Overview

  • We rely on multiple processes, automated systems and hardware to protect our confidential data
  • A combination of administrative, technical and physical safeguards establishes strict collection, use, retention and destruction protocols
  • Collection policies and practices limit acquired data to only the information we must have to deliver authorized services
  • Users are monitored and trained to ensure policy compliance
  • Sensitive data is obfuscated and obliterated when no longer needed
  • Data stores or instances are limited (primary: Basking Ridge, NJ, redundant: Evansville, IN)
  • All services are performed on U.S. systems
  • All service providers must adhere to our privacy and use policies

Physical Security

  • Physical access to data and systems locations is secure at all times
  • Access is provided on a “need” basis
  • User policies govern user and system access
  • Video monitoring is maintained for all sensitive areas
  • Card access is required for restricted areas
  • Access history is retained

Data and Network Intrusion Security

  • Cisco ASA 5500 adaptive security appliances secure all network and internet traffic using built-in firewalls and global threat intelligence including intrusion prevention systems (IPS) and a high-performance VPN
  • Highly sensitive data is encrypted within the database
  • Additional security is provided by content filtering, anti-virus/anti-spyware software, Active Directory integration, and vulnerability system testing for a complete security package
  • Penetration and vulnerability tests are performed, analyzed and implemented annually

Network User Security

  • All workstations run anti-virus software and software firewalls that are enabled at all times
  • IT administration staff maintains regular maintenance and updates
  • Software policy enforcement and adherence is actively monitored
  • Transferring employee and assignee information is stored within the application on network servers
  • All changes are logged and reviewed
  • Server access is strictly controlled at the administrator level

Compliance with US and International data protection laws

Cornerstone is certified under the existing U.S. EU Safe Harbor principles and intends to fully comply with future directives of the European Court of Justice for all of our relocation data. We choose to strictly adhere to the EU principles including Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement for all clients without limitation to geographic region. These principles are reflected in our Privacy Policy and readily available to all transferring employees and assignees as well as our clients. We use an outside service, TRUST-e, to evaluate our privacy policies and practices on an annual basis and independently ensure we comply with the principles.

In addition to extensive network and data security policies and practices, we ensure compliance at the service level through the maintenance of pertinent policies including “Acceptable Use” and “Need to Know” policies. Our policies are reinforced by ongoing training for all staff to ensure they know exactly how and when PII can be accessed, used or transferred. We strictly prohibit any “cross marketing” or other use of transferring employee or assignee PII for any purpose other than the provision of authorized relocation services. Downstream recipients of PII are contractually obligated to maintain policies that match Cornerstone’s.