Get the Security Datasheet today!
Comprehensive Security & Compliance
Cornerstone maintains a state-of-the-art multi-tenant, multi-database architecture with the highest compliance and uptime standards. For your security and scalability, we do not co-mingle data, and our infrastructure has been audited and/or certified to meet the most stringent data requirements globally. Below are our key audit reports, frameworks and certifications:
Advanced Data Protection & Data Privacy
Cornerstone takes data protection and data privacy regulations very seriously. We work closely with our clients' HR, Legal and Data Protection departments to ensure compliance with Data Privacy regulations. Cornerstone has successfully deployed EU Model Clauses with many clients and is EU-US Privacy Shield certified.
Global IT Security, Privacy & Compliance Team
Cornerstone’s culture of continuous process improvement ensures that our infrastructure is based on the latest technology that is developed and maintained by our dedicated, world-class IT Security, Privacy and Compliance team. Our global team is highly accomplished – all team members hold one or more professional security or compliance certifications. It’s time to ensure that your data is kept secure and confidential.
Controlling the location of your data is an important element of data privacy and compliance. With Cornerstone, you have full transparency over your data and the location of your data. Clients can choose to store their data in a particular geography either in North America or Europe. Backup data is also stored in the same geography.
Access Control & Physical SecurityOur infrastructure is hosted in four secure data centers with two in North America and two in Europe. Every data center has 24-hour manned security, video surveillance, motion detectors, alarms and restricted access to select personnel with appropriate identification. Servers are stored in secured caged areas with biometric hand scanner access. Non-Cornerstone visitors must be escorted at all times.
Application SecurityOur Unified Talent Management system is secured with 256-bit TLS, which encrypts all data in transit and ensures it is secure. Access to the Cornerstone application requires unique usernames and passwords and supports Single Sign-On (SSO), which requires clients to be authenticated. Rights and role-driven controls ensure users only see what they have been permitted to see.
Network ProtectionA DMZ-protected production suite ensures infrastructure security through the use of firewalls, port filtering and network address translation via multiple load balancers. Internal firewalls segregate traffic between the application and database tiers. A third-party service provider monitors the network and sends alerts for any unusual usage and equipment failure.
BackupCornerstone takes AES-256 encrypted backups daily of full client databases before being written to tape. Hourly transactional backups are sent to separate hot disks, and backup tapes are collected weekly and transported in locked boxes to secure vaults.
Disaster RecoveryDisaster recovery tests are performed twice per year at each disaster recovery data center. Our program ensures recovery within 24 hours of a major disaster with a Recovery Point Objective (RPO) of 1 hour or less. Seven days of hot backups are stored on the local SAN disk for immediate recovery.
Cornerstone has comprehensive privacy and security assessments and certifications.
Privacy Shield Back To Top
Ensures stronger personal data protection for Europeans
The EU-US Privacy Shield replaces the Safe Harbor cross-border data transfer framework. Cornerstone meets the stronger obligations to protect personal data of Europeans and the stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). The Privacy Shield Framework was deemed adequate by the European Commission, meaning it is a recognized mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. As a participating organization, Cornerstone is deemed to provide "adequate" privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive.
Skyhigh Enterprise Ready Back To Top
Cloud services meet data security requirements
Cornerstone has been awarded the Skyhigh Cloud Trust™ Enterprise Ready rating for its Unified Talent Management system based on fully satisfying requirements for data protection, identity verification, service security, business practices, and legal protection through the Skyhigh Enterprise-Ready program, which provides an extensive, impartial, and current analysis of security capabilities based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA).
Trustwave Back To Top
Proactive protection against data vulnerabilities
Cornerstone OnDemand leverages Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations. Through Trustwave, we ensure that your credit card and identity information are secure.
ISO/IEC 27001:2013 Back To Top
Standards that keep information assets secure
Cornerstone achieved the ISO/IEC 27001:2013 certification for its Unified Talent Management system, demonstrating our ongoing commitment to providing a secure environment for the protection of our clients' data.
The ISO 27001 certification was conducted by an independent third-party vendor and recognizes companies for establishing, implementing, maintaining and continuously improving their Information Security Management System (ISMS). Certification is an ongoing process with auditors checking requirements annually and looking for improvement. The ISO 27001 certification is the most widely recognized information security management standard certification in the world. Many companies now require cloud vendors to be ISO certified—and maintain that certification—throughout the life of a service contract.
ISO/IEC 27018:2014 Back To Top
Code of practice for protection of PII in public clouds
Cornerstone’s ISO 27001 auditors validated through our statement of applicability that in-scope services for the Unified Talent Management system have incorporated ISO/IEC 27018 controls for the protection of personally identifiable information (PII) in the public cloud. By adhering to this standard, Cornerstone demonstrates that its privacy policies and procedures are robust and in line with its high standards. Our customers know what’s happening with their PII, where their data is stored, and that their data won’t be used for marketing or advertising without explicit consent. These controls are audited on an annual basis to ensure Cornerstone’s Unified Talent Management system remains compliant.
FedRAMP Back To Top
Secure environment for U.S. government clients
Cornerstone’s Unified Talent Management system has been granted Authorization to Operate (ATO) from the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
As one of the only Talent Management systems to receive FedRAMP authorization, Cornerstone has demonstrated its commitment to ensuring a secure environment for U.S. government clients looking to effectively recruit, develop, manage and engage their employees.
AICPA SOC: SSAE16 SOC 1 Type II, SOC 2 Type II and ISAE 3402 Type II Back To Top
Framework that safeguards security and data privacy
A report on Cornerstone OnDemand’s description of its information technology general controls system for our Unified Talent Management system and the suitability of the design and operating effectiveness of its controls was completed by a third party auditor. Cornerstone is committed to meeting its SSAE 16 and SOC 2 control objectives by undergoing yearly audits. By meeting the SSAE 16 and SOC 2 audit standards, Cornerstone ensures that it regularly audits operational processes that may be relevant to the audit of its clients’ internal controls.
SSAE16 SOC 1 Type II and ISAE 3402 Type II
The report, available upon request, was prepared pursuant to the Statement on Standards for Attestation Engagements (SSAE) 16 AT Section 801 and International Standard on Assurance Engagements (ISAE).
SOC 2 Type II
The report, available upon request, was prepared pursuant to AICPA, TSP section 100, Trust Services Principles and criteria for security, availability, processing integrity, confidentiality and privacy.
PCI DSS Back To Top
Ensures secure environment for processing credit cards
Cornerstone is Level 4 SAQ D compliant with the Payment Card Industry Data Security Standards (PCI DSS), a set of requirements designed to ensure that companies who process, store or transmit credit card information maintain a secure environment. Standards include: building and maintaining a secure network, protecting cardholder data and maintaining an information security policy.
CSA Security, Trust & Assurance Registry (STAR) Back To Top
Powerful program for security assurance in the cloud
CSA STAR (Cloud Security Alliance Security, Trust & Assurance Registry) is the industry’s most powerful program for security assurance in the cloud. Cornerstone has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ) which is now available. This information provides customers with visibility into Cornerstone’s specific security practices. Many of the common security controls are independently audited through the year via independent sources.
FDA 21 CFR Part 11 Back To Top
Learning system supports Electronic Records requirements
Cornerstone meets the control requirements of the U.S. Food and Drug Administration (FDA) Code of Federal Regulations (CFR) Title 21 CFR Part 11, and maintains applicable procedural and technical controls for Life Sciences clients to manage their compliance with these regulations.
Cornerstone has documented the applicable requirements within our validation lifecycle records and associated procedures for how we develop our software and maintain applicable records within our SaaS offerings to ensure regulations are met. The document, provided to clients on request, outline the regulatory requirements, the associated predicate rules that records are subject to, and the technical and procedural controls that Cornerstone is required to meet on behalf of our Life Sciences clients.