Get Started

“It’s all about data security and data privacy”

Mark Goldin, CTO for Cornerstone
José Alberto Rodríguez Ruiz, EMEA Cloud Technology Director

Supporting EU Data Security and Privacy Regulations

José Rodriguez – EMEA Cloud Technology Director

This is a question we get all the time: How do you guarantee security and compliance with EU Requirements?

Cornerstone achieves this through a number of complementary ways: through certifications and standards, through application data access control features, through contractual obligations aligned with EU principles of limited, controlled and secured data processing.

We are Safe Harbor, ISO 27001, SSAE 16 Type II and PCI-DSS certified and we maintain a state-of-the-art multi-tenant, multi-database architecture with the highest compliance, security and uptime standards. For your security and scalability, we do not co-mingle data. Importantly, our infrastructure is designed with clustered servers for redundancy and reliability to ensure there is no single point of failure.

As a Global SaaS Cloud provider with 20 million subscribers in 191 countries, we work individually with each client to set up the adequate legal framework for data processing for the client’s context, like Safe Harbor, EU Model Clauses or tailored data processing agreements.

Data Protection and Data Privacy in the UK

Cornerstone takes data protection and data privacy regulations very seriously and works with legal advice locally.

Cornerstone works closely with its clients’ HR, Legal and Data Protection departments to ensure compliance with Data Privacy regulations.

Cornerstone’s European Headquarter and Data Centers are in the UK. As such, Cornerstone is subject to the UK Data Protection Act. Cornerstone is registered with the UK ICO and adheres to the principles of data processing:

  • Fair and Lawful Processing
  • Processing for Purpose
  • Data Adequacy
  • Data Accuracy
  • Data Retention
  • Rights of Data Subjects
  • Data Security (Technical and Organisational Measures)
  • Adequate Protection for International Transfer

Global IT Security and Compliance Team, European Practice

Cornerstone’s culture of continuous process improvement ensures that our infrastructure is based on the latest technology that is developed and maintained by our dedicated, world-class IT Security and Compliance team. Our global team is highly accomplished – all team members hold one or more professional security or compliance certifications.

Our global team has a European Practice to support our EU clients with local regulations and requirements.

Learn More

If your organisation requires more in-depth information, a copy of an audit report or certification, please contact your sales representative for next steps.



Our multi-tenant, multi-database SaaS architecture is designed to provide the highest security and compliance for our clients. Below are key aspects about our secure architecture.

Access Control & Physical Security

  • Our infrastructure is hosted in four secure data centers: two in North America and two in Europe.
  • Every data center has 24-hour manned security, and access is restricted to select personnel with appropriate identification.
  • Servers are stored in secured cage areas that can only be accessed through biometric hand scanners.
  • Video surveillance, motion detectors and alarms are located throughout each facility.
  • Non-Cornerstone visitors must be escorted at all times.

Application Security

  • The Cornerstone application is secured with 256-bit TLS, which encrypts all data in transit and ensures it is secure.
  • Unique usernames and passwords are required to access the Cornerstone application.
  • The application supports Single Sign-On (SSO), which requires clients to be authenticated via their identity provider with SAML assertions.
  • The application is entirely rights and role-driven. Users only see what they have been given permission to see.

Network Protection

  • Cornerstone achieves infrastructure security through the use of firewalls, port filtering and network address translation via multiple load balancers.
  • A DMZ protects the system’s production suite.
  • Internal firewalls segregate traffic between the application and database tiers.
  • A third-party service provider monitors the network and sends alerts for unusual usage and equipment failure.


  • Cornerstone takes daily backups of full client databases.
  • Hourly transactional backups are sent to separate hot disks.
  • All backups are encrypted with AES-256 before being written to tape.
  • Tapes are collected weekly and transported in locked boxes to secure vaults.

Disaster Recovery

  • Two days of hot backups are stored on the local SAN disk for immediate recovery.
  • Disaster recovery tests are performed semi-annually.