Compliance

Quickbase understands the need to provide assurance to customers operating in regulated environments and has taken steps to provide attestations and other supplemental documentation to support these efforts.

It is important to note that the Quickbase platform operates under a shared responsibility model. While Quickbase maintains responsibility for ensuring the security and compliance of the underlying platform infrastructure and supporting technology, Quickbase customers are responsible for ensuring apps and realms are designed, implemented and maintained to meet individual security, compliance and legal needs.

Quickbase is committed to maintaining compliance with the below frameworks and requirements, but Quickbase cannot advise customers on how best to achieve their compliance needs. Customers should consult their own compliance professionals to ensure their applicable compliance requirements are met.

SOC1 – Type II • SOC2 – Type II • SOC3

Quickbase participates in annual SOC audits to provide independent attestation to Quickbase’s compliance with the following.
  • SOC1 – Type II: This report provides assurance to customers leveraging Quickbase for processes that impact financial reporting.
  • SOC2 – Type II: This report is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at Quickbase relevant to security, confidentiality and availability.
  • SOC3: This report is designed to meet the needs of those who seek assurance about the controls at Quickbase relevant to security, confidentiality and availability, but who do not have the need for or the knowledge necessary to make effective use of a SOC2 report.

These reports are released by August 31st of each year. The SOC1 and SOC2 reports are available to current or prospective customers under obligations of confidentiality. Quickbase’s annual SOC3 report is prepared for public release. Download the 2023 report here.

HIPAA Security Rule

Quickbase’s annual SOC2 – Type II report also includes independent attestation to Quickbase’s compliance with the applicable requirements of 45 C.F.R. Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), and 164.312 (Technical Safeguards) set forth in the U.S. Department of Health and Human Services’ Health Information Portability and Accountability Act (HIPAA), collectively known as the HIPAA Security Rule requirements.

Quickbase enables its customers to build applications compliant with the HIPAA Security Rule. However, Quickbase’s customers are responsible for determining if they are a Covered Entity or Business Associate under HIPAA; determining if a business associate agreement (BAA) with Quickbase is required; and for ensuring that they use Quickbase in compliance with all requirements under HIPAA. Customers who store or process Protected Health Information (PHI) must sign a BAA with Quickbase. Quickbase will sign BAAs with business and enterprise customers on annual or multi-year contracts.

DFARS • NIST 800-171

Quickbase’s annual SOC2 – Type II report also includes independent attestation to Quickbase’s compliance with applicable requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) set forth in NIST Special Publication 800-171: Protecting Controlled Unclassified Information for Nonfederal Information Systems and Organizations (NIST SP 800-171).

CSA • CCM • STAR Level 2

Quickbase’s annual SOC2 – Type II report also includes independent attestation to Quickbase’s compliance with the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM). Quickbase’s listing as a Level 2 provider can be publicly accessed via the CSA’s Security, Trust, Assurance and Risk (STAR) Registry.

GxP • US FDA CFR Title 21 Part 11

The Quickbase platform and underlying technology & infrastructure are maintained to meet best practices and requirements surrounding electronic records under US FDA CFR Title 21 Part 11. Quickbase maintains a documented control mapping to demonstrate both Quickbase’s capabilities & responsibilities, and customer responsibilities under these requirements. The control mapping is available to current or prospective customers under obligations of confidentiality.

At this time, eSignature functionality is not native to the Quickbase platform, but many customers successfully integrate various third-party eSignature service offerings via a pipeline channel or third-party integration to support eSignature functionality. Quickbase’s API can be leveraged to extend the platform to solve for a variety of needs.

FERPA • HECVAT

Quickbase enables education institutions leveraging the Quickbase platform to maintain FERPA compliance by:

  • Maintaining security of the Quickbase platform via industry-standard security plans and controls;
  • Not sharing or disclosing customer app data inappropriately or to third parties beyond those supporting the operations of Quickbase (visit our subprocessors page to learn more);
  • Not using customer app data for unrelated activities, such as data mining;
  • Implementing security breach notification procedures;
  • Deleting customer data and offering certificates of data destruction in accordance with contractual requirements and best-practice considerations.

Further, Quickbase has completed the Higher Education Community Vendor Assessment Toolkit (HECVAT) to aid in efforts to assess the Quickbase platform and the corporate operations of Quickbase for requirements in this industry. This is available to current or prospective customers under obligations of confidentiality.

Accessibility • Section 508 • WCAG

Quickbase is committed to providing an inclusive experience within its platform. To make the interface accessible to all users, Quickbase strives to ensure features and functionality support a wide range of specifications within the Web Content Accessibility Guidelines (WCAG) 2.0 and Section 508 of the Rehabilitation Act set forth by the U.S. Department of HHS. New features and functionality are assessed for adherence to these recommendations prior to being deployed. Quickbase routinely completes the Voluntary Product Accessibility Template (VPAT) to aid customers in performing a standardized review of the accessibility of the Quickbase platform. Read more about Quickbase’s approach to accessibility in this blog post. Quickbase's VPAT can be downloaded here.

TX-RAMP Certified Cloud Product – Level 2

Quickbase is a Level 2 Certified Cloud Product under the Texas Risk and Authorization Management Program (TX-RAMP). Quickbase’s listing as a Level 2 product can be found on the Texas Department of Information Resources’ public listing.