back to nightly batch. Same-day errors land next cycle. | ✓ Certified · REST event-driven | Live · all customers |
| APD Additional Payroll Data |
Country-specific payroll data inside Workday's UI. | Local fields collected outside Workday in spreadsheets. | ✓ Certified · 160 countries | Live · all customers |
| GPH Global Payroll Hub |
Native cycle visibility inside Workday. | Two operating surfaces. Status drift. | ✓ Certified · 160+ countries | Live · all customers |
| ExPR External Payroll Results |
Worker-level results & GL-ready costs into Workday. | Comp, analytics, finance work from extracts. | ✓ Certified · component-level mapping | Live · all customers |
| ExPD External Payroll Documents |
Statutory payslip in Workday self-service. | Worker logs into a second portal. | ✓ Certified · statutory formats | Live · all customers |
The five GPC services are not five parallel pipes — they are five layers of the same payroll machine. Most lifecycle events touch more than one. A new hire flows out on DCoD as worker data, captures statutory data on APD, runs through the cycle visible on GPH, returns as a result on ExPR, and lands as a payslip on ExPD. The matrix below is the architectural map of which Workday business event lights up which service.
| Lifecycle event | DCoD | APD | GPH | ExPR | ExPD |
|---|---|---|---|---|---|
| HR data out |
Country data |
Cycle monitor |
Results back |
Payslip back |
|
| New hire · regular, fixed-term, part-time, intern | ● | ● | · | ● | ● |
| Re-hire · including rescind & no-show | ● | ● | · | ● | ● |
| Termination · voluntary, involuntary, retirement | ● | ● | · | ● | ● |
| Promotion / demotion · with cost-centre change | ● | · | · | ● | ● |
| Transfer · domestic, international, assignment | ● | ● | · | ● | ● |
| Compensation change · current, future, retro | ● | · | · | ● | ● |
| One-time payment · bonus, commission, retro | ● | · | · | ● | ● |
| Allowance plan · add, change, end | ● | ● | · | ● | ● |
| Leave of absence · start, return, correction, rescind | ● | ● | · | ● | ● |
| Personal & contact data · name, address, ID | ● | ● | · | · | · |
| Payment elections · bank account add, change, split | ● | · | · | · | · |
| Cost allocation · split, change, rescind | ● | · | · | ● | · |
| Dependent data · add, change, remove | ● | ● | · | · | · |
| Country statutory updates · tax IDs, withholding, garnishment | · | ● | · | ● | · |
| Payroll cycle run · approval, exceptions, posting | · | · | ● | ● | ● |
| Year-end & statutory documents · W-2, P60, Form 16, etc. | · | · | · | · | ● |
↳ Effective-date corrections, rescinds and past-period adjustments are supported on every event above.
A Workday integration that touches global worker records is, by definition, a privacy-grade system. Mercans architects the platform behind it, and the operations around it, to a compliance posture that holds up in front of a CISO, a DPO, and a regulator simultaneously — and we publish the audits that prove it.
The Mercans information-security and privacy programme is audited annually by independent third parties. The certifications below are not paper exercises — they are the controls under which the Workday GPC integration runs in production today.
Workday integration data is processed in customer-elected regions and persisted in Mercans' own Tier IV data-centre footprint, with disaster recovery mirroring across geographies. Residency is not a marketing claim — it is the operational default of the platform.
EU/EEA worker data is processed and stored in Tallinn. Cross-border transfer is governed by Mercans' approved EU Binding Corporate Rules — not standard contractual clauses retro-fitted to fix a transfer chain.
Middle East, Turkey, and Africa workloads are served from the Dubai Tier IV facility. Customer-defined residency policies are enforced at the platform layer, not negotiated per cycle.
Customers with regulator-imposed residency requirements can pin specific country workloads to specific data centres. The pinning is enforced by routing rules, audited monthly, and surfaced in the trust dashboard.
The cryptographic posture across the integration channel and HRBlizz platform is uniform — no legacy fall-back, no custom protocols, no exceptions for development environments.
Scoped tokens, short-lived, automatically rotated. No long-lived bearer credentials in the integration path.
Customer's identity provider is the source of truth. No separate Mercans password for any user with access.
Granular roles map to the customer's HR organisation. Country-scoped access enforced at the platform layer.
Every read, write, and admin action is logged with user, timestamp, and payload hash. Logs are append-only and exportable.
Certifications attest to controls. The DPO function, the privacy operations, and the legal-basis architecture are what those controls protect.
Mercans operates under approved EU Binding Corporate Rules — a privacy programme reviewed and authorised by an EU data protection authority. BCRs are the highest available standard for legitimising intra-group transfers of personal data outside the EEA, and few payroll providers hold them.
Mercans operates a dedicated Data Protection Officer function with direct lines to the executive. Data Subject Access Requests, regulator interactions, and privacy impact assessments are handled by the same team that audits the platform — not outsourced to legal counsel after the fact.
Customers onboarding the Workday integration receive Mercans' Data Protection Impact Assessment template populated for the integration scope, and a Records of Processing Activities (ROPA) extract scoped to GPC. The artefacts are authoritative — not generic.
The subprocessor register is published, dated, and change-notified. Customers know who touches their data, in what country, under which contract — and are notified before any change takes effect.
The incident response runbook is contractual: notification windows, root-cause delivery, regulator coordination. The runbook is exercised in quarterly tabletop drills, and outcomes are documented in the SOC 2 Type II report.
Enterprise customers retain a contractual right to audit Mercans' controls relevant to the services delivered — directly or through an independent auditor. SOC 2 Type II and ISO reports are available under NDA on day one of any engagement.
The general posture above applies to every Mercans system. The points below are specific to the integration channel — where Workday tenant and HRBlizz engine actually meet.
| Control | How it's implemented | Where it shows up |
|---|---|---|
| Tenant isolation | Each Workday tenant has a dedicated namespace, queue, and credential set in the integration channel. | No cross-tenant payload visibility. SOC 2 control evidence. |
| Payload signing | Every event from Workday is verified by signature at ingress. Outbound payloads are signed in turn. | Architecture page · § 2.4 failure model. |
| Replay store | 7-day signed replay window, customer-scoped. Replay is auditable and never silent. | Recovery from intermittent connectivity without re-issuing data. |
| Field minimisation | Only the worker fields needed for in-country payroll calculation are pulled — defined per country in advance. | DPIA artefact · ROPA scope. |
| Pseudonymisation | Where statutory identifiers are not required for calculation, pseudonymous IDs are used in transit and at rest. | Privacy programme · ISO 27701 controls. |
| Right to erasure | Erasure requests propagate from Workday through HRBlizz to country engines, with statutory retention overrides recorded explicitly. | DPO operations · regulator-facing. |
| Penetration testing | The platform and its API surface are tested by independent third parties on a scheduled basis. | Annual third-party penetration test report, available under NDA. |
| Secret management | Credentials are stored in HSM-backed vaults, never in code, configuration, or logs. | SOC 2 control evidence · code-review gates. |
Eighteen-plus payroll providers carry some form of Workday Global Payroll Connect certification. The shortlist of providers who actually operate the integration through owned in-country entities, on a proprietary platform they built and run themselves, with a privacy-grade compliance posture, is much shorter. This section is the buyer drawing up that shortlist.
Most certified GPC partners run on an aggregator model: a central platform that integrates dozens of in-country payroll vendors. It works on the demo. It strains in production — at scale, under SLA, when the audit committee asks who actually owns the calculation.
None of these are slogans. Each one is a check the buyer can run — through the analyst report, the SOC 2 letter, the BCR registration, the platform demo, the onboarding contract.
Most "global" payroll providers are aggregators of local providers. Mercans operates its own legal entity in every country where it offers payroll or EOR services. The customer signs with the entity that runs the payroll — there is no subcontracting layer to dilute the SLA, the compliance posture, or the data path.
HRBlizz is Mercans' own platform — built, owned, and operated by Mercans. It is not white-labelled software, not a customised third-party HCM, not an iPaaS layer over someone else's payroll engine. The Workday integration is built directly into the platform Mercans engineers, which is why the integration roadmap moves at Mercans' velocity, not a vendor's.
Workday's Global Payroll Connect framework defines five features. Mercans is certified across all five — DCoD, APD, GPH, ExPR, and ExPD — and each one runs in production for paying customers today. Many "certified" partners qualify on a partial set; the difference is what the buyer's payroll team has to manually fill in afterwards.
ISO 27001, ISO 27017, ISO 27018, ISO 27701 (Privacy Information Management — rare among payroll providers), ISO 9001, SOC 1 Type II and SOC 2 Type II audited by KPMG, and approved EU Binding Corporate Rules. The combination is unusual; the BCR and ISO 27701 in particular separate Mercans from the field.
Worker data is processed in Tier IV data centres in Tallinn (EU primary) and Dubai (META primary), with disaster recovery mirroring across geographies. EU/EEA workloads are GDPR-native by location of processing; META workloads sit in a sovereign region. Customer-elected residency is enforced at the platform layer, not negotiated.
If you are running a Workday GPC partner selection, these are the questions whose answers move providers up or down the shortlist. Mercans publishes its answer to every one.
| Question | Why it matters | Mercans |
|---|---|---|
| Does the company calculating my payroll in-country own a legal entity there, or is a subcontractor calculating it? | Determines who you are actually contracting with. Drives SLA, compliance, and incident accountability. | ✓ Owned entity |
| Is the platform built and operated by the same company that signs my contract? | Determines roadmap velocity and where bugs and features actually get fixed. | ✓ Built & operated |
| Are all five Workday GPC features certified? | Partial certification means the buyer fills the gap with file feeds. | ✓ 5 of 5 |
| Are all five features in production with paying customers today? | Certified on paper is not the same as live in production. | ✓ Live |
| Does the integration use REST and event-driven flow, or rely on file batches? | Drives latency between an HR change and its appearance in payroll. | ✓ REST · event-driven |
| SOC 2 Type II — audited by whom, when? | Type II means controls were tested over time, not just designed on paper. | ✓ KPMG · 2024 |
| ISO 27701 (Privacy Information Management)? | The privacy-specific extension of ISO 27001. Few payroll providers hold it. | ✓ Certified |
| EU Binding Corporate Rules — approved? | Strongest available basis for intra-group cross-border data transfer. | ✓ Approved |
| What tier are the data centres, and where? | Drives availability, residency, and sovereignty position. | ✓ Tier IV · EU + UAE |
| Is the named DPO function in-house and accountable, or contractually delegated? | Determines responsiveness on DSARs, regulator interaction, and breach. | ✓ In-house |
| Can I add a country without a new vendor onboarding cycle? | Determines time-to-coverage for organisational growth. | ✓ Capacity, not onboarding |
| Is pricing direct, or layered with subcontractor margin? | Determines economics at renewal and at scale. | ✓ Direct |
↳ Print this. Send it to every shortlisted provider. Score the answers.
Bring your Workday tenant configuration, country footprint, and a list of pain points — we'll bring the architecture diagram, the certification evidence, and a deployment timeline.