Section background

Cornerstone Client Portal Privacy Policy

Last updated: September 2023

Cornerstone OnDemand, Inc. and its global affiliates (collectively, “Cornerstone”) help organizations recruit, train, and manage their people. The entity granting you access to Cornerstone’s software (“Organization”) is a Cornerstone customer that collects and processes your personal data. This privacy policy (“Privacy Policy”) governs Cornerstone’s processing of personal data you and/or the Organization has inputted into Cornerstone’s software application (“Software”) for the purpose of recruiting, training, and/or managing you.

Collection of Information

Cornerstone does not directly collect your personal data. Cornerstone processes data you and/or the Organization inputs into the Software for the purpose of recruiting, training, and/or managing you. Such data may include, but is not necessarily limited to, candidate data, employee data, contractor data, student data, training data, and performance data.

Usage of Data

Cornerstone will process the data only in accordance with the agreement between Cornerstone and the Organization, including, but not necessarily limited to, providing technical or functional support, and ensuring the security of the Software. Please contact the Organization with any questions about its use of your personal data.

Contact and Queries

The Organization is a data controller. A (Data Controller”) determines the purposes for which and the means by which personal data is processed. Cornerstone is a data processor of your personal data. A (“Data Processor”) processes personal data only on behalf of the controller and in accordance with the Data Controller’s instructions. All queries regarding your personal data should be directed to the Organization.
Website Usage Information

1. Cookies

For information on the cookies we use, and their functionality please refer to our cookie policy.

2. IP address and Clickstream data

Our servers automatically collect data about your internet protocol (“IP”) address when you visit a Cornerstone webpage (“Website”). Our servers may log your IP address and sometimes your domain name when you request pages from a Website. Our servers may also record the referring page that linked you to us (e.g. another website or a search engine); the pages you visit on a Website; the website you visit after the Website; other information about the type of web browser, computer, platform, related software and settings you are using; any search terms you have entered on the Website or a referral website; and other data logged by our web servers. We use this information for internal system administration, to help diagnose problems with our servers, and to administer our Websites. Such information may also be used to gather broad demographic information, such as country of origin and Internet service provider. Personal data including IP addresses are not used to facilitate contact with users who have not provided their contact details to Cornerstone. Personal data is not shared with nor sold to any unauthorized third-party

Use, Disclosure, and Sharing of Personal Data

1. Service providers

We may use third-party partners to operate and maintain our Software and deliver our products and services in accordance with the agreement we have with the Organization. Third-party service providers are contractually restricted from using or disclosing your personal data except as necessary to perform services on our behalf or to comply with legal requirements. Data may be processed within or outside of the European Economic area, according to the contractual agreement and applicable laws.

2. Aggregated statistics

We may aggregate and anonymize non-personally identifiable data into statistics regarding user behavior such as overall patterns or demographic reports that do not describe or identify any individual user. This shall always be done in accordance with the agreement between the Organization and Cornerstone.

3. Legally compelled disclosures

We may disclose your personal data if required to do so by law or subpoena or if we believe that such action is necessary to: (a) conform to law applicable to Cornerstone or our partners; (b) comply with a judicial or court order, or comply with legal processes served on us or Affiliated Parties; or (c) protect and defend our rights and property, Websites, and/or the users of the Websites.

4. Worldwide transfer and processing of Personal Data (applies unless otherwise agreed in writing between you or the Organization and Cornerstone)

Cornerstone may use your data for the purposes described herein and per the agreement between Cornerstone and the Organization. Depending on contractual requirements and applicable law, your data may be processed and transferred in and to the United States and other countries and territories listed herein, which may have different privacy laws from your country of residence, and which may afford varying levels of protection for your personal data. Regardless of the laws in place in these countries, we will treat the privacy of your information in accordance with this Privacy Policy and the agreement between Cornerstone and the Organization.

Your access and correction rights

You retain the right to submit and correct or delete your personal data by contacting the Organization.

Cornerstone OnDemand, Inc. is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Data Privacy Framework

Cornerstone OnDemand, Inc, Saba Software, Inc., EdCast L.L.C. and SumTotal Systems L.L.C has self-certified commitment with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Cornerstone OnDemand, Inc., Saba Software, Inc., EdCast L.L.C and SumTotal Systems L.L.C. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

Cornerstone OnDemand, Inc. Saba Software, Inc., EdCast L.L.C and SumTotal Systems L.L.C. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cornerstone OnDemand, Inc., Saba Software, Inc. and EdCast L.L.C commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Cornerstone OnDemand, Inc., Saba Software, Inc., EdCast L.L.C. and SumTotal Systems L.L.C at: DataPrivacyFramework@csod.com

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cornerstone OnDemand, Inc., Saba Software, Inc., EdCast L.L.C and SumTotal Systems L.L.C. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

As required under the principles, when we receive information under the Data Privacy Framework and then transfer it to a third-party service provider acting as an agent on our behalf, we have certain liability under the Data Privacy Framework if the agent processes the information in a manner inconsistent with the Data Privacy Framework and we are responsible for the event giving rise to the damage.

We encourage you to contact us at DPO@csod.com should you have a Data Privacy Framework related (or general privacy-related) complaint. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact the independent recourse mechanism listed below:

UK Information Commissioner's Office (ICO)

EU Data Protection Authorities (DPAs)

We have committed to cooperating and complying with the information and advice provided by an informal panel of data protection authorities in the European Economic Area, and/or the Swiss Federal Data Protection and Information Commissioner (as applicable) in relation to unresolved complaints (as further described in the Data Privacy Framework Principles). You may also contact your local data protection authority within the European Economic Area or Switzerland (as applicable) for unresolved complaints.

Under certain conditions, more fully described on the Data Privacy Framework website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration.

Cornerstone OnDemand, Inc, Saba Software, Inc., EdCast L.L.C. and SumTotal Systems L.L.C is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Third-party websites

When you are on this Website you may have the opportunity to visit or link to other websites, including other websites operated by us or by unaffiliated third parties. These websites may collect personal data about you, and because this Privacy Policy does not address the information practices of those other websites, you should review the privacy policies of such other websites to see how they treat your personal data.

Privacy of minors

This Website is not directed at minors, as described under applicable law, we do not knowingly collect personal data from minors, as described under applicable law, on our Websites. If we become aware that we have inadvertently received personal data from a minor, as described under applicable law, on a Website, we will delete the information from our records.

Security

The security and privacy of personal data is of utmost importance to Cornerstone. We use commercially reasonable and industry-standard physical, managerial, and technical safeguards to preserve the integrity and security of your personal data. More information can be found here: https://www.cornerstoneondemand.com/company/security.

GDPR Information Notice and Related Provisions

The General Data Protection Regulation 2016/679 (“GDPR”) is a regulation on data protection and privacy in the European Union and the European Economic Area (“E.E.A.”). It also addresses the transfer of personal data outside the E.U. and E.E.A. GDPR requires Data Processors to provide the following information.

1) Controller Identity and Contact Details

Cornerstone acts only as a processor. The Organization is the controller of your personal data and should provide you appropriate contact details.

2) Data Protection Officer

Cornerstone has appointed a Data Protection Officer who can be reached at DPO@csod.com. However, Cornerstone acts only as a processor. The Organization is the Data Controller and should provide you appropriate contact details.

3) Purposes and Legal Basis for the Processing

Cornerstone will process the data only in accordance with the agreement between Cornerstone and the Organization, including, but not necessarily limited to, providing technical or functional support, and ensuring the security of the Software. Please contact the Organization with any questions about its use of your personal data.

4) Information Sharing

We may use third-party providers to help us to deliver our products and services. Third-party service providers are contractually restricted from using or disclosing the information, except as necessary to perform services on our behalf or to comply with legal requirements.

5) International Transfers

Depending on contractual requirements and applicable law, data can be processed within or outside of outside of the European Economic area. All locations either benefit from an Adequacy Decision or from alternative suitable safeguards.

6) Data Retention

Cornerstone will retain your data only as agreed between Cornerstone and the Organization and in accordance with applicable laws to which Cornerstone is subject.

7) Data Subject Rights

Cornerstone acts only as a Data Processor. The Organization is the controller and should provide you appropriate contact details.

8) Automated Decision-making

Cornerstone acts only as a processor and does not make decisions impacting you. The Organization is the controller and should provide you appropriate information regarding its decision-making process.

U.S. Specific Provisions

Where Cornerstone is subject to U.S. privacy requirements the following applies:

1) Job Applicants and Employees

Cornerstone collects or is provided personal data such as name, address, email address, and social security numbers from job applicants, employees, and contractors for, among other things, legitimate human resource business reasons such as payroll administration, filling employment positions, maintaining accurate benefits records, meeting governmental reporting requirements, security, health and safety management, performance management, company network access, and authentication. Cornerstone does not engage in automated decision-making.

2) Customers

Personal data provided to Cornerstone by the Organization and the processing of personal data is defined in the Collection of Information and Usage of Data sections of this policy.

3) Do Not Track.

Your browser may allow you to set a “Do not track” preference. Unless otherwise stated, our sites do not honor “Do not track” requests. However, you may elect not to accept cookies by changing the designated settings on your web browser. Please note that if you do not accept cookies, you may not be able to use certain functions and features of our Webpages.

Updates to our privacy statement

This Privacy Policy may be updated periodically and without prior notice to you to reflect changes in our online information practices. We will indicate at the top of the statement when it was most recently updated.

Language

The governing language of this Privacy Policy is English, which shall prevail over any other language used in any translated document.