Cornerstone OnDemand

MASTER AGREEMENT

Last updated: October 15, 2019

This Master Agreement (“Agreement”) governs one or more Orders executed by you, an individual or entity that purchases Cornerstone Services and/or Software, and Cornerstone OnDemand, Inc. (“Cornerstone”).

Definitions.

“Active User” means a user established on the Software with a designation of “active.” You determine who is an Active User, subject to the maximum quantities set forth in the respective Order(s).

“Affiliate” means a party that partially (at least 50%) or fully controls, is partially or fully controlled by, or is under partial (at least 50%) or full common control with, another party.

“Client Content” means any and all courses, learning objects, certifications, quizzes, tests, materials, instructor-led sessions, documents, or URLs created and/or introduced by you or your Affiliates that reside in the Software.

“Client Data” means personal data regarding you, your Affiliates, or any of your users which is uploaded to the Software pursuant to the Agreement or an Order.

"Confidential Information" means any non-public information of you or Cornerstone disclosed by either party to the other party, either directly or indirectly, in writing, orally or by inspection of tangible objects, or to which the other party may have access, which a reasonable person would consider confidential and/or which is marked “confidential” or “proprietary” or some similar designation by the disclosing party. Confidential Information shall not, however, include the existence of the Agreement or any information which the recipient can establish: (i) was or has become generally known or available or is part of the public domain without direct or indirect fault, action, or omission of the recipient; (ii) was known by the recipient prior to the time of disclosure, according to the recipient’s prior written documentation; (iii) was received by the recipient from a source other than the discloser, rightfully having possession of and the right to disclose such information; or (iv) was independently developed by the recipient, where such independent development has been documented by the recipient.

“Order” means a purchase made by you hereunder in an order, schedule, statement of work, addendum, or amendment signed by both you and Cornerstone.

“Service” means any service rendered by Cornerstone specifically to you, including, but not limited to: (i) hosting and making available the Software; (ii) hosting, delivery, and/or distribution of eLearning content; and/or (iii) provision of customer and/or technical support for the Software.

“Software” means: (i) any and all of Cornerstone’s proprietary web-based applications, including, without limitation, all updates, revisions, bug-fixes, upgrades, and enhancements thereto, as well as applications that have been modified in any way by Cornerstone at the request of a client; and (ii) application functionality and eLearning content provided by Cornerstone or Cornerstone-contracted third parties.

“Third Party” means any party that is not either of the parties, its Affiliates, applicants, employees, shareholders, directors, officers, contractors, customers, or Active Users.

Rights; Usage. In accordance with the Agreement, Cornerstone gives you the non-transferable and non-assignable right for the duration of the applicable Order to use, and to permit your Active Users and your Affiliates’ Active Users to use, the Software items listed therein on a non-exclusive basis via the Internet. Cornerstone will (i) according to ISO 27001 (or successor/equivalent) standards, maintain appropriate safeguards for protection of Client Data, including regular back-ups, security and incident response protocols, and application and infrastructure monitoring; and (ii) not access, modify, or disclose Client Data, except as compelled by law, to prevent or address service or technical issues, or if otherwise permitted by you.You may retrieve Client Data any time during the term of the applicable Order.If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.To meet its disaster recovery commitments, Cornerstone maintains a backup copy of Client Data for approximately six (6) months following expiration or termination of the applicable Order, after which time all backups are destroyed.

Restrictions. The Software and Services may be used only for your and your Affiliates’ own lawful business purposes. You shall not: (i) use or deploy the Software in violation of applicable laws or the Agreement; (ii) resell any Software or Service except through Extended Enterprise transactions/registrations; (iii) create any derivative works based upon the Software; (iv) reverse engineer, reverse assemble, decompile or otherwise attempt to derive source code from the Software or any part thereof (except to the extent that such restriction is not permitted under applicable law); (v) make any Software or Service available to any unauthorized parties; or (vi) release the results of benchmark tests or other comparisons of any Software or Service with other software, services, or materials.You will be responsible for Active Users’ compliance with the Agreement and liable for Active Users’ breach thereof.You will ensure that you have obtained all necessary consents and approvals for Cornerstone to access Client Data for the purposes permitted under the Agreement. Upon expiration or termination of the applicable Order, you shall cease using all Software and Services.

Support. Cornerstone shall provide the level of technical support stated in the applicable Order. Only the number of administrators set forth in the applicable support package description (i.e., not all Active Users) who have completed the requisite training may contact Cornerstone for support. You agree to promptly provide Cornerstone with sufficient documentation, data and assistance with respect to any reported errors, and to reasonably cooperate with Cornerstone, in order for Cornerstone to comply with its support obligations hereunder. In no event shall Cornerstone be responsible or liable for any errors, bugs or other problems contained in or originating from hardware or software not provided by Cornerstone.Should unexpected or inappropriate use of the Software result in denial of service (DoS) with respect to the Software, Cornerstone may disable the implicated Client Content and/or deny access to your portal only if and for so long as necessary to restore service.

Fees and Payment. You will be invoiced for fees according to the applicable Order. Payment of fees will be due upon receipt, except where the Order expressly prescribes other payment dates.Except where otherwise stated, all fees set forth in an Order are in U.S. dollars and must be paid in the currency set forth in the Order.Late payments hereunder will incur a late charge of 1.5% (or the highest rate allowable by law, whichever is lower) per month on the outstanding balance from the date due until the date of actual payment.In addition, following notice and a reasonable time to cure, Services are subject to suspension for failure to timely remit payment therefor.

Term and Termination.

Term. The term of this Agreement runs from the Effective Date through the expiration or termination of the last Order.

Termination for Cause. Either party may immediately terminate the Agreement if the other party materially breaches the Agreement, and, where capable of remedy, such breach has not been materially cured within thirty (30) days of the breaching party’s receipt of written notice describing the breach in reasonable detail.

Bankruptcy Events. A party may immediately terminate the Agreement if the other party: (i) has a receiver appointed over it or over any part of its undertakings or assets; (ii) passes a resolution for winding up (other than for a bona fide scheme of solvent amalgamation or reconstruction), or a court of competent jurisdiction makes an order to that effect and such order is not discharged or stayed within ninety (90) days; or (iii) makes a general assignment for the benefit of its creditors.

Effect of Termination. Immediately following termination of a given Order, you shall cease using all Software and Services purchased in that Order.You may retrieve Client Data any time prior to termination or expiration of the given Order. If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.

Confidentiality. Each of the parties agrees: (i) not to disclose any Confidential Information to any third parties except as mandated by law and except to those Affiliates and subcontractors of Cornerstone providing Services hereunder who agree to be bound by confidentiality obligations no less stringent than those set forth in the Agreement; (ii) not to use any Confidential Information for any purposes except carrying out such party’s rights and responsibilities under the Agreement; and (iii) to keep the Confidential Information confidential using the same degree of care such party uses to protect its own confidential information; provided, however, that such party shall use at least reasonable care.These obligations shall survive termination of the Agreement.If either party breaches any of its obligations with respect to confidentiality or the unauthorized use of Confidential Information hereunder, the other party shall be entitled to seek equitable relief to protect its interest therein, including but not limited to, injunctive relief, as well as money damages.

Intellectual Property.As between the parties, Cornerstone will and does retain all proprietary and intellectual property rights, title and interest in and to the Software and Services. You retain all proprietary and intellectual property rights, title and interest in and to Client Data and Client Content.

Indemnification.

Indemnification by Cornerstone. Cornerstone agrees to indemnify, defend, and hold you harmless from and against any and all Third Party claims and causes of action, as well as related losses, liabilities, judgments, awards, settlements, damages, expenses and costs (including reasonable attorney’s fees and related court costs and expenses) (collectively, “Damages”) that you incur or suffer which directly relate to or directly arise out of the violation or infringement of any third-party intellectual property rights by your authorized use of the Software. The foregoing provisions of this section shall not apply to the extent the Damages relate to or arise out of: (i) Client Data; (ii) Client Content; or (iii) your or your users’ unauthorized use and/or alteration of the Software.

Indemnification by Client. You agree to indemnify, defend, and hold harmless Cornerstone from and against any and all Damages incurred or suffered by Cornerstone which directly relate to or directly arise out of the violation or infringement of any third-party intellectual property rights by Client Data or Client Content. The foregoing provisions of this section shall not be applicable to the extent the Damages relate to or arise from Cornerstone’s use of Client Data or Client Content in violation of the Agreement.

Indemnification Procedures. To obtain indemnification, indemnitee shall: (i) give written notice of any claim promptly to indemnitor; (ii) give indemnitor, at indemnitor’s option, sole control of the defense and settlement of such claim, provided that indemnitor may not, without the prior consent of indemnitee (not to be unreasonably withheld), settle any claim unless it unconditionally releases indemnitee of all liability; (iii) provide to indemnitor all available information and assistance; and (iv) not take any action that might compromise or settle such claim.

Infringement Cures. Should the Software or any part thereof become, or in Cornerstone’s reasonable opinion be likely to become, the subject of a claim for infringement of a third party intellectual property right, then Cornerstone may, at its sole option and expense: (i) procure for you the right to use and access the infringing or potentially infringing item(s) of the Software free of any liability for infringement; or (ii) replace or modify the infringing or potentially infringing item(s) of the Software with a non-infringing substitute otherwise materially complying with the functionality of the replaced system.

Exclusive Remedies. The remedies set forth in this section shall be exclusive with respect to any infringement claim hereunder.

Warranties. Each party represents and warrants to the other party that, as of the date hereof: (i) it has full power and authority to execute and deliver each Order; (ii) each Order has been duly authorized and executed by an appropriate employee of such party; (iii) each Order is legally valid and a binding obligation of such party; and (iv) its execution, delivery and/or performance of an Order does not conflict with any agreement, understanding or document to which it is a party. CORNERSTONE WARRANTS THAT THE SOFTWARE WILL PERFORM SUBSTANTIALLY IN MATERIAL ACCORDANCE WITH THE AGREEMENT AND APPLICABLE DOCUMENTATION REGARDING EXISTING FUNCTIONALITY PROVIDED BY CORNERSTONE; NO NEW OR DIFFERENT FUNCTIONALITY IS PROMISED HEREUNDER. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CORNERSTONE DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.

Liability.

Liability Cap. EXCEPT FOR (i) A PARTY’S INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS; (ii) A PARTY’S WILLFUL MISCONDUCT; OR (iii) LIABILITY WHICH CANNOT BE LIMITED BY APPLICABLE LAW, EACH PARTY’S MAXIMUM AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, WILL BE LIMITED TO THE TOTAL FEES PAID OR PAYABLE BY YOU TO CORNERSTONE UNDER THE AFFECTED ORDER(S) FOR THE TWELVE-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE THE CAUSE OF ACTION AROSE. THE EXISTENCE OF MORE THAN ONE CLAIM SHALL NOT EXPAND SUCH LIMIT. THE PARTIES ACKNOWLEDGE THAT THE FEES AGREED UPON BETWEEN YOU AND CORNERSTONE ARE BASED IN PART ON THESE LIMITATIONS, AND THAT THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ANY ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. THE FOREGOING LIMITATION SHALL NOT APPLY TO A PARTY’S PAYMENT OBLIGATIONS UNDER AN ORDER.

Exclusion of Consequential Damages. NEITHER PARTY WILL BE LIABLE FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, LOSS OF DATA, INTERRUPTION OF BUSINESS, PROVIDING REPLACEMENT SOFTWARE (EXCEPT AS SET FORTH IN SECTION “INFRINGEMENT CURES”), OR ANY OTHER INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO THE AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Communications. Neither party shall issue any press release using the name of the other party as a customer or provider without the other party’s consent (not to be unreasonably withheld or delayed). Notwithstanding the foregoing, the parties agree that either party can promote this strategic relationship internally, to existing customers, and in marketing material to potential customers, and that Cornerstone shall have the right to list you as a client of Cornerstone on the Cornerstone websites and in marketing materials.

Miscellaneous Provisions.

Governing Law; Jurisdiction. The Agreement will be governed by and construed in accordance with the laws of the State of California and the federal laws of the United States of America, without regard to conflict of law principles. You and Cornerstone agree that any suit, action or proceeding arising out of, or with respect to, the Agreement or any judgment entered by any court in respect thereof shall be brought exclusively in the state or federal courts of the State of California located in the County of Los Angeles, and each of you and Cornerstone hereby irrevocably accepts the exclusive personal jurisdiction and venue of those courts for the purpose of any suit, action or proceeding.

Force Majeure. Neither party will be liable for any failure or delay in its performance under the Agreement due to any cause beyond its reasonable control, including without limitation acts of war, acts of God, earthquake, flood, weather conditions, embargo, riot, epidemic, acts of terrorism, sabotage,governmental act, failure of the Internet or other acts beyond such party’s reasonable control, provided that the delayed party: (i) gives the other party prompt notice of such cause; and (ii) uses reasonable commercial efforts to correct promptly such failure or delay in performance.

Counterparts; Facsimile. Each Order may be executed in any number of counterparts and in facsimile or electronically, each of which shall be an original but all of which together shall constitute one and the same instrument.

Entire Agreement. The Agreement, any and all Orders, and any schedules and/or exhibits attached to the Orders, contains the entire understanding of the parties in respect of its subject matter and supersedes all prior agreements and understandings (oral or written) between the parties with respect to such subject matter. Purchase orders submitted by you are for your internal administrative purposes only, and the terms and conditions contained in those purchase orders will have no force and effect. Any modification, amendment, or addendum to the Agreement and/or an Order must be in writing and signed by both parties.

Assignment. Neither party may assign the Agreement or any of its rights, obligations, or benefits hereunder, by operation of law or otherwise, without the other party’s prior written consent; provided, however, either party, without the consent of the other party, may assign the Agreement to an Affiliate or to a successor (whether direct or indirect, by operation of law, and/or by way of purchase, merger, consolidation or otherwise) to all or substantially all of the business or assets of such party, where the responsibilities or obligations of the other party are not increased by such assignment and the rights and remedies available to the other party are not adversely affected by such assignment.Subject to that restriction, the Agreement will be binding on, inure to the benefit of, and be enforceable against the parties and their respective successors and permitted assigns.

No Third Party Beneficiaries. The representations, warranties and other terms contained herein are for the sole benefit of the parties hereto and their respective successors and permitted assigns, and shall not be construed as conferring any rights on any other persons.

Statistical Data. Without limiting the confidentiality rights and intellectual property rights protections set forth in the Agreement, Cornerstone has the perpetual right to use aggregated, anonymized, and statistical data (“Statistical Data”) derived from the operation of the Software, and nothing herein shall be construed as prohibiting Cornerstone from utilizing the Statistical Data for business and/or operating purposes, provided that Cornerstone does not share with any third party Statistical Data which reveals the identity of you, your users, or your Confidential Information.

Suggestions. Cornerstone shall have a royalty-free, worldwide, perpetual license to use or incorporate into the Software and Services any suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by your or your users relating to the operation of the Software and Services.

Third-Party Applications and Service Providers.

External Applications. The Software may contain features capable of interoperating with third-party applications not offered by Cornerstone (“External Applications”). To use such features, you may be required to obtain access to such applications from a third-party provider. Cornerstone shall not be responsible for your access to, or operation of, External Applications.

Embedded Applications. Cornerstone may offer or sell certain third-party applications embedded within the Software, which meet security, privacy, and/or support standards that differ from those set forth in the Agreement (“Embedded Applications”).Use of Embedded Applications is optional, and you may deactivate Embedded Applications in your Software portal at any time.A list of Embedded Applications, including information relevant thereto, is available upon request.

Service Providers. Cornerstone offers a certification program to certify third-party service providers that implement, configure, and/or administer Software (“Certified Consultants”). A list of Certified Consultants is available upon request. You may not permit any non-Certified Consultant to implement, configure, and/or administer Software.None of the warranties or support obligations hereunder shall apply to any Software implemented, configured, or administered by any non-Certified Consultant.

Export Controls. You understand that use of the Software and Services is subject to U.S. export controls andtrade and economic sanctions laws and agrees to comply with all such applicable laws and regulations, including without limitation the Export Administration Regulations maintained by the U.S. Department of Commerce, and the trade and economic sanctions maintained by the Treasury Department’s Office of Foreign Assets Control.

Rule 10b-5 Limitations. Each party acknowledges that United States securities laws prohibit any person who has material, non-public information about a publicly-traded company from purchasing or selling securities of such company, or from communicating such information to any other person under circumstances in which it is reasonably foreseeable that such person is likely to purchase or sell securities of such company.

Severability. If any provision of the Agreement is held by a court or arbitrator of competent jurisdiction to be contrary to law, such provision shall be changed by the court or by the arbitrator and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law, and the remaining provisions of the Agreement shall remain in full force and effect.

Notices. Any notice or communication required or permitted to be given hereunder may be delivered by hand, deposited with an overnight courier, sent by facsimile, or mailed by registered or certified mail, return receipt requested and postage prepaid to the address for the other party first written above or at such other address as may hereafter be furnished in writing by either party hereto to the other party. Such notice will be deemed to have been given as of the date it is delivered, if by personal delivery; the next business day, if deposited with an overnight courier; upon receipt of confirmation of facsimile delivery (if followed up by such registered or certified mail); and five days after being so mailed.

Independent Contractors. You and Cornerstone are independent contractors, and nothing in the Agreement shall create any partnership, joint venture, agency, franchise, sales representative or employment relationship between you and Cornerstone. Each party understands that it does not have authority to make or accept any offers or make any representations on behalf of the other. Neither party may make any statement that would contradict anything in this section.

Waiver. No failure or delay on the part of either party in exercising any right, power or remedy under the Agreement shall operate as a waiver, nor shall any single or partial exercise of any such right, power or remedy preclude any other or further exercise or the exercise of any other right, power or remedy.

Survival. Sections of the Agreement intended by their nature and content to survive termination of the Agreement shall so survive.

DATA PROCESSING ADDENDUM

(applicable only if and to the extent your organization has users located in the EUROPEAN UNION)

Preamble

This Data Processing Addendum (the “Addendum”) forms part of and is subject to the Terms and Conditions agreed to by you and Cornerstone concerning the provisioning of human capital management software by Cornerstone (hereinafter also “Cornerstone” or the “Processor”) to you (hereinafter also the “Controller”). It applies to all activities carried out by the Processor within the framework of the Terms and Conditions whereby the Processor's employees or third parties commissioned by the Processor might Process Personal Data of the Controller and/or Active Users. In the event of any conflict between the terms of the Terms and Conditions and the terms of this Addendum, the terms of this Addendum shall prevail.

Definitions

“GDPR” means Regulation (EU) 2016/679 of 27 April 2016.

"Personal Data" means any information Processed by Cornerstone on your behalf relating to an identified or identifiable natural person; see article 4(1) of the GDPR.

"Personal Data Breach" means, according to Article 4(12) of the GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (see Article 4(2) of the GDPR).

“Subprocessors” has the meaning as being defined in section 5.1 of this Addendum.

"Third Country" means a country without a system of ensuring adequate protection within the meaning of Article 45 of the GDPR.

Capitalized terms used, but not otherwise defined, herein shall have the same meanings assigned to those terms in the Terms and Conditions.

Scope of the Addendum

Cornerstone acts as a data processor for you, who acts as the data controller. Personal Data may include the categories of Personal Data, the categories of data subjects and the purposes of the Processing set out in Annex 1.

Processing of Personal Data

Cornerstone shall Process Personal Data for the purposes of providing services under the Terms and Conditions only in accordance with the Terms and Conditions and this Addendum, and in accordance with documented instructions listed in this Addendum and the Terms and Conditions. Client may issue further documented instructions consistent with and in the scope of this Addendum and the Terms and Conditions. Cornerstone shall immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

Cornerstone must notify you in writing without undue delay regarding events which significantly impede Cornerstone's current or future ability to Process Personal Data in accordance with this Addendum.

Cornerstone must limit the access to Personal Data to its employees or Subprocessors for whom access to said data is reasonably necessary to fulfill Cornerstone's obligations to you. Cornerstone must ensure that persons authorized to Process Personal Data are bound by the same or equivalent confidentiality obligations as Cornerstone and/or are under an appropriate statutory obligation of confidentiality.

Cornerstone shall implement and maintain appropriate technical and organizational measures as described in Article 32 of the GDPR. For this purpose, the parties agree on the security measures set forth in Annex 2 for the Processing of Personal Data.

The appropriate technical and organizational security measures must be determined with due regard to:

the state of the art,

the cost of their implementation, and

the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Cornerstone shall make available to you upon request information necessary to demonstrate compliance with Processor’s obligations set forth in Article 28 of the GDPR, and allow for and reasonably assist with audits, including inspections, conducted by the Controller or an independent third party auditor appointed by the Controller, as follows:

Cornerstone shall at its own cost obtain and make available upon your request an audit report from an independent auditor regarding Cornerstone's compliance with the data security requirements of the controls defined in SSAE 18 or ISO 27001 (or equivalent standard). Such audit report must be issued on the basis of a recognized standard for such reports.

In addition, you are entitled, at a time and scope to be agreed by the parties, to conduct or have conducted an annual audit, including an inspection, if and to the extent the audit report set forth in the preceding paragraph does not meet the requirements set forth in Article 28 of the GDPR. Any third party auditor shall not be a competitor of Cornerstone, and shall, upon Cornerstone's request, sign a customary non-disclosure agreement to treat all information obtained or received from Cornerstone confidentially, and may share any such information obtained or received only with you and Cornerstone. You shall be responsible for costs of the audit, and agree to pay Cornerstone a reasonable fee per audit to be mutually agreed by the parties to cover Cornerstone assistance with the audit. An additional audit may take place: (i) if required by you competent legal supervisory authority; or (ii) following a Personal Data Breach.

Cornerstone shall without undue delay notify you about any:

request by a legal authority for disclosure of Personal Data Processed under the Agreement, unless such notification is expressly prohibited under applicable law; or

request for access to Personal Data received directly from identified data subjects themselves or from third parties.

Cornerstone shall notify you without undue delay after becoming aware of a Personal Data Breach. The notification shall at least describe the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned) and the measures taken or proposed by Cornerstone to address the Personal Data Breach.

Cornerstone shall provide reasonable and timely assistance to you (at your expense) to help enable you to respond to: (i) any request from a data subject to exercise any of the data subject’s rights under applicable data protection laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data.

In the event that any such request, correspondence, enquiry or complaint is made directly to Cornerstone, Cornerstone shall promptly inform you and provide full details of the same, except to the extent prohibited by law.

Cornerstone shall, upon your request and at your expense, reasonably assist the Controller in ensuring compliance with Controller’s obligations pursuant to Articles 32 to 36 of the GDPR (including security of Processing, notification of Personal Data breach, data protection impact assessment and prior consultation), based on the nature of Processing and the information available to Cornerstone.

In the event that your designated account manager at Cornerstone cannot assist with your data privacy enquiry, you may contact the data protection officer of Cornerstone, of whom the contact details are as follows: José Alberto Rodríguez Ruiz, 28 Rue Londres, 75009 Paris, France, jrodriguez@csod.com.

Client's General Obligations

You will comply with all its obligations under applicable data protection laws and regulations.

Other Data Processors

Cornerstone may engage other processors (“Subprocessors”) for the Processing of Personal Data under this Addendum, provided Cornerstone ensures such Subprocessors’ compliance with the terms of this Addendum. As of the effective date of the Addendum, Cornerstone relies on the Subprocessors listed in Annex 1 to provide the Services.

Prior to the engagement of another Subprocessor, Cornerstone shall inform youradministrators of the intended subprocessing at least 30 days prior thereto, thereby giving you the opportunity to object to such change on reasonable grounds, as set forth in Article 28 of the GDPR.

You authorize Cornerstone to transfer Client Data to Cornerstone Affiliates and/or other Subprocessors located in the United States, the United Kingdom, Israel, India, New Zealand and/or other locations outside the European Economic Area, as is reasonably required to provide support, perform technical projects or perform other types of services under the Master Agreement, provided that, to the extent applicable, either: (i) such locations are recognized by the European Commission as providing adequate data protection; (ii) Cornerstone has executed on your behalf the EU Standard Contractual Clauses with such Affiliates and/or other Subprocessors (you hereby grant such proxy to Cornerstone); or (iii) upon your request, you execute the EU Standard Contractual Clauses directly with such Affiliates and/or other Subprocessors.

Cornerstone shall remain fully liable to you for the performance of its Subprocessors’ obligations hereunder.

Data Retrieval and Deletion

You may retrieve your Personal Data at any time prior to termination of the Master Agreement as set forth therein.

Promptly upon the expiration or earlier termination of the Master Agreement, or earlier upon your request, Cornerstone shall securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in Cornerstone’s possession, custody or control.

Notwithstanding section 6.2, backups of Personal Data are to be deleted according to and in compliance with Cornerstone’s general backup cycle, which means that backups will be deleted at the latest within approximately six (6) months from the decommissioning of your portal.

Cornerstone shall provide to you, upon your request, written confirmation that deletion has occurred in accordance with this section 6.

In the event applicable law does not permit Cornerstone to comply with delivery or destruction of Personal Data as set forth herein, Cornerstone shall ensure the privacy, confidentiality and security of Personal Data in accordance with the standards agreed in this Addendum and shall not use or disclose any Personal Data after termination of the Master Agreement.

Miscellaneous

The parties may agree in good faith on any reasonable amendment to the Addendum required to maintain compliance with the applicable law. Such amendment may include additional fees to be reasonably agreed by the parties.

\

ANNEX 1

I. Categories of data, categories of data subjects and purposes of the Processing

Categories of Personal Data

The Personal Data being Processed by Cornerstone may concern the following categories of data:

Learning, performance, recruiting, and/or HR data

Categories of data subjects

The Personal Data Processed by Cornerstone may concern the following categories of data subjects:

Employees, suppliers, contractors, agents, directors, officers, customers, members, and/or partners of the data controller and/or its affiliates

Purpose and nature of the Processing operations

Personal Data may be Processed by Cornerstone for the following purposes:

Delivery and use of human capital management software;

Implementation services related to configuration of human capital management software;

Product support; and

Technical projects

as further described in Cornerstone OnDemand’s SSAE18 audit report, ISO27001 audit report, and IT security policy.

Special categories of data

None.

II. Current Subprocessors

Subprocessor

Country

Services performed

Cornerstone OnDemand Limited*

U.K.

Support, Technical Project Services

Cornerstone OnDemand, Inc.*

U.S.A.

Support, R&D, Technical Project Services

Cornerstone OnDemand Spain S.L.

Spain

Support

Cornerstone OnDemand Global Operations, Inc.

EUbranches

Support

Cornerstone OnDemand Global Operations, Inc.

Israel

Support

Cornerstone OnDemand ANZ (Sonar Limited)

New Zealand

Support

Cornerstone OnDemand Services India Private Limited

India

Support, Technical Project Services

*If this Cornerstone entity is the party executing the Addendum, the entity will be deemed the Processor and not a Subprocessor.

Cornerstone utilizes Amazon Web Services (“AWS”) as a technology infrastructure provider. Acting in this capacity, AWS has no need to, and is prohibited from, accessing any Client Data. Additionally, Client Data is fully encrypted, with only Cornerstone managing the encryption keys.

Cornerstone’s AWS environment will either meet or exceed Cornerstone’s security standards, and be located in the same regions as Cornerstone’s data centers.

ANNEX 2

Security measures

Cornerstone shall Process Personal Data in accordance with applicable law to which Cornerstone is subject and in accordance the data security requirements of the controls defined in SSAE 16 SOC 2 or ISO 27001 (or equivalent standard).

Cornerstone shall appoint a fixed contact point for you to carry out any matters in relation to the Processing of Personal Data.

Cornerstone shall ensure that Cornerstone's employees receive adequate training and instructions, including, but not limited to, education on general safety awareness, relevant security policies and procedures, and Personal Data Processing.

Cornerstone shall maintain organizational and technical measures to ensure separation of data between clients and systems.

Access Control of Processing Areas

Cornerstone shall maintain suitable measures in order to prevent unauthorized persons from gaining access to the data Processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data is Processed or used.This is accomplished by measures like:

establishing security areas;

protection and restriction of access paths;

securing the decentralized telephones, data Processing equipment and personal computers;

establishing access authorizations for employees and third parties, including the respective documentation;

regulations on card-keys;

restriction on card-keys;

all access to the data centre where Personal Data is hosted is logged, monitored, and tracked;

the data centre where Personal Data is hosted is secured by a security alarm system; and

other appropriate security measures.

Access Control to Data Processing Systems

Cornerstone shall maintain suitable measures to prevent its Personal Data Processing systems from being used by unauthorized persons.This is accomplished by measures like:

identification of the terminal and/or the terminal user to the Cornerstone systems;

automatic time-out of user terminal if left idle, with identification and password required to reopen;

automatic turn-off of the user ID when several erroneous passwords are entered;

log file of events (monitoring of break-in-attempts);

issuing and safeguarding of identification codes;

dedication of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;

employee policies and training with respect to each employee's access rights to Personal Data (if any), including informing employees about their obligations and the consequences of any violations of such obligations, to ensure that employees will only access Personal Data and resources required to perform their job duties; and

all access to data content is logged, monitored, and tracked.

Access Control to Use Specific Areas of Data Processing Systems

Cornerstone commits that the persons entitled to use its Personal Data Processing system are only able to access the data within the scope and to the extent covered by its access permission (role or authorization) and that Personal Data cannot be read, copied or modified or removed without authorization.This shall be accomplished by:

employee policies and training with respect to each employee’s access rights to the Personal Data;

allocation of individual terminals and /or terminal user, and identification characteristics exclusive to specific functions;

monitoring capability in respect of individuals who delete, add or modify the Personal Data;

effective and measured disciplinary action against individuals who access Personal Data without authorization;

release of Personal Data only to authorized persons;

control of files, controlled and documented destruction of Personal Data; and

policies controlling the retention of back-up copies.

Availability Control

Cornerstone shall maintain suitable measures to ensure that Personal Data are protected from accidental destruction or loss.This is accomplished by:

infrastructure redundancy;

tape backup is stored off-site and available for restore in case of failure of SAN infrastructure for database server;

complying with Cornerstone’s business continuity policy; and

any detected security incident is recorded

For all applications supported by the Cornerstone, the following controls will be implemented:

Transmission Control

Cornerstone shall maintain suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.This is accomplished by:

use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;

certain highly confidential data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within system transmission; and

as far as possible, all data transmissions are logged, monitored and tracked.

Input Control

Cornerstone implements suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data has been input into Personal Data Processing systems or removed. This is accomplished by:

an authorization policy for the input of data into memory, as well as for the reading, alteration and disposal of stored Personal Data;

authentication of the authorized personnel;

protective measures for the data input into memory, as well as for the reading, alteration and disposal of stored Personal Data;

utilization of user codes (passwords);

following a policy according to which all employees of Cornerstone who have access to Personal Data Processed for you shall reset their passwords at a minimum once in a 180 day period;

providing that entries to Data Processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;

automatic log-off of user IDs that have not been used for a substantial period of time;

proof established within Cornerstone’s organization of the input authorization; and

electronic recording of entries.

Cornerstone system administrators (if any):

Cornerstone shall maintain measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by:

individual appointment of system administrators;

adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months;

yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by importer and applicable laws;

keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned.

Separation of Processing for different Purposes

Cornerstone shall maintain suitable measures to ensure that Personal Data collected for different purposes can be Processed separately. This is accomplished by:

access to Personal Data is separated through application security for the appropriate users; and

modules within Cornerstone’s database separate which data is used for which purpose, i.e., by functionality and function.

You acknowledge and agree that Cornerstone may change its security policies and related security measures, provided that Cornerstone maintains, at all times, an overall level of security as least as stringent as the one set forth in this Addendum.