Integrity

We are committed to acting with integrity in all of our interactions with our customers, suppliers, communities and other stakeholders.

Ethics and Compliance

We are guided by our Code of Business Conduct and Ethics and our compliance policies that apply across our company and all of our subsidiaries. Cornerstone maintains a robust business ethics and anti-corruption program. Our enterprise risk management strategy provides a ‘bottom-up’ review of current and potential risks that could impact the business, reviewed at least annually by our Board.

The Audit Committee of our Board of Directors has ultimate oversight for our business ethics and compliance programs, with our Legal and Accounting departments holding day-to-day responsibility for administering our compliance programs. We use technology and automated tools to monitor and report on compliance matters.

To help ensure compliance, we maintain a whistleblower program governed by our Whistleblower Policy. Our hotline offers anonymous, confidential, independent, 24/7 reporting of any ethical concern with information and contact details provided via regular company communications, on our company intranet, in our Code of Conduct and in our Whistleblower Policy. Employees, suppliers, or other parties may report suspected or known misconduct confidentially and anonymously by telephone (1-866-292-8818) or online (https://www.whistleblowerservices.com/csod). All reported incidents are logged, investigated and tracked until resolved.

All employees receive compliance training when they join our company and must certify compliance annually with our Code of Conduct.

Supply Chain

Our commitment to responsible and ethical business practices extends to our supply chain. Our Vendor Code of Conduct sets forth our policies and requirements, applicable to all of our subsidiaries, including anti-corruption, human rights, living wage and employment practices requirements.

Data privacy and cybersecurity

SASB TC-SI-220a.1, SASB TC-SI-230a.2

We know how critical security, privacy and reliability are to both our business and our clients. We maintain a state-of-the-art multi-tenant, multi-database architecture with the highest compliance and uptime standards.

We have established a robust information security program certified to the ISO 27001 information security standard, including ISO 27701 certification for privacy information management. Our Chief Information Security Officer and Chief Data Protection Officer oversee our programs. We have established a Security Management Forum and a Privacy Management Forum, which meet quarterly, to review and ensure the strength of our programs. Our board of directors has ultimate oversight of our data privacy and security programs, with our Chief Information Security Officer and Chief Technology Officer typically having at least one data security meeting annually with our full board.

To ensure the security of our systems, we conduct regular internal and external audits of our systems. We have annual external audits of our systems against the ISO 27001 standard and follow the SOC 2 standard. Additional security measures include an internal monitoring program, monthly vulnerability scans, and quarterly penetration tests.

All employees, including contractors, receive cybersecurity and data privacy training as part of the new hire onboarding process, and relevant workers receive supplemental training at least annually.

Security and privacy are also part of our software development lifecycle, in particular ensuring the application of the principles of data protection by design and by default.

Our payment network is fully compliant with security requirements and industry regulations created to protect customer data. We invest in our technology and people to provide an evolving, multi-layered defense. Our relentless pursuit of excellence around security protects the company and its customers from impacts related to cyber events.

For further details on our application security, access control and physical security measures, see https://www.cornerstoneondemand.com/company/security/.