In early October, the Court of Justice of the European Union (CJEU) struck down the 15-year-old Safe Harbor agreement — the most common way to legally transfer data between Europe and the U.S. — after determining the agreement was not sufficient to ensure the protection of Europeans' personal data. The U.S. and EU have since been working on a new Safe Harbor agreement, but there's no telling how long a conclusion may take.
The Safe Harbor news comes as data security concerns are on the rise, and in this time of uncertainty, we want to assuage any doubts about the safety of Cornerstone clients' data. Despite the Safe Harbor ruling, our European clients have no reason to be concerned. Our team was well prepared for the potential decision against Safe Harbor, and had previously taken every necessary step to ensure your information is safe with us — as always.
The Safe Harbor agreement was known as the most common way to safely transfer personal data to the US, but it was not the only legal transfer mechanism available. As such, the CJEU ruling does not impact Cornerstone's ability to operate in Europe or continue serving our international clients.
In fact, we can continue operating as before: EU data is stored in the U.K., and only accessed from the U.S. on an as-needed basis. In lieu of Safe Harbor, all data transfers will be fully protected under EU Model Clauses — a simple, easy-to-deploy solution. (You can find the Model Clauses on our website here.)
In addition to the Model Clauses, Cornerstone implements a multi-layer approach to security and constantly monitors our system to guarantee our clients' sensitive workforce data is safe.
A Higher Level of Security
As the leading unified talent management software company to operate in the cloud and offer its products solely via SaaS, data security has always been part of our DNA — not just an afterthought. We have a state-of-the-art multi-tenant, multi-database architecture that meets the highest compliance and uptime standards. With clients across industries, our infrastructure has also been audited and certified to meet the most rigorous compliance requirements.
Our processes are aligned with EU regulations, including the ISO 27001 certification, and even when Safe Harbor was in place, Cornerstone was providing a higher level of protection than that assured by the now-defunct agreement.
Physical and Virtual Protection
The Cornerstone infrastructure is protected on the ground and in the cloud. We have four secure data centers — two in North American and two in Europe, each with 24-hour manned security, biometric hand scanners, video surveillance, motion detectors and alarms. Access is restricted to select personnel, and non-Cornerstone visitors must be escorted at all times.
In addition, all data in our application is encrypted in transit. On the user end, unique usernames and passwords are required to access the application, with single sign-on support — requiring all clients to be authenticated. Last but not least, the information available to users is entirely rights- and role-driven; users only see what they have permission to see.
A Dedicated Team
We have a world-class IT Security and Compliance team (that averages 10+ years of direct security experience) dedicated to maintaining and developing our infrastructure. Our culture of continuous improvement includes both product and employee development — we consistently update our infrastructure with the latest technology, and our team members strive to achieve the highest level of industry expertise. All team members hold one or more professional security or compliance certifications.
We are committed to providing a reliable and secure system to our clients, and will continue to diligently follow the development of international data transfer laws. The security and privacy of our clients' data remains our top priority.
Respect for Sovereignty
Finally, we want to make it clear that, as a global business, we have utmost respect for data sovereignty. While data may be accessed if needed from anywhere (this is, of course, how we are able to support our many global clients) data is never copied outside of the jurisdiction of the data center. This is an important point and it is precisely why we support disaster recovery at our data centers in both England and the US. Even backup tapes are fully encrypted before leaving the data center and are secured at Iron Mountain facilities in the respective countries.
If you want to learn more about Cornerstone's data protection policy and practices, please visit our website, and don't hesitate to reach out to your account manager with any questions.
Want to keep learning? Explore our products, customer stories, and the latest industry insights.
DisasterReady: Ordinary people responding to extraordinary circumstances
In a world where disasters, both natural and man-made, continue to pose a constant threat, a beacon of hope has been shining for the past decade. DisasterReady.org, an online learning platform built and managed by the Cornerstone OnDemand Foundation, has been a silent force behind the scenes, empowering humanitarian and development professionals worldwide. As it marks its 10th anniversary, let's take a closer look at how DisasterReady has made a lasting impact and why its mission is more crucial now than ever.
Cornerstone and Chelsea FC Women: two titans team up for talent
Cornerstone is the official learning and talent partner of Chelsea FC Women for the 2023/2024 season! We're so excited to help the Blues power potential on and off the pitch as they strive to repeat their domestic Double with a fourth-straight FA Cup triumph and fifth-consecutive Women's Super League Championship.
Laying the foundation for a standout year – Everything Cornerstone was up to in Q1
In 2022, we were intentional about setting ourselves and our customers up for greater success and an even deeper innovation roadmap. So, you can imagine our excitement when we say that 2023 is already gearing up to be a standout year.