Cornerstone OnDemand

Cornerstone Public Sector Recruiting, Applicant Tracking System (ATS) and Onboarding

With the intense pressure to identify, hire and onboard top talent, it’s time to rethink recruiting. Cornerstone Recruiting and Onboarding addresses all your Local Government talent acquisition needs to strengthen your candidate experience. Efficiently manage the entire process and shorten new hire and onboarding time to full productivity.


  • Applicant tracking, offer letter management, interview feedback, and compliance management
  • Built-in social recruitment software tools
  • Built-in reporting and analytics tools
  • Employee referral system
  • Configurable career sites
  • Multiple Job board management - civil service and agency portals,
  • Personalised pages and central resources for new hires
  • Forms management
  • Assign tasks, training, goals, and certifications to new hires
  • Onboard tracking – track your new hire’s progress


  • Intuitive applications to attract, target and identify candidates
  • Reach targeted talent directly with Social Recruitment
  • Leverage your employee’s networks with Employee Referral System
  • Deliver your employer brand and differentiators with Configurable Career Sites
  • From hire-to-retire, seamlessly handle the employee lifecycle for any role
  • Track important metrics, from cost-per-hire to EEO/OFCCP compliance with dashboards
  • Reduce administrative hassle and increase compliance while delivering accountability
  • Tie strategic insights to business outcomes with reporting and analytics
  • Seamlessly onboard employees and accelerate new-hire engagement and productivity
  • Align new talent to organisational goals with targeted goals


£2.50 to £30.00 per user per year

Service documents

G-Cloud 10


Cornerstone OnDemand

Julian Turner

07788 291438

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Full Integration with the Cornerstone Suite, which can seamlessly tie employee learning and performance metrics to give executives and managers a clear picture of how learning initiatives impact organisational success.
Cloud deployment model Public cloud
Service constraints Cornerstone is a Software-as-a-Service. Users can access the application at any time and from anywhere through the internet. In addition, Cornerstone has broad experience in developing highly stable single sign-on linkages with its clients. End users will be able to access the infrastructure seamlessly with one login and from a specified location on the client’s network.

Cornerstone are happy to provide specific hardware configurations or requirements upon request.
System requirements
  • As a SaaS Service - there are no hardware requirements.
  • Minimum Desktop Requirements: Recommendations upon request
  • Supports Mobile Device Enablement: Recommendations upon request
  • There are no software maintenance, and no network administration requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response time 1 hour, Cornerstone offers professional support which is included in the software subscription fee at no additional cost and includes 24x5 live support during the working week. In addition, clients can submit an unlimited number of cases and have 24 hour visibility to those cases through our online portal MySuccess,

For those clients who have business-specific requirements that require more comprehensive support, Cornerstone also offers various support packages, with varying levels of access, availability, and services at an additional cost. Which can include, enhanced service levels and 24x7 live support.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 A
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Professional Support is included in with every Cornerstone license. Weekday phone support is provided and status updates for issues are available 24/7 along with comprehensive resources in the Cornerstone Client Success Center.

Up to 5 Admins
24/5 Support
24/7 access to Client Success Center

Professional Plus Support

Includes all features of our Professional Support, with an added 24/7 support.

• Up to 5 Admins
• 24/7 Support
• 24/7 access to Client Success Center

Premier Support

Premier support includes all features of our Professional Support, with an added personal and customised approach. Questions and issues are resolved through a priority queue by a designated Cornerstone expert who understands your unique business.

• Named Support Specialist
• Bi-weekly GPS calls
• Quarterly Scorecard KPIs
• Up to 5 Admins
• 24/5 Support

Premier Plus Support

The most comprehensive level of support delivering the highest level of personalised service with an Enhanced Service Level Agreement to match the scale and technical complexity of your talent management needs. Clients have access to 24/7 support in a priority queue.

• Named Support Specialist
• Weekly GPS calls
• Quarterly Scorecard KPIs
• Up to 10 Admins
• 24/7 Support
• Enhanced SLA
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Once the contract has been executed, Cornerstone will assign the client a dedicated Implementation Consultant. The Implementation Consultant will be the primary point of contact during implementation. In addition, they will be supported by a project team that includes a Program Sponsor, Engagement Manager, Integration Consultant, and Training Consultant.

We deploy our solution in significantly less time than required for similar deployments of legacy software. Our SaaS model eliminates the need for complex technical requirements such as code customisation, equipment deployment, and unique delivery models.

A typical implementation takes approximately 6-8 weeks for an initial module based on scope and complexity.

With years of experience and hundreds of deliveries across various industries, we’ve learned what it takes to ensure our clients can make a successful leap to impact.

Our Cornerstone University Services team provides consulting, training, and performance support tools to enable clients to learn and use our talent management solutions successfully. We offer a blended training approach to accommodate different learning styles.

This approach is designed to meet individual learning needs, whether the trainee has five minutes or five days. The self-regulated learning approach supports heavy interaction or independent learning.

Online Administrator Training (included)
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction In the event that a client does not renew their contract, Cornerstone will return the client’s data via their secure FTP site in the same format in which the data was originally inputted into the software. Alternatively, the client’s data can be returned in a mutually agreed format at a scope and price to be agreed. Cornerstone will maintain a copy of the client data for no more than six months following termination of the agreement, after which time any client data not retrieved will be destroyed.
End-of-contract process Our agreements are for a term lease period, and software fees are paid in annual installments over that period, during which time Cornerstone recovers costs. Accordingly, during that lease period (as with, say, a rental or car lease), there can be no termination for convenience. Effect of Termination. Immediately following termination of this Agreement, Client shall cease using all Products. Client may retrieve Client Data any time prior to termination or expiration of the Agreement. If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Cornerstone Mobile allows users to view their learning transcript and to download, view, and interact with rich, standards-based courseware and knowledge content from their smartphones and tablet devices. Content conforms to SCORM 1.2, SCORM 2004, and AICC standards and is supported for maximum content interoperability and reusability.

Our offline player allows users to complete online courses on their phones and tablets while not connected to the internet. Online classes behave as though they are being used online: bookmarks are kept, progress is saved, etc. After reconnecting to the internet, the results of the training can then be uploaded to Cornerstone.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing The user pages of the Cornerstone system are generally compliant with Section 508 of the Rehabilitation Act of 1973, depending on the features used and the way the client has configured its portal. This includes the ability for keyboard only navigation. Cornerstone OnDemand enlists the help of a 3rd party to satisfy 508 Compliance, as well as any VPAT requests. This 3rd party is Criterion 508 ( Criterion is proven as a leader in compliance, and has aided Cornerstone in complying with all federal, and local 508 standards. Criterion was selected as a partner because of their expert knowledge of Section 508 Compliance, WCAG Compliance, as well as their in-depth testing methodology. Criterion engages in a multi-stage testing strategy that consists of latest JAWS, Dragon, and 508 browser testing plug-ins. The test that sets Criterion apart from competitors is their employment of real people with disabilities. These testers have a first-hand account of what it takes to function throughout our application. Through rigorous testing and fixing, Cornerstone OnDemand achieved its first 508 Compliance Certification in 2011 and continues to receive certifications twice a year.
What users can and can't do using the API Cornerstone has available a number of out-of-the-box API’s as functionality exposed as web services. Currently, four main areas of functionality are offered through our web services.

User and Organisational Unit upload / Edit
a) A feed from your HRIS or system of record can upload and modify new users, Organisational Units and changes.

Transcript and Task retrieval
a) Ability to see the homepage widgets and user transcript

b) Home page widgets available:

Assigned Training
In Progress
Upcoming Sessions
Pending Tasks
c) Also available: View of the entire user transcript

Sections within the curricula available for viewing
d) Web service provides status and IDs for learning objects

Catalog Search
a) Ability to search the catalog by title, description, etc., to see training and sessions available to a given user

Learning Objects
a) Ability to perform general functionality for learning objects

b) Tasks available:

Launch Materials
The web services are a configuration. Cornerstone provides the web service URL and documentation to the client. All the necessary information is provided in the documentation. The client will use standard web service API’s on any platform or any tool that supports web services to consume ours.
API documentation Yes
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Cornerstone provides unique flexibility in how G Cloud clients can deploy the system to different groups of users. Different branding, business rules, and functionality can be established for any Organisational Unit (such as Division, Location, Position, custom group of individuals, etc.). The end result is an unparalleled level of personalisation for the user.

Cornerstone was designed to be administered by the client and not the vendor. G Cloud Clients have complete control to configure the look and feel of the application to your specific business units with specific functionality and branding. Client administrators are presented with an extensive set of web-based controls which enable them to easily configure graphics, colors, key words, layout, and business rules.

Clients can make configuration changes on their own without any assistance from Cornerstone or for any additional costs. Not all vendors can make this claim. The high configurability of the Cornerstone system is one of the distinct advantages that we offer to our customers.


Independence of resources The Cornerstone application, as per the Software as a Service model, is designed to scale horizontally. It is multi-tenant-efficient, offering a load balanced farm of identical instances known as swim lanes. When additional server equipment is added, the application capacity scales to fill the available hardware.

This allows virtually unlimited growth capacity.

As opposed to a classical behind the firewall or hosted architecture, our application and our hardware platforms are designed to:

• Efficiently support a high number of users and customers

• Redistribute load easily

• Add additional capacity easily and quickly


Service usage metrics Yes
Metrics types Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

MySuccess enables named client administrators to access Global Care knowledge assets, solutions, and self-service support tools online at any time. MySuccess is powered by a case management system and interface that provides the ability to submit, update, track and manage questions, issues, and other requests. Clients can download a support performance scorecard at any time.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach Data-at-rest protection, Optional TDE Encryption at rest
Physical access control, complying with CSA CCM v3.0 and ISO27002 Standards.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Clients can export their data at any time through our reporting engine and analytics tool. In addition, an outbound data feed can be established from Cornerstone to an internal client system such as a data warehouse.

Cornerstone does offer data warehouse replication services. A client’s entire Data Warehouse is replicated to a separate server in our data center to allow clients to make direct SQL connections over a Virtual Private Network (VPN). Clients can report against all data in the replicated data warehouse directly without having to use our Analytics module.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network TLS (Version 1.2 or above), VPN, restricted access (SSO) and dedicated lines.

Availability and resilience

Availability and resilience
Guaranteed availability Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

In the event that Cornerstone has not complied with its "Resolution" obligations set forth above, then, for each calendar day (or portion thereof) that Cornerstone has not so complied, Client shall be entitled, as its sole and exclusive remedy therefor, to a credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement.
Approach to resilience Cornerstone’s Disaster Recovery/Business Continuity Plan defines plans, procedures, and guidelines for the Company in the event of disaster. Specifically, this document establishes procedures for recovering business operations, internal data; systems, and critical internal functions to maintain Cornerstone as an on-going concern in the face of unexpected events.

The plan has the following primary objectives:
•Identify critical systems, services, and staff necessary to maintain and/or restore Cornerstone business operations and internal functions.

•Provide guidelines for the communication of activities and status to both Cornerstone staff and client personnel during the recovery period.

•Present an orderly course of action for restoring critical computing capability to Cornerstone and for maintaining and/or restoring client service and support.

Cornerstone performs site-to-site replication of data to protect client data in the event of a disaster. There are two dedicated disaster recovery sites distant from each of the production data centers. Disaster recovery testing is performed semi-annually at each DR site.

Further available information is available upon request.
Outage reporting Outages occur during scheduled maintenance/releases. Otherwise, the system is not likely to experience any outages, however in the unlikely event of an unexpected outage, clients will receive email alerts.

Downtime is scheduled for planned quarterly releases at least 4 months in advance and deployed during off-peak hours, typically 8:30PM EST Fridays to 1AM EST Saturday (4.5 hours). Patch fixes typically occur every two weeks between 8:30PM EST and 12:00AM EST. The typical downtime for a patch deployment is approximately 10 minutes.

Client administrators can access a calendar of upcoming release and patch dates at any time through our client portal, Success Center. In addition, multiple email reminders are sent in advance.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication Users access the Cornerstone application either through a username and password, or through Single Sign-On (SSO). Cornerstone does not offer two factor authentication to clients for logging into their portal. However, clients that use SSO are able to implement two factor authentication within their own network prior to sending the SAML token to Cornerstone.
Access restrictions in management interfaces and support channels Users need a unique username, password to access the application. Alternatively, clients can be authenticated using security tokens, utilising a symmetric algorithm, passed by the client’s local authenticator for Single Sign-On functionality.

Passwords represent a fundamental and significant security mechanism at Cornerstone. Passwords are required to access the production network (via Active Directory) and applications (SQL Server). User accounts are created that employ individual user ID and passwords to identify and authenticate a given user. Users cannot access any Cornerstone system without a valid user ID and password. The SQL server logon groups are each configured to use Windows authentication.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Username or password
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL Business Assurance accredited the ISO/IEC 27001 certification
ISO/IEC 27001 accreditation date 07/05/2015
What the ISO/IEC 27001 doesn’t cover Please note that our IT service management policies and procedures are informed by many sources, including the cohesive set of best practices covered by ITIL, as well as other standards and best practices such as SSAE 16, ISAE 3402, ISO 27001, and FISMA. These certifications cover all the main security requirements
ISO 28000:2007 certification Yes
Who accredited the ISO 28000:2007 Cornerstone is not ISO 28000:2007 certified
ISO 28000:2007 accreditation date N/A
What the ISO 28000:2007 doesn’t cover Please note that Cornerstone has received certification for the following programs:

• SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type II
• PCI Certification
• Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
• EU GMP Annex 11 and 21 CFR Part 11
• Federal Information Security Management Act (FISMA)
• ISO 27001:2013
• Equinix SSAE16 Audit, ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
• Equinix Telecity ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
CSA STAR certification Yes
CSA STAR accreditation date 07/05/2015
CSA STAR certification level Level 5: CSA STAR Continuous Monitoring
What the CSA STAR doesn’t cover Cornerstone can provide upon request a copy of the CSA questionnaire with all the Cornerstone compliant specifications.
PCI certification Yes
Who accredited the PCI DSS certification Trustwave accredited the PCI certification for Cornerstone
PCI DSS accreditation date 2014
What the PCI DSS doesn’t cover Cornerstone is categorized as PCI Level 4 SAQ D under the Payment Card Industry Data Security Standards. Standards include: building and maintaining a secure network, protecting cardholder data, and maintaining an information security policy.
Other security certifications Yes
Any other security certifications
  • SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type11
  • Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
  • EU GMP Annex 11 and 21 CFR Part 11
  • Federal Information Security Management Act (FISMA)
  • ISAE 3402
  • WCAG 2.0 and Section 508
  • FedRAMP
  • SSAE16 Audit, ISO 27001, 22301, 9001, OHSAS 18001, 14001
  • Equinix Telecity ISO 27001, 22301, 9001, OHSAS 18001, 14001

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and have ISO27001:2013 including ISO27018 for privacy, plus conduct annual SSAE 16 SOC1 and SOC2 third party audits to verify continuously Cornerstone Technical and operational controls to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

We employ multiple standard technologies, protocols, and processes to monitor, test, and certify the security of our infrastructure continuously.

Security responsibilities are handled by our IT operations team and overseen by our Deputy CISO, who works in concert with our Sr. Director of Technology Operations and Chief Technology Officer and is responsible for securing information in accordance with industry best practices and for implementing the recommendations of the various 3rd party audits.

Cornerstone does not publish these documents. However we can provide a secure online account, where you can access and view these documents.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach As a SaaS company, we release software frequently and regularly so that our clients may benefit from our on-going R&D. Cornerstone follows a defined SDLC (Software Development Lifecycle) that contains a number of important quality steps, an abridged version of which can be provided upon request. Development and Project Management are tasked with ensuring that these steps are followed:
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Cornerstone contracts leading third party information security consulting and services companies to run external penetration tests against our production environments to coincide with major code releases throughout the year. Vulnerability classes tested for include the following:
•Cross Site Request Forgery (CSRF)
•Cross Site Scripting (XSS)
•Command Injection (including SQL, LDAP, and OS command injection)
•Server Side Includes (SSI) Injection
•Forced Browsing
•Format String Vulnerabilities
•Response Splitting
•Directory Traversal and Data Exposure
•SSL/TLS Cipher Strength Analysis
•Cookie Analysis
•HTTP Method Analysis
•Hostile Link attacks
•Cookie Injection Attacks
•Session Fixation
•Session Management (Subversion, Timeouts/Logouts)
•Vulnerabilities Within the Username/Password Recovery Method
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

Cornerstone include best in class multiple standard technologies, like SPLUNK to help manage our security monitoring.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Cornerstone maintains an ISO27001 based Security Incident Response Plan in order to organise resources to respond in an effective and efficient manner to an adverse event related to the safety and security of a computer resource under Cornerstone’s management. An adverse event may be malicious code attack, unauthorized access to Cornerstone managed networks or systems, unauthorised utilisation of Cornerstone services, denial of service attack, or general misuse of systems.

The plan clearly defines the appropriate steps and processes in communication. Clients will be notified within 24 hours of the identified issue.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2.50 to £30.00 per user per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑