Security and Compliance at QuickBase
A Legacy of Trust
QuickBase was a division of Intuit, a global leader in financial and business solutions, from 1999 until its divestiture in 2016. Today, QuickBase, Inc. is building on a long legacy of trust to continue to meet higher levels of security and compliance.
Our mission is to enable our customers to utilize the QuickBase platform for critical business processes and applications by:
- Embedding best practices into everything we do, in every part of our company
- Aligning our processes and controls with industry standards
- Being transparent with our customers and continuing to learn from them
The Shared Responsibility Model of the QuickBase Platform
The security and confidentiality of our customers’ apps and data on the QuickBase platform is a shared responsibility between QuickBase and our customers. QuickBase provides a secure platform where customers can build and manage their apps. Additionally, QuickBase provides tools, support and resources that enable our customers to maintain secure apps.
Customers have numerous responsibilities around the security of QuickBase apps and data held within them. Customers must understand what data they intend to collect and store in their QuickBase apps, and ensure that risk and compliance requirements are addressed which correlate to the importance and classification of that data. Customers must ensure that security is addressed in the development of QuickBase apps, including ensuring that apps are shared with only those who are authorized to access them.
Security Governance at QuickBase
QuickBase’s Compliance & Information Security Officer (CISO), part of the Executive Management team, sets the vision and strategy for the company’s security and compliance program, with the goal of providing strategic direction, ascertaining that risks are managed appropriately and ensuring that objectives are achieved.
QuickBase’s Security Council is composed of leadership from Product Development, Operations and Corporate IT and is responsible for aligning corporate, development and infrastructure controls with best practices as set by the CISO in conjunction with QuickBase business and compliance objectives.
Background Checks and Security Training
All QuickBase staff undergo background checks before they are hired. All QuickBase staff are also required to complete security, ethics and privacy training when they join QuickBase and on an ongoing basis during their employment with QuickBase.
Security in Software Development
QuickBase integrates security testing into each phase of the development lifecycle: from static code security checks, to dynamic web scans that run continuously, to annual penetration tests by security experts. We train our development team on security best practices.
QuickBase is a shared application Platform as a Service (aPaaS) with logical access segregating each customer’s data. QuickBase controls logical access to data via authentication and authorization at the Realm, Account and Application layers. A Realm, which can be thought of as a domain, holds customer Accounts. Within Accounts are QuickBase Applications, which are managed by QuickBase customers. QuickBase customers can manage access and permissions at the Realm, Account and App layers via the QuickBase platform.
QuickBase encrypts customer data in motion and at rest. All communications over non-trusted Internet networks are encrypted using a TLS certificate with a 256-bit SHA-2 signature, supporting TLS 1.0, 1.1 and 1.2. QuickBase encrypts data at rest at the application layer, including app data and file attachments, using AES-256.
Operations and Monitoring
QuickBase’s operations team employs automated incident detection and escalation technologies and procedures that ensure any infrastructure or platform issue is rapidly addressed, 24x7x365. Customers may view status updates at http://service.quickbase.com/.
Security Incident Response
QuickBase commits to notifying affected customers of any suspected or confirmed data breach within 24 hours of becoming aware of it. We will notify customers via e-mail or phone.
Role Based Access
A small team of operations personnel has administrative access to the host layer. At the application layer (within QuickBase itself), QuickBase staff do not have access unless they are invited or authorized by our customers.
Customers are responsible for understanding and implementing their data retention and deletion requirements for the data they upload to QuickBase. Customers may delete data at any time; because QuickBase retains backups for 6 months, it may take up to 6 months for their data to be completely purged from our backup systems once it has been deleted from their apps.
QuickBase is hosted in data centers in the United States which provide military-grade physical security including 24x7 guards, controlled access points, biometrics and video surveillance. Security attestations including SSAE16 SOC 2 for our data center providers are available to customers or prospects under NDA upon request.
Each component of the infrastructure that powers QuickBase (from network equipment to web, app and database servers) is highly available and redundant.
QuickBase maintains 2 geographically diverse production-ready data centers; data is continuously replicated from the production data center to the hot standby disaster recovery (DR) data center. Once a disaster is declared at the production site, QuickBase requires four (4) hours to bring up production at the DR site.
SSAE16 SOC 2
QuickBase undergoes an annual SSAE16 SOC 2 Type 2 examination covering all 5 Trust Principles defined by the AICPA. A copy of our SOC 2 report is available to customers or prospective customers under NDA.
QuickBase enables our customers to build HIPAA-compliant applications. QuickBase abides by the HIPAA security and privacy rules in our operation of the QuickBase platform. QuickBase may sign BAAs (Business Associate Agreements) with customers on annual contracts.
QuickBase utilizes a PCI-compliant vendor to process credit cards for our customers. However, the QuickBase platform itself is not PCI compliant, so credit card data should not be stored in QuickBase apps.
Electronic discovery refers to discovery in legal proceedings such as litigation where the information sought is in electronic format. QuickBase supports key requirements of e-Discovery:
Preservation of Evidence
Once a legal hold is placed on customer data held within QuickBase apps, the customer may instruct personnel to preserve (not delete) apps and data. Additionally, the customer may choose to make copies of existing apps in order to preserve the data at that point in time. Lastly, QuickBase maintains backup copies of customer apps and data. Customers may request that apps be restored via customer support.
Identification of Data
QuickBase provides the ability to search apps; however, fields must be marked as searchable by the app owner. File attachments may also be searched, but they must be downloaded and searched locally.
Customers own their data which they have uploaded and stored within QuickBase.
QuickBase abides by privacy laws and regulations that are applicable to our hosting services and to our customers who host websites that may contain personal information on the QuickBase platform. QuickBase personnel may have logical access to customer data stored in QuickBase apps only if they are authorized and have a need for access due to their job function. QuickBase does not transfer customer data hosted on QuickBase outside of the QuickBase hosted service, or to any third party, without customer authorization.
Customers must ensure that privacy concerns and regulations are addressed and adhered to where customer personnel may have logical access to personal information uploaded or stored in the customer’s QuickBase apps.
EU Data Protection Regulations
QuickBase is hosted in the United States and serves customers globally. There are several mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including Privacy Shield (a replacement to Safe Harbor), EU Model Contract clauses and end user consent.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce, and replaces the Safe Harbor program. QuickBase is currently in the process of applying for Privacy Shield certification.
EU Model Clause
The EU Model Clause is a standard contract addendum between service providers such as QuickBase and their customers, designed to ensure that any personal data leaving the EEA is transferred in compliance with EU data-protection law and meets the requirements of the EU Data Protection Directive 95/46/EC. QuickBase offers customers on annual contracts Standard Contractual Clauses that make specific guarantees around transfers of personal data for QuickBase services. This ensures that QuickBase customers can freely move data through QuickBase from the EU.