In early October, the Court of Justice of the European Union (CJEU) struck down the 15-year-old Safe Harbor agreement — the most common way to legally transfer data between Europe and the U.S. — after determining the agreement was not sufficient to ensure the protection of Europeans' personal data. The U.S. and EU have since been working on a new Safe Harbor agreement, but there's no telling how long a conclusion may take.
The Safe Harbor news comes as data security concerns are on the rise, and in this time of uncertainty, we want to assuage any doubts about the safety of Cornerstone clients' data. Despite the Safe Harbor ruling, our European clients have no reason to be concerned. Our team was well prepared for the potential decision against Safe Harbor, and had previously taken every necessary step to ensure your information is safe with us — as always.
The Safe Harbor agreement was known as the most common way to safely transfer personal data to the US, but it was not the only legal transfer mechanism available. As such, the CJEU ruling does not impact Cornerstone's ability to operate in Europe or continue serving our international clients.
In fact, we can continue operating as before: EU data is stored in the U.K., and only accessed from the U.S. on an as-needed basis. In lieu of Safe Harbor, all data transfers will be fully protected under EU Model Clauses — a simple, easy-to-deploy solution. (You can find the Model Clauses on our website here.)
In addition to the Model Clauses, Cornerstone implements a multi-layer approach to security and constantly monitors our system to guarantee our clients' sensitive workforce data is safe.
A Higher Level of Security
As the leading unified talent management software company to operate in the cloud and offer its products solely via SaaS, data security has always been part of our DNA — not just an afterthought. We have a state-of-the-art multi-tenant, multi-database architecture that meets the highest compliance and uptime standards. With clients across industries, our infrastructure has also been audited and certified to meet the most rigorous compliance requirements.
Our processes are aligned with EU regulations, including the ISO 27001 certification, and even when Safe Harbor was in place, Cornerstone was providing a higher level of protection than that assured by the now-defunct agreement.
Physical and Virtual Protection
The Cornerstone infrastructure is protected on the ground and in the cloud. We have four secure data centers — two in North American and two in Europe, each with 24-hour manned security, biometric hand scanners, video surveillance, motion detectors and alarms. Access is restricted to select personnel, and non-Cornerstone visitors must be escorted at all times.
In addition, all data in our application is encrypted in transit. On the user end, unique usernames and passwords are required to access the application, with single sign-on support — requiring all clients to be authenticated. Last but not least, the information available to users is entirely rights- and role-driven; users only see what they have permission to see.
A Dedicated Team
We have a world-class IT Security and Compliance team (that averages 10+ years of direct security experience) dedicated to maintaining and developing our infrastructure. Our culture of continuous improvement includes both product and employee development — we consistently update our infrastructure with the latest technology, and our team members strive to achieve the highest level of industry expertise. All team members hold one or more professional security or compliance certifications.
We are committed to providing a reliable and secure system to our clients, and will continue to diligently follow the development of international data transfer laws. The security and privacy of our clients' data remains our top priority.
Respect for Sovereignty
Finally, we want to make it clear that, as a global business, we have utmost respect for data sovereignty. While data may be accessed if needed from anywhere (this is, of course, how we are able to support our many global clients) data is never copied outside of the jurisdiction of the data center. This is an important point and it is precisely why we support disaster recovery at our data centers in both England and the US. Even backup tapes are fully encrypted before leaving the data center and are secured at Iron Mountain facilities in the respective countries.
If you want to learn more about Cornerstone's data protection policy and practices, please visit our website, and don't hesitate to reach out to your account manager with any questions.