
Security

“It’s all about making the data as secure as possible.” Mark Goldin, CTO for Cornerstone


More than 37 million subscribers trust Cornerstone

This is not something we take lightly. We know how critical security, privacy and reliability are to both our business and yours. Have peace of mind knowing that Cornerstone has taken the security and compliance needs of our global clients seriously and supports the specific requirements of many industries across the world.

More ways we keep you secure


Skyhigh Enterprise Ready

Cloud services meet data security requirements

Cornerstone has been awarded the Skyhigh Cloud Trust™ Enterprise Ready rating for its Unified Talent Management system based on fully satisfying requirements for data protection, identity verification, service security, business practices, and legal protection through the Skyhigh Enterprise-Ready program, which provides an extensive, impartial, and current analysis of security capabilities based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA).


Privacy Shield

Ensures stronger personal data protection for Europeans

The EU-US Privacy Shield replaces the Safe Harbor cross-border data transfer framework. Cornerstone meets the stronger obligations to protect personal data of Europeans and the stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). The Privacy Shield Framework was deemed adequate by the European Commission, meaning it is a recognized mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. As a participating organization, Cornerstone is deemed to provide "adequate" privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive.


Trustwave

Proactive protection against data vulnerabilities

Cornerstone OnDemand leverages Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations. Through Trustwave, we ensure that your credit card and identity information are secure.


ISO/IEC 27018:2014

Code of practice for protection of PII in public clouds

Cornerstone’s ISO 27001 auditors validated through our statement of applicability that in-scope services for the Unified Talent Management system have incorporated ISO/IEC 27018 controls for the protection of personally identifiable information (PII) in the public cloud. By adhering to this standard, Cornerstone demonstrates that its privacy policies and procedures are robust and in line with its high standards. Our customers know what’s happening with their PII, where their data is stored, and that their data won’t be used for marketing or advertising without explicit consent. These controls are audited on an annual basis to ensure Cornerstone’s Unified Talent Management system remains compliant.


PCI DSS

Ensures secure environment for processing credit cards

Cornerstone is Level 4 SAQ D compliant with the Payment Card Industry Data Security Standards (PCI DSS), a set of requirements designed to ensure that companies who process, store or transmit credit card information maintain a secure environment. Standards include: building and maintaining a secure network, protecting cardholder data and maintaining an information security policy.


FDA 21 CFR Part 11

Learning system supports Electronic Records requirements

Cornerstone meets the control requirements of the U.S. Food and Drug Administration (FDA) Code of Federal Regulations (CFR) Title 21 CFR Part 11, and maintains applicable procedural and technical controls for Life Sciences clients to manage their compliance with these regulations. Cornerstone has documented the applicable requirements within our validation lifecycle records and associated procedures for how we develop our software and maintain applicable records within our SaaS offerings to ensure regulations are met. The document, provided to clients on request, outlines the regulatory requirements, the associated predicate rules that records are subject to, and the technical and procedural controls that Cornerstone is required to meet on behalf of our Life Sciences clients.


ISO/IEC 27001:2013

Standards that keep information assets secure

Cornerstone achieved the ISO/IEC 27001:2013 certification for its Unified Talent Management system, demonstrating our ongoing commitment to providing a secure environment for the protection of our clients' data. The ISO 27001 certification was conducted by an independent third-party vendor and recognizes companies for establishing, implementing, maintaining and continuously improving their Information Security Management System (ISMS). Certification is an ongoing process with auditors checking requirements annually and looking for improvement. The ISO 27001 certification is the most widely recognized information security management standard certification in the world. Many companies now require cloud vendors to be ISO certified—and maintain that certification—throughout the life of a service contract.


FedRAMP

Secure environment for U.S. government clients

Cornerstone’s Unified Talent Management system has been granted Authorization to Operate (ATO) from the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. As one of the only Talent Management systems to receive FedRAMP authorization, Cornerstone has demonstrated its commitment to ensuring a secure environment for U.S. government clients looking to effectively recruit, develop, manage and engage their employees.


CSA Security, Trust & Assurance Registry (STAR)

Powerful program for security assurance in the cloud

CSA STAR (Cloud Security Alliance Security, Trust & Assurance Registry) is the industry’s most powerful program for security assurance in the cloud. Cornerstone has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ), which is now available. This information provides customers with visibility into Cornerstone’s specific security practices. Many of the common security controls are independently audited through the year via independent sources.


AICPA SOC: SSAE16 SOC 1 Type II, SOC 2 Type II and ISAE 3402 Type II

Framework that safeguards security and data privacy

A report on Cornerstone OnDemand’s description of its information technology general controls system for our Unified Talent Management system and the suitability of the design and operating effectiveness of its controls was completed by a third party auditor. Cornerstone is committed to meeting its SSAE 16 and SOC 2 control objectives by undergoing yearly audits. By meeting the SSAE 16 and SOC 2 audit standards, Cornerstone ensures that it regularly audits operational processes that may be relevant to the audit of its clients’ internal controls.

SSAE16 SOC 1 Type II and ISAE 3402 Type II: The report, available upon request, was prepared pursuant to the Statement on Standards for Attestation Engagements (SSAE) 16 AT Section 801 and International Standard on Assurance Engagements (ISAE).

SOC 2 Type II: The report, available upon request, was prepared pursuant to AICPA, TSP section 100, Trust Services Principles and criteria for security, availability, processing integrity, confidentiality and privacy.

Security Resources

Datasheet

IT Security, Privacy and Compliance

©Cornerstone 2020