Cornerstone OnDemand

Cornerstone Full HCM for Public Sector

Unified Human Capital Management combines our 3 core functional areas of Recruiting & Onboarding, Learning and Performance Management with Cornerstone’s core HR Management solution.


  • Recruiting Management. Campus & Events Candidate Relation Management. Onboarding
  • Learning Management, Certifications Connect & Collaborate Insights
  • Performance Management, Engage Succession Management, Compensation Management.
  • Human Resources Planning View & Dashboards Benchmark
  • Compensation Planning
  • Succession Planning
  • Analytics
  • HR Admin
  • Employee Self Serve
  • Records Admin


  • Easier- low risk and intuitive user experience
  • No need to Rip & Replace existing HR system.
  • Faster to implement
  • Talent-driven solution, enabling aligning HR goals with overall business objectives.
  • Low cost deployment and ongoing fees.


£3.75 to £20.00 per user per year

Service documents


G-Cloud 11

Service ID

3 0 9 8 9 6 6 0 8 1 1 5 0 8 8


Cornerstone OnDemand

Julian Turner

07788 291438

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Full Integration with the Cornerstone Suite, which can seamlessly tie employee learning and performance metrics to give executives and managers a clear picture of how learning initiatives impact organisational success.
Cloud deployment model
Public cloud
Service constraints
No, Cornerstone is a Software-as-a-Service. Users can access the application at any time and from anywhere through the internet. In addition, Cornerstone has broad experience in developing highly stable single sign-on linkages with its clients. End users will be able to access the infrastructure seamlessly with one login and from a specified location on the client’s network.

Cornerstone are happy to provide specific hardware configurations or requirements upon request.
System requirements
  • As a SaaS Service - there are no hardware requirements.
  • Minimum Desktop Requirements: Recommendations upon request
  • Supports Mobile Device Enablement: Recommendations upon request
  • There are no software maintenance, and no network administration requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response time 1 hour. Included Level Support provide as standard in the software subscription fee at no additional cost and includes 24x5 live emergency phone support 24/7 for S1/S2 Level Tickets. Phone Support is available M-F, 24 Hours. In addition, clients can submit an unlimited number of cases and have 24 hour visibility to those cases through our online portal MySuccess.
Cornerstone offers various support packages, with varying levels of access, availability, and services at an additional cost. Which include enhanced service levels and 24x7 live phone support.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
All support options include:
- OnDemand’s self-service resources is available 24/7 through the web interface within the Cornerstone application.
- Case Management Tools:Available 24/7 via self-service portal.
- Live Emergency Phone Support:24/7 S1/S2 Emergency Support.

Included Support - provided as standard.
- 2 Named Admins
- Phone Support (M-F):Available Monday through Friday, 24 hours.

Choice Support Includes:
- 5 Named Admins
- Phone Support (M-F):Available Monday through Friday, 24 hours.
- Access to shared Customer Service Manager (CSM).

Preferred Support Includes:
- 5 Named Admins
- Phone Support 24/7/365
Shared GPS Guru: Dedicated GPS Subject Matter Expert

Elite Support Includes:
- 10 Named Admins
- Phone Support 24/7/365
- Prioritized Case Handling: Enhanced case review and resolution.
- Elite Support Performance Scorecard
- Named GPS Guru: Dedicated Global Product Support Subject Matter Expert.
- Weekly Guru Call: A scheduled time to discuss upcoming business projects and/or needs.
- Release Weekend Support: Live support during release weekend.
Support available to third parties

Onboarding and offboarding

Getting started
Once the contract has been executed, Cornerstone will assign the client an Implementation Consultant. The Implementation Consultant will be the primary point of contact during implementation. In addition, they will be supported by a project team that may include a Program Sponsor, Engagement Manager, Integration Consultant, and Training Consultant, depending on project’s scope and complexity.

We deploy our solution in significantly less time than required for similar deployments of legacy software. Our SaaS model eliminates the need for complex technical requirements such as code customisation, equipment deployment, and unique delivery models.

A typical pragmatic implementation would be done following either or Cornerstone NOW or Realise approach, therefore would take approximately between 3 (Cornerstone Now) and 8 (Realise) weeks for an initial module based on scope and complexity. With years of experience and hundreds of deliveries across various industries, we’ve learned what it takes to ensure our clients can make a successful leap to impact.

Cornerstone and partners can also engage in further discussion to fine tune the implementation approach (governance, scope, timeline, etc.) to cope with any specific need or stake on client’s side.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
In the event that a client does not renew their contract, Cornerstone will return the client’s data via their secure FTP site in the same format in which the data was originally inputted into the software. Alternatively, the client’s data can be returned in a mutually agreed format at a scope and price to be agreed. Cornerstone will maintain a copy of the client data for no more than six months following termination of the agreement, after which time any client data not retrieved will be destroyed.
End-of-contract process
Our agreements are for a term lease period, and software fees are paid in annual installments over that period, during which time Cornerstone recovers costs. Accordingly, during that lease period (as with, say, a rental or car lease), there can be no termination for convenience. Effect of Termination. Immediately following termination of this Agreement, Client shall cease using all Products. Client may retrieve Client Data any time prior to termination or expiration of the Agreement. If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Cornerstone Mobile allows users to view their learning transcript and to download, view, and interact with rich, standards-based courseware and knowledge content from their smartphones and tablet devices. Content conforms to SCORM 1.2, SCORM 2004, and AICC standards and is supported for maximum content interoperability and reusability.

Our offline player allows users to complete online courses on their phones and tablets while not connected to the internet. Online classes behave as though they are being used online: bookmarks are kept, progress is saved, etc. After reconnecting to the internet, the results of the training can then be uploaded to Cornerstone.
Service interface
What users can and can't do using the API
Cornerstone has available a number of out-of-the-box API’s as functionality exposed as web services. Currently, four main areas of functionality are offered through our web services.

User and Organisational Unit upload / Edit
a) A feed from your HRIS or system of record can upload and modify new users, Organisational Units and changes.

Transcript and Task retrieval
a) Ability to see the homepage widgets and user transcript

b) Home page widgets available:

Assigned Training
In Progress
Upcoming Sessions
Pending Tasks
c) Also available: View of the entire user transcript

Sections within the curricula available for viewing
d) Web service provides status and IDs for learning objects

Catalog Search
a) Ability to search the catalog by title, description, etc., to see training and sessions available to a given user

Learning Objects
a) Ability to perform general functionality for learning objects

b) Tasks available:

Launch Materials
The web services are a configuration. Cornerstone provides the web service URL and documentation to the client. All the necessary information is provided in the documentation. The client will use standard web service API’s on any platform or any tool that supports web services to consume ours.
API documentation
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment
Customisation available
Description of customisation
Cornerstone provides unique flexibility in how G Cloud clients can deploy the system to different groups of users. Different branding, business rules, and functionality can be established for any Organisational Unit (such as Division, Location, Position, custom group of individuals, etc.). The end result is an unparalleled level of personalisation for the user.

Cornerstone was designed to be administered by the client and not the vendor. G Cloud Clients have complete control to configure the look and feel of the application to your specific business units with specific functionality and branding. Client administrators are presented with an extensive set of web-based controls which enable them to easily configure graphics, colors, key words, layout, and business rules.

Clients can make configuration changes on their own without any assistance from Cornerstone or for any additional costs. Not all vendors can make this claim. The high configurability of the Cornerstone system is one of the distinct advantages that we offer to our customers.


Independence of resources
The Cornerstone application, as per the Software as a Service model, is designed to scale horizontally. It is multi-tenant-efficient, offering a load balanced farm of identical instances known as swim lanes. When additional server equipment is added, the application capacity scales to fill the available hardware.

This allows virtually unlimited growth capacity.

As opposed to a classical behind the firewall or hosted architecture, our application and our hardware platforms are designed to:

• Efficiently support a high number of users and customers

• Redistribute load easily

• Add additional capacity easily and quickly


Service usage metrics
Metrics types
Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

MySuccess enables named client administrators to access Global Care knowledge assets, solutions, and self-service support tools online at any time. MySuccess is powered by a case management system and interface that provides the ability to submit, update, track and manage questions, issues, and other requests. Clients can download a support performance scorecard at any time.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach
Data-at-rest protection, Optional TDE Encryption at rest
Physical access control, complying with CSA CCM v3.0 and ISO27002 Standards.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Clients can export their data at any time through our reporting engine and analytics tool. In addition, an outbound data feed can be established from Cornerstone to an internal client system such as a data warehouse.

Cornerstone does offer data warehouse replication services. A client’s entire Data Warehouse is replicated to a separate server in our data center to allow clients to make direct SQL connections over a Virtual Private Network (VPN). Clients can report against all data in the replicated data warehouse directly without having to use our Analytics module.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
TLS (Version 1.2 or above), VPN, restricted access (SSO) and dedicated lines.

Availability and resilience

Guaranteed availability
Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

In the event that Cornerstone has not complied with its "Resolution" obligations set forth above, then, for each calendar day (or portion thereof) that Cornerstone has not so complied, Client shall be entitled, as its sole and exclusive remedy therefor, to a credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement.
Approach to resilience
Cornerstone’s Disaster Recovery/Business Continuity Plan defines plans, procedures, and guidelines for the Company in the event of disaster. Specifically, this document establishes procedures for recovering business operations, internal data; systems, and critical internal functions to maintain Cornerstone as an on-going concern in the face of unexpected events.

The plan has the following primary objectives:
•Identify critical systems, services, and staff necessary to maintain and/or restore Cornerstone business operations and internal functions.

•Provide guidelines for the communication of activities and status to both Cornerstone staff and client personnel during the recovery period.

•Present an orderly course of action for restoring critical computing capability to Cornerstone and for maintaining and/or restoring client service and support.

Cornerstone performs site-to-site replication of data to protect client data in the event of a disaster. There are two dedicated disaster recovery sites distant from each of the production data centers. Disaster recovery testing is performed semi-annually at each DR site.

Further available information is available upon request.
Outage reporting
Outages occur during scheduled maintenance/releases. Otherwise, the system is not likely to experience any outages, however in the unlikely event of an unexpected outage, clients will receive email alerts.

Downtime is scheduled for planned quarterly releases at least 4 months in advance and deployed during off-peak hours, typically 8:30PM EST Fridays to 1AM EST Saturday (4.5 hours). Patch fixes typically occur every two weeks between 8:30PM EST and 12:00AM EST. The typical downtime for a patch deployment is approximately 10 minutes.

Client administrators can access a calendar of upcoming release and patch dates at any time through our client portal, Success Center. In addition, multiple email reminders are sent in advance.

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
Users access the Cornerstone application either through a username and password, or through Single Sign-On (SSO). Cornerstone does not offer two factor authentication to clients for logging into their portal. However, clients that use SSO are able to implement two factor authentication within their own network prior to sending the SAML token to Cornerstone.
Access restrictions in management interfaces and support channels
Users need a unique username, password to access the application. Alternatively, clients can be authenticated using security tokens, utilising a symmetric algorithm, passed by the client’s local authenticator for Single Sign-On functionality.

Passwords represent a fundamental and significant security mechanism at Cornerstone. Passwords are required to access the production network (via Active Directory) and applications (SQL Server). User accounts are created that employ individual user ID and passwords to identify and authenticate a given user. Users cannot access any Cornerstone system without a valid user ID and password. The SQL server logon groups are each configured to use Windows authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
DNV GL Business Assurance accredited the ISO/IEC 27001 certification
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Please note that our IT service management policies and procedures are informed by many sources, including the cohesive set of best practices covered by ITIL, as well as other standards and best practices such as SSAE 16, ISAE 3402, ISO 27001, and FISMA. These certifications cover all the main security requirements
ISO 28000:2007 certification
Who accredited the ISO 28000:2007
Cornerstone is not ISO 28000:2007 certified
ISO 28000:2007 accreditation date
What the ISO 28000:2007 doesn’t cover
Please note that Cornerstone has received certification for the following programs:

• SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type II
• PCI Certification
• Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
• EU GMP Annex 11 and 21 CFR Part 11
• Federal Information Security Management Act (FISMA)
• ISO 27001:2013
• Equinix SSAE16 Audit, ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
• Equinix Telecity ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 5: CSA STAR Continuous Monitoring
What the CSA STAR doesn’t cover
Cornerstone can provide upon request a copy of the CSA questionnaire with all the Cornerstone compliant specifications.
PCI certification
Who accredited the PCI DSS certification
Trustwave accredited the PCI certification for Cornerstone
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Cornerstone is categorized as PCI Level 4 SAQ D under the Payment Card Industry Data Security Standards. Standards include: building and maintaining a secure network, protecting cardholder data, and maintaining an information security policy.
Other security certifications
Any other security certifications
  • SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type11
  • Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
  • EU GMP Annex 11 and 21 CFR Part 11
  • Federal Information Security Management Act (FISMA)
  • ISAE 3402
  • WCAG 2.0 and Section 508
  • FedRAMP
  • SSAE16 Audit, ISO 27001, 22301, 9001, OHSAS 18001, 14001
  • Equinix Telecity ISO 27001, 22301, 9001, OHSAS 18001, 14001

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and have ISO27001:2013 including ISO27018 for privacy, plus conduct annual SSAE 16 SOC1 and SOC2 third party audits to verify continuously Cornerstone Technical and operational controls to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

We employ multiple standard technologies, protocols, and processes to monitor, test, and certify the security of our infrastructure continuously.

Security responsibilities are handled by our IT operations team and overseen by our Deputy CISO, who works in concert with our Sr. Director of Technology Operations and Chief Technology Officer and is responsible for securing information in accordance with industry best practices and for implementing the recommendations of the various 3rd party audits.

Cornerstone does not publish these documents. However we can provide a secure online account, where you can access and view these documents.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
As a SaaS company, we release software frequently and regularly so that our clients may benefit from our on-going R&D. Cornerstone follows a defined SDLC (Software Development Lifecycle) that contains a number of important quality steps, an abridged version of which can be provided upon request. Development and Project Management are tasked with ensuring that these steps are followed:
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Cornerstone contracts leading third party information security consulting and services companies to run external penetration tests against our production environments to coincide with major code releases throughout the year. Vulnerability classes tested for include the following:
•Cross Site Request Forgery (CSRF)
•Cross Site Scripting (XSS)
•Command Injection (including SQL, LDAP, and OS command injection)
•Server Side Includes (SSI) Injection
•Forced Browsing
•Format String Vulnerabilities
•Response Splitting
•Directory Traversal and Data Exposure
•SSL/TLS Cipher Strength Analysis
•Cookie Analysis
•HTTP Method Analysis
•Hostile Link attacks
•Cookie Injection Attacks
•Session Fixation
•Session Management (Subversion, Timeouts/Logouts)
•Vulnerabilities Within the Username/Password Recovery Method
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

Cornerstone include best in class multiple standard technologies, like SPLUNK to help manage our security monitoring.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Cornerstone maintains an ISO27001 based Security Incident Response Plan in order to organise resources to respond in an effective and efficient manner to an adverse event related to the safety and security of a computer resource under Cornerstone’s management. An adverse event may be malicious code attack, unauthorised access to Cornerstone managed networks or systems, unauthorised utilisation of Cornerstone services, denial of service attack, or general misuse of systems.

The plan clearly defines the appropriate steps and processes in communication. Clients will be notified within 24 hours of the identified issue.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£3.75 to £20.00 per user per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑