More than 37 million subscribers trust Cornerstone
This is not something we take lightly. We know how critical security, privacy and reliability are to both our business and yours. Have peace of mind knowing that Cornerstone has taken the security and compliance needs of our global clients seriously and supports the specific requirements of many industries across the world.
Building security in all that we make
Cornerstone runs a multi-tenant, multi-database architecture built to high compliance and uptime standards. For your security and scalability, client data is held in separate databases rather than co-mingled, and our infrastructure has been audited and/or certified against stringent data-protection requirements worldwide. Below are our key audit reports, frameworks and certifications.
Privacy, protection, and compliance for everyone
Cornerstone takes data protection and data privacy regulations very seriously. We work closely with our clients' HR, Legal and Data Protection departments to support their compliance with those regulations. Cornerstone has executed EU Model Clauses (Standard Contractual Clauses) with many clients and is certified under the EU-US Privacy Shield.
A world-class security team
Cornerstone's culture of continuous process improvement keeps our infrastructure on current technology, developed and maintained by a dedicated IT Security, Privacy and Compliance team. Every member of this global team holds one or more professional security or compliance certifications. Their job is to keep your data secure and confidential.
You decide the location of your data and backups
Controlling the location of your data is an important element of data privacy and compliance. With Cornerstone, you have full transparency over where your data is stored. Clients choose to host their data in either North America or Europe, and backups are kept in the same geography as the primary data.
Our Unified Talent Management system encrypts all data in transit with TLS using 256-bit ciphers. Access to the Cornerstone application requires a unique username and password, and Single Sign-On (SSO) is supported so that users can be authenticated by the client's own identity provider. Rights- and role-based access controls ensure users see only what they have been permitted to see.
More ways we keep you secure
Skyhigh Enterprise Ready
Cloud services meet data security requirements
Cornerstone has been awarded the Skyhigh Cloud Trust™ Enterprise Ready rating for its Unified Talent Management system, having fully satisfied the program's requirements for data protection, identity verification, service security, business practices and legal protection. The Skyhigh Enterprise-Ready program provides an extensive, impartial and current analysis of security capabilities, based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA).
EU-US Privacy Shield
Ensures stronger personal data protection for Europeans
The EU-US Privacy Shield replaced the Safe Harbor cross-border data transfer framework. Cornerstone meets its stronger obligations to protect the personal data of Europeans, with monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). The European Commission deemed the Privacy Shield Framework adequate, making it a recognized mechanism for transferring personal data from the European Union to the United States in support of transatlantic commerce. As a participating organization, Cornerstone was deemed to provide "adequate" privacy protection, a requirement for transferring personal data outside the European Union under the EU Data Protection Directive (since replaced by the GDPR). Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (Schrems II); EU-US transfers now rely on other mechanisms such as Standard Contractual Clauses, so ask for the current transfer basis rather than relying on this certification alone.
Trustwave Trusted Commerce
Proactive protection against data vulnerabilities
Cornerstone OnDemand uses Trustwave's Trusted Commerce™ program to validate its compliance with the Payment Card Industry Data Security Standard (PCI DSS), which all the major card brands mandate. The Trustwave validation covers the controls that protect the cardholder and identity data we handle.
ISO/IEC 27018
Code of practice for protection of PII in public clouds
Cornerstone's ISO 27001 auditors validated, through our statement of applicability, that the in-scope services of the Unified Talent Management system incorporate the ISO/IEC 27018 controls for protecting personally identifiable information (PII) in public clouds. Adhering to this standard means our customers know what happens with their PII and where it is stored, and that it will not be used for marketing or advertising without their explicit consent. These controls are audited annually to confirm that the Unified Talent Management system remains compliant.
PCI DSS
Ensures secure environment for processing credit cards
Cornerstone validates its PCI DSS compliance as a Level 4 merchant using Self-Assessment Questionnaire D (SAQ D). PCI DSS is a set of requirements designed to ensure that companies which process, store or transmit credit card information maintain a secure environment; its requirements include building and maintaining a secure network, protecting cardholder data and maintaining an information security policy.
FDA 21 CFR Part 11
Learning system supports Electronic Records requirements
Cornerstone meets the control requirements of U.S. Food and Drug Administration (FDA) regulation 21 CFR Part 11 and maintains the procedural and technical controls that Life Sciences clients need to manage their own compliance with it. The applicable requirements are documented in our validation lifecycle records and in the procedures for how we develop our software and maintain records within our SaaS offerings. This document, provided to clients on request, outlines the regulatory requirements, the predicate rules the records are subject to, and the technical and procedural controls Cornerstone must meet on behalf of its Life Sciences clients.
ISO/IEC 27001:2013
Standards that keep information assets secure
Cornerstone holds ISO/IEC 27001:2013 certification for its Unified Talent Management system, demonstrating an ongoing commitment to a secure environment for protecting clients' data. The certification audit was conducted by an independent third party and recognizes organizations that establish, implement, maintain and continually improve an Information Security Management System (ISMS). Certification is an ongoing process: auditors check the requirements annually and look for improvement. ISO 27001 is the most widely recognized information security management standard in the world, and many companies now require cloud vendors to be ISO certified, and to maintain that certification, throughout the life of a service contract.
FedRAMP
Secure environment for U.S. government clients
Cornerstone's Unified Talent Management system holds an Authorization to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. As one of the few Talent Management systems with FedRAMP authorization, Cornerstone has demonstrated its commitment to a secure environment for U.S. government clients looking to recruit, develop, manage and engage their employees.
CSA Security, Trust & Assurance Registry (STAR)
Powerful program for security assurance in the cloud
CSA STAR (Cloud Security Alliance Security, Trust & Assurance Registry) is a widely used program for security assurance in the cloud. Cornerstone has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ), which is available and gives customers visibility into Cornerstone's specific security practices. Many of the common security controls it covers are independently audited throughout the year.
AICPA SOC: SSAE16 SOC 1 Type II, SOC 2 Type II and ISAE 3402 Type II
Framework that safeguards security and data privacy
A third-party auditor completed a report on Cornerstone OnDemand's description of its information technology general controls for the Unified Talent Management system, and on the suitability of the design and operating effectiveness of those controls. Cornerstone undergoes these audits yearly to meet its SSAE 16 and SOC 2 control objectives, so that the operational processes relevant to the audit of its clients' internal controls are regularly examined.
SSAE16 SOC 1 Type II and ISAE 3402 Type II
The report, available upon request, was prepared pursuant to the Statement on Standards for Attestation Engagements (SSAE) 16 AT Section 801 and the International Standard on Assurance Engagements (ISAE) 3402. (SSAE 16 has since been superseded by SSAE 18; ask for the report issued under the current standard.)
SOC 2 Type II
The report, available upon request, was prepared pursuant to AICPA TSP Section 100, Trust Services Principles and Criteria, covering security, availability, processing integrity, confidentiality and privacy.