The Quickbase platform is used by thousands of customers across many industries. We regularly review our portfolio of Certifications and Attestations to better enable our customers to develop applications that meet the requirements they are subject to. Our present portfolio is listed below.
SOC, HIPAA, and DFARS
Quickbase conducts annual third-party attestations for several compliance standards and regulations, including SOC 1/2/3, HIPAA, and DFARS.
Quickbase undergoes an annual SSAE 18 SOC 1/2/3 Type 2 examination covering the Security and Availability Trust Services Principles defined by the AICPA Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Quickbase began including a SOC 1 audit in 2017. Please note that customer app and realm controls are not within the scope of Quickbase's SOC reports; customers may therefore want to include these pertinent Quickbase controls in their own SOC examinations.
Quickbase's SOC 1/2 reports are issued in mid-August annually and are available to customers or prospective customers under NDA. Quickbase's SOC 3 report is publicly available and provides a summary of the Quickbase SOC 2 report. Download the 2022 report here.
The Health Insurance Portability and Accountability Act (“HIPAA”) is a United States law that applies to companies and other entities involved in the healthcare industry that may have access to patient information (called “Protected Health Information”, or “PHI”).
Quickbase abides by the HIPAA Security Rule in its operation of the Quickbase platform. Quickbase performs an annual HIPAA attestation as part of its annual SOC examinations, conducted by a third-party audit firm that validates that Quickbase's controls meet or exceed the requirements.
Quickbase enables its customers to build HIPAA-compliant applications. Quickbase's customers are responsible for determining whether they are a Covered Entity or Business Associate under HIPAA (and whether a business associate agreement with Quickbase is required) and for ensuring that they use Quickbase in compliance with HIPAA. Customers who store or process Protected Health Information must sign a business associate agreement with Quickbase. Quickbase will sign BAAs with customers on annual or multi-year contracts.
FDA & GxP
GxP is a collection of quality guidelines and regulations applicable to life sciences organizations that make food and medical products such as drugs, biologics, medical devices, and medical software applications. GxP regulations include the requirements outlined in US FDA CFR Title 21 Part 11.
The platform and its underlying technology are maintained to meet best practices so that customers can build and support applications subject to FDA and GxP requirements. Our GxP Assurance Package shows that the platform meets the requirements of compliance regulations such as US FDA CFR Title 21 Part 11.
Quickbase uses a PCI-compliant vendor to process credit cards for its customers. However, the Quickbase platform itself has not undergone a PCI audit; therefore, credit card data should not be stored in Quickbase apps.
A growing number of customers are adopting Quickbase to handle unclassified Department of Defense (DoD) Covered Defense Information (CDI), including Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), and other mission-critical data requiring protection from unauthorized disclosure. NIST Special Publication 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of CDI.
Quickbase incorporates NIST 800-171 controls into its operation and management of the Quickbase platform and provides independent attestation of its compliance via its annual third-party SOC examination. As with the SOC 2 report, this report is available to customers or prospective customers under NDA.
FERPA & HECVAT
The Family Educational Rights and Privacy Act (FERPA) governs the use of student data when schools and districts use Quickbase apps that include FERPA-regulated data.
Educational institutions are responsible for maintaining FERPA compliance when handling the personal data of their students. These responsibilities include identifying the data elements that are uploaded to Quickbase, maintaining access and sharing permissions appropriately, and being transparent with students about data-sharing arrangements with service providers.
As a service provider, Quickbase enables educational institutions that use Quickbase apps for FERPA data to comply with FERPA by:
- Maintaining security of the Quickbase platform via security plans and controls.
- Not sharing or disclosing app data to any third party.
- Not using customer app data for unrelated activities such as data mining.
- Implementing customer security breach notification procedures.
- Purging app data at end of service contract.
For more information about FERPA, visit the Privacy Technical Assistance Center at the US Department of Education.
HECVAT, also known as the Higher Education Community Vendor Assessment Toolkit, is a questionnaire framework designed specifically for higher education to measure the vendor risk of service providers like Quickbase. Quickbase provides an up-to-date completed HECVAT questionnaire to assist educational institutions with their due diligence.
To make the interface accessible to users with disabilities, Quickbase includes features that support several specifications in the Web Content Accessibility Guidelines (WCAG) 2.0.
The Voluntary Product Accessibility Template (VPAT) is a standardized form developed in partnership by the Information Technology Industry Council (ITI) and the U.S. General Services Administration (GSA) to document a product’s conformance with key regulations of Section 508 of the Rehabilitation Act. Quickbase has completed an accessibility assessment of the Quickbase platform and has documented its accessibility status using these VPATs. Quickbase's VPAT can be downloaded here.