After Safe Harbor Ruling, Your Data Remains Protected at Cornerstone

Mark Goldin

Chief Technology Officer, Cornerstone

In early October, the Court of Justice of the European Union (CJEU) struck down the 15-year-old Safe Harbor agreement — the most common way to legally transfer data between Europe and the U.S. — after determining the agreement was not sufficient to ensure the protection of Europeans' personal data. The U.S. and EU have since been working on a new Safe Harbor agreement, but there's no telling how long a conclusion may take.

The Safe Harbor news comes as data security concerns are on the rise, and in this time of uncertainty, we want to assuage any doubts about the safety of Cornerstone clients' data. Despite the Safe Harbor ruling, our European clients have no reason to be concerned. Our team was well prepared for the potential decision against Safe Harbor, and had previously taken every necessary step to ensure your information is safe with us — as always.

The Safe Harbor agreement was known as the most common way to safely transfer personal data to the US, but it was not the only legal transfer mechanism available. As such, the CJEU ruling does not impact Cornerstone's ability to operate in Europe or continue serving our international clients.

In fact, we can continue operating as before: EU data is stored in the U.K., and only accessed from the U.S. on an as-needed basis. In lieu of Safe Harbor, all data transfers will be fully protected under EU Model Clauses — a simple, easy-to-deploy solution. (You can find the Model Clauses on our website here.)

In addition to the Model Clauses, Cornerstone implements a multi-layer approach to security and constantly monitors our system to guarantee our clients' sensitive workforce data is safe.

A Higher Level of Security

As the leading unified talent management software company to operate in the cloud and offer its products solely via SaaS, data security has always been part of our DNA — not just an afterthought. We have a state-of-the-art multi-tenant, multi-database architecture that meets the highest compliance and uptime standards. With clients across industries, our infrastructure has also been audited and certified to meet the most rigorous compliance requirements.

Our processes are aligned with EU regulations, including the ISO 27001 certification, and even when Safe Harbor was in place, Cornerstone was providing a higher level of protection than that assured by the now-defunct agreement.

Physical and Virtual Protection

The Cornerstone infrastructure is protected on the ground and in the cloud. We have four secure data centers — two in North America and two in Europe, each with 24-hour manned security, biometric hand scanners, video surveillance, motion detectors and alarms. Access is restricted to select personnel, and non-Cornerstone visitors must be escorted at all times.

In addition, all data in our application is encrypted in transit. On the user end, unique usernames and passwords are required to access the application, with single sign-on support — requiring all clients to be authenticated. Last but not least, the information available to users is entirely rights- and role-driven; users only see what they have permission to see.

A Dedicated Team

We have a world-class IT Security and Compliance team (that averages 10+ years of direct security experience) dedicated to maintaining and developing our infrastructure. Our culture of continuous improvement includes both product and employee development — we consistently update our infrastructure with the latest technology, and our team members strive to achieve the highest level of industry expertise. All team members hold one or more professional security or compliance certifications.

We are committed to providing a reliable and secure system to our clients, and will continue to diligently follow the development of international data transfer laws. The security and privacy of our clients' data remains our top priority.

Respect for Sovereignty

Finally, we want to make it clear that, as a global business, we have the utmost respect for data sovereignty. While data may be accessed if needed from anywhere (this is, of course, how we are able to support our many global clients), data is never copied outside of the jurisdiction of the data center. This is an important point, and it is precisely why we support disaster recovery at our data centers in both England and the US. Even backup tapes are fully encrypted before leaving the data center and are secured at Iron Mountain facilities in the respective countries.

If you want to learn more about Cornerstone's data protection policy and practices, please visit our website, and don't hesitate to reach out to your account manager with any questions.
