Master Agreement, Last updated: December 3, 2020
This Master Agreement (“Agreement”) governs one or more Orders executed by you, an individual or entity that purchases Cornerstone Services and/or Software, and Cornerstone OnDemand (“Cornerstone”).
a) “Active User” means a user established on the Software with a designation of “active,” as determined by you.
b) “Affiliate” means a party that partially (at least 50%) or fully controls, is partially or fully controlled by, or is under partial (at least 50%) or full common control with, another party.
c) “Client Content” means any and all courses, learning objects, certifications, quizzes, tests, materials, instructor-led sessions, documents, or URLs created and/or introduced by you or your Affiliates that reside in the Software.
d) “Client Data” means personal data regarding your or your Affiliates’ users which is uploaded to the Software pursuant to the Agreement or an Order.
e) “Confidential Information” means any non-public information of you or Cornerstone disclosed by either party to the other party, either directly or indirectly, in writing, orally or by inspection of tangible objects, or to which the other party may have access, which a reasonable person would consider confidential and/or which is marked “confidential” or “proprietary” or some similar designation by the disclosing party. Confidential Information shall not, however, include the existence of the Agreement or any information which the recipient can establish: (i) was or has become generally known or available or is part of the public domain without direct or indirect fault, action, or omission of the recipient; (ii) was known by the recipient prior to the time of disclosure, according to the recipient’s prior written documentation; (iii) was received by the recipient from a source other than the discloser, rightfully having possession of and the right to disclose such information; or (iv) was independently developed by the recipient, where such independent development has been documented by the recipient.
f) “Order” means a purchase made by you hereunder in an order, schedule, statement of work, addendum, or amendment signed by both you and Cornerstone.
g) “Service” means any service rendered by Cornerstone specifically to you, including, but not limited to: (i) hosting and making available the Software; (ii) hosting, delivery, and/or distribution of eLearning content; and/or (iii) provision of customer and/or technical support for the Software.
h) “Software” means: (i) any and all of Cornerstone’s and its Affiliates’ proprietary web-based applications, including, without limitation, all updates, revisions, bug-fixes, upgrades, and enhancements thereto whether or not requested by a client; and (ii) application functionality and eLearning content provided by Cornerstone and/or Cornerstone-contracted third parties.
i) “Third Party” means any party that is not either of the parties, its Affiliates, applicants, employees, shareholders, directors, officers, contractors, customers, or Active Users.
2. Rights; Usage. In accordance with the Agreement, Cornerstone gives you the non-transferable and non-assignable right for the duration of the applicable Order to use, and to permit your Active Users and your Affiliates’ Active Users to use, the Software items listed therein on a non-exclusive basis via the Internet, subject to the maximum quantities set forth therein. Cornerstone may review your compliance with the terms of each Order and, for clarity, reserves the right to charge for any quantity overages.
3. Use Restrictions. The Software and Services may be used only for your and your Affiliates’ own lawful business purposes. You shall not: (a) use or deploy the Software in violation of applicable laws or the Agreement; (b) store, process, publish or transmit any threatening, infringing or offensive material, or material that constitutes a security risk or a violation of any party’s privacy, intellectual property or other rights; (c) if you have any operations or users in the United States, upload any Protected Health Information subject to the Health Insurance Portability and Accountability Act (“HIPAA”) to the Software; (d) resell any Software or Service except as expressly permitted by Cornerstone; (e) create any derivative works based upon the Software; (f) reverse engineer, reverse assemble, decompile or otherwise attempt to derive source code from the Software or any part thereof (except to the extent that such restriction is not permitted under applicable law); (g) upload any data not required to use the Software as generally intended; (h) make any Software or Service available to any unauthorized parties; (i) perform penetration or similar tests on the Software or Service; or (j) publicly release the results of benchmark tests or other comparisons of any Software or Service with other software, services, or materials. You will be responsible for Active Users’ compliance with the Agreement and liable for Active Users’ breach thereof. You will ensure that you have obtained all necessary consents and approvals for Cornerstone to access Client Data for the purposes permitted under the Agreement. Upon expiration or termination of the applicable Order, you shall cease using all Software and Services.
4. Privacy and Security. Cornerstone will: (a) according to ISO 27001 and 27701 (or successor/equivalent) standards and solely its security policies, maintain appropriate safeguards for protection of Client Data, including regular back-ups, security and incident response protocols, and application and infrastructure monitoring; (b) process Client Data in accordance with the parties’ data processing agreements, Regulation (EU) 2016/679 (General Data Protection Regulation), and applicable law to which it is subject; and (c) not access, modify, or disclose Client Data, except as compelled by law, to prevent or address service or technical issues, or if otherwise permitted by you. You may retrieve Client Data any time during the term of the Agreement. If requested, at a scope and price to be agreed, Cornerstone will assist with such data retrieval.
5. Support. Cornerstone shall provide the technical support stated in the applicable Order. Only the number of administrators set forth in the applicable support package description (i.e., not all Active Users) who have completed the requisite training may contact Cornerstone for support. You agree to promptly provide Cornerstone with sufficient documentation, data and assistance with respect to any reported errors, and to reasonably cooperate with Cornerstone, in order for Cornerstone to comply with its support obligations hereunder. In no event shall Cornerstone be responsible or liable for any errors, bugs or other problems contained in or originating from hardware or software not provided by Cornerstone. Should use of the Software result in denial of service (DoS) with respect to the Software, Cornerstone may disable the implicated Client Content and/or deny access to your portal only if and for so long as necessary to restore service.
6. Fees and Payment. You will be invoiced for fees according to the applicable Order. Payment of fees will be due upon receipt, except where the Order expressly prescribes other payment dates. Except where otherwise stated, all fees set forth in an Order are in U.S. dollars and must be paid in the currency set forth in the Order. Late payments hereunder will incur a late charge of 1.5% (or the highest rate allowable by law, whichever is lower) per month on the outstanding balance from the date due until the date of actual payment. In addition, following notice and a reasonable time to cure, Services are subject to suspension for failure to timely remit payment therefor.
a) Termination for Cause. Either party may immediately terminate the Agreement if the other party materially breaches the Agreement, and, where capable of remedy, such breach has not been materially cured within thirty (30) days of the breaching party’s receipt of written notice describing the breach in reasonable detail.
b) Bankruptcy Events. A party may immediately terminate the Agreement if the other party: (i) has a receiver appointed over it or over any part of its undertakings or assets; (ii) passes a resolution for winding up (other than for a bona fide scheme of solvent amalgamation or reconstruction), or a court of competent jurisdiction makes an order to that effect and such order is not discharged or stayed within ninety (90) days; or (iii) makes a general assignment for the benefit of its creditors.
c) Effect of Termination. Immediately following termination of a given Order, you shall cease using all Software and Services purchased in that Order. You may retrieve Client Data any time prior to termination or expiration of the given Order. If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.
8. Confidentiality. Each of the parties agrees: (i) not to disclose any Confidential Information to any third parties except as mandated by law and except to those Affiliates and subcontractors of Cornerstone providing Services hereunder who agree to be bound by confidentiality obligations no less stringent than those set forth in the Agreement; (ii) not to use any Confidential Information for any purposes except carrying out such party’s rights and responsibilities under the Agreement; and (iii) to keep the Confidential Information confidential using the same degree of care such party uses to protect its own confidential information; provided, however, that such party shall use at least reasonable care. These obligations shall survive termination of the Agreement. If either party breaches any of its obligations with respect to confidentiality or the unauthorized use of Confidential Information hereunder, the other party shall be entitled to seek equitable relief to protect its interest therein, including but not limited to, injunctive relief, as well as money damages.
9. Intellectual Property. As between the parties, Cornerstone and its Affiliates will and do retain all proprietary and intellectual property rights, title and interest in and to the Software and Services. You retain all proprietary and intellectual property rights, title and interest in and to Client Data and Client Content.
a) Indemnification by Cornerstone. Cornerstone agrees to indemnify, defend, and hold you harmless from and against any and all Third Party claims and causes of action, as well as related losses, liabilities, judgments, awards, settlements, damages, expenses and costs (including reasonable attorney’s fees and related court costs and expenses) (collectively, “Damages”) that you incur or suffer which directly relate to or directly arise out of the violation or infringement of any third-party intellectual property rights by your authorized use of the Software. The foregoing provisions of this section shall not apply to the extent the Damages relate to or arise out of: (i) Client Data; (ii) Client Content; or (iii) your or your users’ unauthorized use and/or alteration of the Software.
b) Indemnification by Client. You agree to indemnify, defend, and hold harmless Cornerstone from and against any and all Damages incurred or suffered by Cornerstone which directly relate to or directly arise out of the violation or infringement of any third-party intellectual property rights by Client Data or Client Content. The foregoing provisions of this section shall not be applicable to the extent the Damages relate to or arise from Cornerstone’s use of Client Data or Client Content in violation of the Agreement.
c) Indemnification Procedures. To obtain indemnification, indemnitee shall: (i) give written notice of any claim promptly to indemnitor; (ii) give indemnitor, at indemnitor’s option, sole control of the defense and settlement of such claim, provided that indemnitor may not, without the prior consent of indemnitee (not to be unreasonably withheld), settle any claim unless it unconditionally releases indemnitee of all liability; (iii) provide to indemnitor all available information and assistance; and (iv) not take any action that might compromise or settle such claim.
d) Infringement Cures. Should the Software or any part thereof become, or in Cornerstone’s reasonable opinion be likely to become, the subject of a claim for infringement of a third party intellectual property right, then Cornerstone may, at its sole option and expense: (i) procure for you the right to use and access the infringing or potentially infringing item(s) of the Software free of any liability for infringement; or (ii) replace or modify the infringing or potentially infringing item(s) of the Software with a non-infringing substitute otherwise materially complying with the functionality of the replaced system.
e) Exclusive Remedies. The remedies set forth in this section shall be exclusive with respect to any infringement claim hereunder.
11. Warranties. Each party represents and warrants to the other party that, as of the date hereof: (i) it has full power and authority to execute and deliver each Order; (ii) each Order has been duly authorized and executed by an appropriate employee of such party; (iii) each Order is legally valid and a binding obligation of such party; (iv) its execution, delivery and/or performance of an Order does not conflict with any agreement, understanding or document to which it is a party; and (v) it will not introduce into the Software any virus, worm, Trojan horse, time bomb, or other malicious or harmful code. CORNERSTONE WARRANTS THAT THE SOFTWARE WILL PERFORM SUBSTANTIALLY IN MATERIAL ACCORDANCE WITH THE AGREEMENT AND APPLICABLE DOCUMENTATION REGARDING EXISTING FUNCTIONALITY PROVIDED BY CORNERSTONE; NO NEW OR DIFFERENT FUNCTIONALITY IS PROMISED HEREUNDER. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CORNERSTONE DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
a) Liability Cap. EXCEPT FOR (i) A PARTY’S INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS; (ii) A PARTY’S WILLFUL MISCONDUCT; OR (iii) LIABILITY WHICH CANNOT BE LIMITED BY APPLICABLE LAW, EACH PARTY’S MAXIMUM AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, WILL BE LIMITED TO THE TOTAL FEES PAID OR PAYABLE BY YOU TO CORNERSTONE UNDER THE AFFECTED ORDER(S) FOR THE TWELVE-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE THE CAUSE OF ACTION AROSE. THE EXISTENCE OF MORE THAN ONE CLAIM SHALL NOT EXPAND SUCH LIMIT. THE PARTIES ACKNOWLEDGE THAT THE FEES AGREED UPON BETWEEN YOU AND CORNERSTONE ARE BASED IN PART ON THESE LIMITATIONS, AND THAT THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ANY ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. THE FOREGOING LIMITATION SHALL NOT APPLY TO A PARTY’S PAYMENT OBLIGATIONS UNDER AN ORDER.
b) Exclusion of Consequential Damages. NEITHER PARTY WILL BE LIABLE FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, LOSS OF DATA, INTERRUPTION OF BUSINESS, PROVIDING REPLACEMENT SOFTWARE (EXCEPT AS SET FORTH IN SECTION “INFRINGEMENT CURES”), OR ANY OTHER INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO THE AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
13. Communications. Neither party shall issue any press release using the name of the other party as a customer or provider without the other party’s consent (not to be unreasonably withheld or delayed). Notwithstanding the foregoing, the parties agree that either party can promote this strategic relationship internally, to existing customers, and in marketing material to potential customers, and that Cornerstone shall have the right to list you as a client of Cornerstone on the Cornerstone websites and in marketing materials.
14. Miscellaneous Provisions.
a) Governing Law; Jurisdiction. The Agreement will be governed by and construed in accordance with the laws of the State of California and the federal laws of the United States of America, without regard to conflict of law principles. You and Cornerstone agree that any suit, action or proceeding arising out of, or with respect to, the Agreement or any judgment entered by any court in respect thereof shall be brought exclusively in the state or federal courts of the State of California located in the County of Los Angeles, and each of you and Cornerstone hereby irrevocably accepts the exclusive personal jurisdiction and venue of those courts for the purpose of any suit, action or proceeding.
b) Force Majeure. Neither party will be liable for any failure or delay in its performance under the Agreement due to any cause beyond its reasonable control, including without limitation acts of war, acts of God, earthquake, flood, weather conditions, embargo, riot, epidemic, acts of terrorism, sabotage, governmental act, failure of the Internet or other acts beyond such party’s reasonable control, provided that the delayed party: (i) gives the other party prompt notice of such cause; and (ii) uses reasonable commercial efforts to correct promptly such failure or delay in performance.
c) Counterparts; Facsimile. Each Order may be executed in any number of counterparts and in facsimile or electronically, each of which shall be an original but all of which together shall constitute one and the same instrument.
d) Entire Agreement. The Agreement, any and all Orders, and any schedules and/or exhibits attached to the Orders, contain the entire understanding of the parties in respect of their subject matters and supersede all prior agreements and understandings (oral or written) between the parties with respect to such subject matters. Purchase orders or policies submitted by you are for your internal administrative purposes only, and the terms and conditions contained in those purchase orders or policies will have no force and effect. Any modification, amendment, or addendum to the Agreement and/or an Order must be in writing and signed by both parties.
e) Assignment. Neither party may assign the Agreement or any of its rights, obligations, or benefits hereunder, by operation of law or otherwise, without the other party’s prior written consent; provided, however, either party, without the consent of the other party, may assign the Agreement to an Affiliate or to a successor (whether direct or indirect, by operation of law, and/or by way of purchase, merger, consolidation or otherwise) to all or substantially all of the business or assets of such party, where the responsibilities or obligations of the other party are not increased by such assignment and the rights and remedies available to the other party are not adversely affected by such assignment. Subject to that restriction, the Agreement will be binding on, inure to the benefit of, and be enforceable against the parties and their respective successors and permitted assigns.
f) No Third Party Beneficiaries. The representations, warranties and other terms contained herein are for the sole benefit of the parties hereto and their respective successors and permitted assigns, and shall not be construed as conferring any rights on any other persons.
g) Statistical Data. Without limiting the confidentiality rights and intellectual property rights protections set forth in the Agreement, Cornerstone has the perpetual right to use aggregated, anonymized, statistical data (“Statistical Data”) derived from the operation of the Software, and nothing herein shall be construed as prohibiting Cornerstone from utilizing the Statistical Data for business and/or operating purposes, provided that Cornerstone does not share with any third party Statistical Data which reveals the identity of you, your users, or your Confidential Information.
h) Suggestions. Cornerstone shall have a royalty-free, worldwide, perpetual, irrevocable license to use or incorporate into the Software and Services any suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by you or your users relating to the operation of the Software and Services.
i) Third-Party Applications and Service Providers.
i) External Applications. Cornerstone shall not be responsible for your access to, or operation of, third-party applications purchased by you separately from a third party, including without limitation those that may be capable of interoperating with the Software.
ii) Optional Features. Cornerstone’s Software may include certain optional features provided by third parties (“Optional Features”). A list of such Optional Features, including information regarding the security, privacy, and/or support policies of those third parties, is available upon request.
iii) Service Providers. Cornerstone offers a certification program to certify third-party service providers that implement, configure, and/or administer Software (“Certified Consultants”). A list of Certified Consultants is available upon request. You may not permit any non-Certified Consultant to implement and/or configure Software. None of the warranties or support obligations hereunder shall apply to any Software implemented or configured by any non-Certified Consultant.
j) Export Controls. You understand that use of the Software and Services is subject to U.S. export controls and trade and economic sanctions laws and agree to comply with all such applicable laws and regulations, including without limitation the Export Administration Regulations maintained by the U.S. Department of Commerce, and the trade and economic sanctions maintained by the Treasury Department’s Office of Foreign Assets Control.
k) Rule 10b-5 Limitations. Each party acknowledges that United States securities laws prohibit any person who has material, non-public information about a publicly-traded company from purchasing or selling securities of such company, or from communicating such information to any other person under circumstances in which it is reasonably foreseeable that such person is likely to purchase or sell securities of such company.
l) Severability. If any provision of the Agreement is held by a court or arbitrator of competent jurisdiction to be contrary to law, such provision shall be changed by the court or by the arbitrator and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law, and the remaining provisions of the Agreement shall remain in full force and effect.
m) Notices. Any notice or communication required or permitted to be given hereunder may be delivered by hand, deposited with an overnight courier, sent by facsimile, or mailed by registered or certified mail, return receipt requested and postage prepaid to the address for the other party first written above or at such other address as may hereafter be furnished in writing by either party hereto to the other party. Such notice will be deemed to have been given as of the date it is delivered, if by personal delivery; the next business day, if deposited with an overnight courier; upon receipt of confirmation of facsimile delivery (if followed up by such registered or certified mail); and five days after being so mailed.
n) Independent Contractors. You and Cornerstone are independent contractors, and nothing in the Agreement shall create any partnership, joint venture, agency, franchise, sales representative or employment relationship between you and Cornerstone. Each party understands that it does not have authority to make or accept any offers or make any representations on behalf of the other. Neither party may make any statement that would contradict anything in this section.
o) Waiver. No failure or delay on the part of either party in exercising any right, power or remedy under the Agreement shall operate as a waiver, nor shall any single or partial exercise of any such right, power or remedy preclude any other or further exercise or the exercise of any other right, power or remedy.
p) Survival. Sections of the Agreement intended by their nature and content to survive termination of the Agreement shall so survive.
DATA PROCESSING ADDENDUM
(applicable only if and to the extent your organization has users located in the EU)
This Data Processing Addendum (the “Addendum”) forms part of and is subject to the terms of the master agreement executed by you and Cornerstone (the “Master Agreement”) concerning the provisioning of human capital management software by Cornerstone (hereinafter also the “Processor”) to you (hereinafter also the “Controller”). It applies to all activities carried out by the Processor within the framework of the Master Agreement whereby the Processor's employees or third parties commissioned by the Processor might Process Personal Data of the Controller and/or its users. In the event of any conflict between the terms of the Master Agreement and the terms of this Addendum, the terms of this Addendum shall prevail.
“GDPR” means Regulation (EU) 2016/679 of 27 April 2016.
“CCPA” means the California Consumer Privacy Act of 2018.
“Personal Data” means any information Processed by Cornerstone on your behalf relating to an identified or identifiable natural person; see Article 4(1) GDPR.
“Personal Data Breach” means, according to Article 4(12) GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (see Article 4(2) GDPR).
“Subprocessors” has the meaning defined in section 5.1 of this Addendum.
The terms “business”, “service provider”, “consumer” and “verifiable consumer request” shall each have their respective meanings under the CCPA.
“Third Country” means a country without a system of ensuring adequate protection within the meaning of Article 45 GDPR.
Capitalized terms used, but not otherwise defined, herein shall have the same meanings assigned to those terms in the Master Agreement.
2. Scope of the Addendum
Cornerstone acts as a processor for you, who acts as the controller. Personal Data may include the categories of Personal Data, the categories of data subjects and the purposes of the Processing set out in Annex 1.
3. Processing of Personal Data
3.1 Cornerstone shall Process Personal Data for the purposes of providing services under the Master Agreement only in accordance with the Master Agreement and this Addendum, and in accordance with documented instructions listed in this Addendum and the Master Agreement. You may issue further documented instructions consistent with and in the scope of this Addendum and the Master Agreement. Cornerstone shall immediately inform you if, in Cornerstone’s opinion, an instruction infringes GDPR or other Union or Member State data protection provisions. In case Cornerstone is required to Process Personal Data by Union or Member State law to which Cornerstone is subject, Cornerstone shall inform you of that legal requirement before Processing, unless that law prohibits such informing on grounds of important public interest.
3.2 Cornerstone must limit the access to Personal Data to its employees and Subprocessors for whom access to said data is reasonably necessary to fulfill Cornerstone's obligations to you. Cornerstone must ensure that persons authorized to Process Personal Data are bound by the same or equivalent confidentiality obligations as Cornerstone and/or are under an appropriate statutory obligation of confidentiality.
3.3 Cornerstone shall implement and maintain appropriate technical and organizational measures in line with Article 32 GDPR. For this purpose, the parties agree on the security measures set forth in Annex 2 for the Processing of Personal Data.
3.4 The appropriate technical and organizational security measures must be determined with due regard to:
(i) the state of the art,
(ii) the cost of their implementation, and
(iii) the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 Cornerstone shall make available to you upon request information necessary to demonstrate compliance with Processor’s obligations set forth in Article 28 GDPR, and allow for and reasonably assist with audits, including inspections, conducted by the Controller or an independent third party auditor appointed by the Controller, as follows:
(i) Cornerstone shall at its own cost obtain and make available upon your request an audit report from an independent auditor regarding Cornerstone's compliance with the data security requirements of the controls defined in SSAE 18 or ISO 27001 (or equivalent standard). Such audit report must be issued on the basis of a recognized standard for such reports.
(ii) In addition, you are entitled, at a time and scope to be agreed by the parties, to conduct or have conducted an annual audit, including an inspection, if and to the extent the audit report set forth in the preceding paragraph does not meet the requirements set forth in Article 28 GDPR. Any third party auditor shall not be a competitor of Cornerstone, and shall, upon Cornerstone's request, sign a customary non-disclosure agreement to treat all information obtained or received from Cornerstone confidentially, and may share any such information obtained or received only with you and Cornerstone. You shall be responsible for costs of the audit, and agree to pay Cornerstone a reasonable fee per audit to be mutually agreed by the parties to cover Cornerstone's assistance with the audit. An additional audit may take place: (i) if required by your competent legal supervisory authority; or (ii) following a Personal Data Breach.
3.6 Cornerstone shall without undue delay, unless such notification is prohibited under applicable law, notify you about any:
(i) request by a legal authority for disclosure of Personal Data Processed under the Agreement; or
(ii) request for access to Personal Data received regarding an identified data subject.
3.7 Cornerstone shall notify you without undue delay after becoming aware of a Personal Data Breach. The notification shall at least describe the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned) and the measures taken or proposed by Cornerstone to address the Personal Data Breach.
3.8 Cornerstone shall provide reasonable and timely assistance to you to help enable you to respond to: (i) any request from a data subject to exercise any of the data subject’s rights under applicable data protection laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data.
In the event that any such request, correspondence, enquiry or complaint is made directly to Cornerstone, Cornerstone shall promptly inform you and provide full details of the same, except to the extent prohibited by law.
3.9 Cornerstone shall, upon your request, reasonably assist the Controller in ensuring compliance with Controller’s obligations pursuant to Articles 32 to 36 GDPR (including security of Processing, notification of Personal Data breach, data protection impact assessment and prior consultation), based on the nature of Processing and the information available to Cornerstone.
3.10 In the event your designated account manager at Cornerstone cannot assist with a data privacy enquiry, you may contact Cornerstone’s data protection officer at firstname.lastname@example.org.
3.11 Assistance contemplated by this Section 3 shall be provided to you at no charge if the request can be fulfilled by providing information via your portal and/or by supplying readily available documentation in Cornerstone’s possession.
3.12 If Processing is subject to CCPA, Cornerstone may not sell, use, retain, collect, or disclose personal information, outside of the direct business relationship between you and Cornerstone, for any purpose other than to provide services to you under and in accordance with the Master Agreement. Cornerstone confirms that it understands the CCPA’s restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties’ direct business relationship, and it will comply with the CCPA.
4 Client’s General Obligations
You will comply with all your obligations under applicable data protection laws and regulations.
5 Other Data Processors
5.1 Cornerstone may engage other processors (“Subprocessors”) for the Processing of Personal Data under this Addendum, provided Cornerstone ensures such Subprocessors’ compliance with the terms of this Addendum. As of the effective date of the Addendum, Cornerstone relies on the Subprocessors listed in the Order as well as on https://go.cornerstoneondemand.com/sub-processors.html and https://go.cornerstoneondemand.com/3rd-party-applications-and-service-providers.html to provide the Services.
5.2 Prior to the engagement of another Subprocessor, Cornerstone shall inform your administrator and your contact registered on https://go.cornerstoneondemand.com/sub-processors.html and https://go.cornerstoneondemand.com/3rd-party-applications-and-service-providers.html of the intended subprocessing at least 30 days prior thereto, thereby giving you the opportunity to object to such change on reasonable grounds, as set forth in Article 28 GDPR.
5.3 You authorize Cornerstone to transfer Client Data to Cornerstone Affiliates and/or other Subprocessors located in locations outside the European Economic Area, as is reasonably required to provide support, perform technical projects or perform other types of services under the Master Agreement, provided that, to the extent applicable, either: (i) such locations are recognized by the European Commission as providing adequate data protection; (ii) Cornerstone has executed on your behalf the EU Standard Contractual Clauses with such Affiliates and/or other Subprocessors (you hereby grant such proxy to Cornerstone); or (iii) upon your request, you execute the EU Standard Contractual Clauses directly with such Affiliates and/or other Subprocessors.
5.4 Cornerstone shall remain fully liable to you for the performance of its Subprocessors’ obligations hereunder.
6 Data Retrieval and Deletion
6.1 You may retrieve your Personal Data at any time prior to termination of the Master Agreement as set forth therein.
6.2 Promptly upon the expiration or earlier termination of the Master Agreement, or earlier upon your request, Cornerstone shall securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in Cornerstone’s possession, custody or control.
6.3 Notwithstanding section 6.2, backups of Personal Data are to be deleted according to and in compliance with Cornerstone’s general backup cycle, which means that backups will be deleted at the latest within approximately six (6) months from the decommissioning of your portal, which occurs no later than 30 days following termination or expiration of the Agreement.
6.4 Cornerstone shall provide to you, upon your request, written confirmation that deletion has occurred in accordance with this section 6.
6.5 In the event applicable law does not permit Cornerstone to comply with delivery or destruction of Personal Data as set forth herein, Cornerstone shall ensure the privacy, confidentiality and security of Personal Data in accordance with the standards agreed in this Addendum and shall not use or disclose any Personal Data after termination of the Master Agreement.
The parties may agree in good faith on any reasonable amendment to the Addendum required to maintain compliance with the applicable law. Such amendment may include additional fees to be reasonably agreed by the parties.
I. Categories of data, categories of data subjects and purposes of the Processing
a) Categories of Personal Data
The Personal Data being Processed by Processor may concern the following categories of data:
- Learning, performance, recruiting, and/or HR data
b) Categories of data subjects
The Personal Data Processed by Processor may concern the following categories of data subjects:
- Employees, suppliers, contractors, agents, directors, officers, customers, members, and/or partners of the Controller and/or its affiliates
c) Purpose and nature of the Processing operations
Personal Data may be Processed by Processor for the following purposes:
- Delivery and use of human capital management software;
- Implementation services related to configuration of human capital management software;
- Product support; and
- Technical projects
as further described in Processor’s audit reports and IT security policy.
d) Special categories of data
(1) Processor shall Process Personal Data in accordance with applicable law to which Processor is subject and in accordance with the data security requirements of the controls defined by latest available SSAE 18 SOC 2 or ISO 27001 implemented controls (or equivalent standard).
(2) Processor shall appoint a fixed contact point for you to carry out any matters in relation to the Processing of Personal Data.
(3) Processor shall ensure that Processor's employees receive adequate training and instructions, including, but not limited to, education on general safety awareness, relevant security policies and procedures, and Personal Data Processing.
(4) Processor shall maintain organizational and technical measures to ensure separation of data between clients and systems.
(5) Access Control of Processing Areas
Processor shall maintain suitable measures in order to prevent unauthorized persons from gaining access to the data Processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data is Processed or used. This is accomplished by measures like:
- establishing security areas;
- protection and restriction of access paths;
- securing the decentralized telephones, data Processing equipment and personal computers;
- establishing access authorizations for employees and third parties, including the respective documentation;
- regulations on card-keys;
- restriction on card-keys;
- all access to the data centre where Personal Data is hosted is logged, monitored, and tracked;
- the data centre where Personal Data is hosted is secured by a security alarm system; and
- other appropriate security measures.
(6) Access Control to Data Processing Systems
Processor shall maintain suitable measures to prevent its Personal Data Processing systems from being used by unauthorized persons. This is accomplished by measures like:
- identification of the terminal and/or the terminal user to the Processor systems;
- automatic time-out of user terminal if left idle, with identification and password required to reopen;
- automatic turn-off of the user ID when several erroneous passwords are entered;
- log file of events (monitoring of break-in-attempts);
- issuing and safeguarding of identification codes;
- dedication of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;
- employee policies and training with respect to each employee's access rights to Personal Data (if any), including informing employees about their obligations and the consequences of any violations of such obligations, to ensure that employees will only access Personal Data and resources required to perform their job duties; and
- all access to data content is logged and monitored.
(7) Access Control to Use Specific Areas of Data Processing Systems
Processor commits that the persons entitled to use its Personal Data Processing system are only able to access the data within the scope and to the extent covered by its access permission (role or authorization) and that Personal Data cannot be read, copied, modified or removed without authorization. This shall be accomplished by:
- employee policies and training with respect to each employee’s access rights to the Personal Data;
- allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the Personal Data;
- effective and measured disciplinary action against individuals who access Personal Data without authorization;
- release of Personal Data only to authorized persons;
- control of files, controlled and documented destruction of Personal Data; and
- policies controlling the retention of back-up copies.
(8) Availability Control
Processor shall maintain suitable measures to ensure that Personal Data are protected from accidental destruction or loss. This is accomplished by:
- infrastructure redundancy;
- tape backup is stored off-site and available for restore in case of failure of SAN infrastructure for database server;
- complying with Processor’s business continuity policy; and
- any detected security incident is recorded.
For all applications supported by the Processor, the following controls will be implemented:
(9) Transmission Control
Processor shall maintain suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of industry standard firewall and encryption technologies to protect the gateways and pipelines through which the data travels (e.g. TLS/SSL);
- encryption of certain highly confidential data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) within system transmission; and
- logging relevant security metadata for data transmissions.
(10) Input Control
Processor implements suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data has been input into Personal Data Processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into memory, as well as for the reading, alteration and disposal of stored Personal Data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and disposal of stored Personal Data;
- utilization of user codes (passwords);
- following a policy according to which all employees of Processor who have access to Personal Data Processed for Client shall reset their passwords at a minimum once in a 180 day period, or as defined in Processor’s IT Security Policy and in line with potential multi-factors of authentication;
- providing that entries to Data Processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
- automatic log-off of user IDs that have not been used for a substantial period of time;
- proof established within Processor’s organization of the input authorization; and
- electronic recording of entries.
(11) Processor system administrators (if any):
Processor shall maintain measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by:
- individual appointment of system administrators;
- adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months;
- yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by importer and applicable laws; and
- keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned.
(12) Separation of Processing for different Purposes
Processor shall maintain suitable measures to ensure that Personal Data collected for different purposes can be Processed separately. This is accomplished by:
- access to Personal Data is separated through application security for the appropriate users; and
- modules within Processor’s database separate which data is used for which purpose, i.e., by functionality and function.
You acknowledge and agree that Processor may change its security policies and related security measures, provided that Processor maintains, at all times, an overall level of security at least as stringent as the one set forth in this Addendum.