Security & compliance

Quickbase's proven track record of protecting customer data spans more than twenty-five years. Today we host hundreds of thousands of apps, with terabytes of data and millions of users.

Our cybersecurity mission is to:

  • Embed best practices into everything we do, in every part of our company
  • Align our processes and controls with industry standards to ensure consistency and quality
  • Be transparent with our customers as we continue to learn from them

Quickbase’s annual SOC2 – Type II report provides more details about our security posture. Learn more on the Quickbase Compliance page.

Shared responsibility

Customer vs Quickbase responsibility chart

Quickbase is committed to maintaining best-in-class security; however, security is a shared responsibility. This shared responsibility model empowers you to maintain control of your data. It also limits the actions Quickbase might be able to take on your behalf.

Quickbase's responsibility

  • Provide a secure Platform-as-a-Service (PaaS)
  • Provide tools, support, and training resources so you can build and maintain secure apps

Customer's responsibility

  • Understand the data you will collect and store in Quickbase apps
  • Address legal, security, and compliance requirements
  • Securely develop, implement, and maintain Quickbase apps. This includes, but is not limited to, making sure you only share apps with users authorized to access them.

Platform security capabilities

We've designed the Quickbase platform with data security at its core. The platform provides tools for access control, data segregation, encryption, and more.

Access control

Customers provision and manage access to their Quickbase apps. Quickbase supports:

  • Single sign-on
  • User provisioning/de-provisioning via Security Assertion Markup Language (SAML)
  • Provisioning groups with role-based access at the app, form, or field level

Customer data segregation

Quickbase is a multi-tenant application Platform-as-a-Service (PaaS). It uses logical access to segregate each customer’s data.

Each customer is assigned a realm, which is a sub-domain. Realms hold customer accounts. Applications, developed and maintained by customers, exist within accounts. Customers manage access and permissions at the realm, account, and application levels.

Encryption

Quickbase protects data at rest using envelope encryption with AES-256 encryption keys. Data in transit is encrypted via TLS (v1.2 or higher). You may also use a realm-specific key for an additional layer of data security. If you do, you can rotate realm-specific keys on your own schedule and integrate with AWS and Azure KMS.
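The paragraph above describes envelope encryption with a realm-specific key that can be rotated independently of the stored data. The following Go program is an added illustration of that pattern and is not Quickbase's code; it assumes the realm key (KEK) is held locally in memory rather than in AWS or Azure KMS, and all names (`Envelope`, `Encrypt`, `Rotate`, the constructed realm ID and record) are assumptions made for the example. Each record is encrypted under its own data key (DEK) with AES-256-GCM; the DEK is then wrapped under the KEK, so rotating the realm key only rewrites the small wrapped DEK and never touches the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one stored record: the bulk ciphertext plus its wrapped data key.
// The DEK never exists in the clear outside of memory.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the realm KEK (nonce prepended)
	Ciphertext []byte // record encrypted under the DEK (nonce prepended)
}

// NewKey returns a fresh random 256-bit key, used for both KEKs and DEKs.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, wrong AAD or tampered data fails authentication.
func openGCM(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Encrypt generates a one-time DEK, encrypts the record with it, then wraps the DEK under the KEK.
// realmID (an assumed identifier) is bound as associated data so an envelope from one realm
// cannot be decrypted under another.
func Encrypt(kek, plaintext []byte, realmID string) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(realmID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(realmID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the record with the DEK.
func Decrypt(kek []byte, env Envelope, realmID string) ([]byte, error) {
	dek, err := openGCM(kek, env.WrappedDEK, []byte(realmID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, []byte(realmID))
}

// Rotate re-wraps the DEK under a new KEK. The bulk ciphertext is copied unchanged,
// which is what makes realm-key rotation cheap: no record is re-encrypted.
func Rotate(oldKEK, newKEK []byte, env Envelope, realmID string) (Envelope, error) {
	dek, err := openGCM(oldKEK, env.WrappedDEK, []byte(realmID))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK with old KEK: %w", err)
	}
	wrapped, err := sealGCM(newKEK, dek, []byte(realmID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	// Constructed sample: one record in an assumed realm, then a key rotation.
	kek, _ := NewKey()
	env, _ := Encrypt(kek, []byte("constructed sample record"), "example-realm")
	newKEK, _ := NewKey()
	rotated, _ := Rotate(kek, newKEK, env, "example-realm")
	pt, err := Decrypt(newKEK, rotated, "example-realm")
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
	_, err = Decrypt(kek, rotated, "example-realm")
	fmt.Println("old KEK can still unwrap:", err == nil)
}
```

In a KMS-backed deployment the `sealGCM`/`openGCM` calls on the DEK would be replaced by the KMS wrap and unwrap operations, and the rotation step would only need the new wrapped DEK written back; the per-record ciphertext stays exactly as it was.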

Operational security

Auditing, logging, and data retention processes also keep data security, availability, and integrity at the forefront.

Technical and operational logs

Quickbase’s operational logs from servers, devices, and services are stored in a secure third-party log management platform. This third-party platform performs log analysis, alerting, and reporting. It also provides investigation capabilities for Quickbase site reliability, engineering, and security teams. We retain operational logs for six months. These logs are for internal use only.

Audit logs managed by customers

Quickbase also provides audit log capabilities for customers to track their own user activity. Use audit logs to make sure security standards and compliance policies are upheld. The types of activity you can track include:

  • Logins
  • Application access
  • Data changes
  • Schema changes and version creation
  • Permissions changes

You can choose to retain audit logs for anywhere from 6 months up to 3 years, depending on your service plan. Audit APIs are also available so you can create custom reports and alerts about platform activity.

Data retention

Following data deletion by the customer, we hold data in Quickbase backup systems for approximately 6 months before it is fully purged. At that point, Quickbase sends authorized customer contacts a Certificate of Data Destruction, which certifies that your app data is completely purged from all Quickbase systems.

Additional assurance efforts

We protect the security of our platform through penetration testing and vulnerability scanning.

Penetration testing

At least annually, an independent penetration testing firm performs a time-bound security assessment. They assess:

  • Quickbase platform
  • Internet-facing systems
  • Applicable infrastructure
  • Supporting policy and procedure documentation

We provide the following resources to the penetration testing firm. These resources help them identify possible weaknesses in the Quickbase platform:

  • Application design diagrams
  • Source code
  • Threat models
  • Full administrative privileges within multiple tenants created specifically for the test

This type of penetration testing is known as white-box methodology. It is inclusive of testing against the OWASP Top Ten.

Vulnerability scanning run by Quickbase

Quickbase employs a variety of tools and processes to detect, protect, and respond to security vulnerabilities. This includes, but is not limited to, regular web application security scans and infrastructure scans.

Vulnerability scanning run by customers

Customers may run a security scan against their Quickbase instance. This can only be done under specific conditions designed to protect the performance and reliability of the platform. You must give advance notice to the Quickbase Technical Support team before running a security scan. As part of that notice, you must verify that your testing plans comply with our requirements. Quickbase reserves the right to block any testing which negatively impacts the platform.

Compliance

Quickbase understands the need to provide assurance to customers operating in regulated environments.

We are committed to maintaining compliance with applicable portions of the following:

  • SOC1 – Type II, SOC2 – Type II, SOC3
  • The HIPAA Security Rule
  • DFARS CSA – CCM – STAR Level 2
  • TX-RAMP Certified Cloud Product – Level 2

While Quickbase maintains responsibility for ensuring the security and compliance of the underlying platform infrastructure and supporting technology, Quickbase customers are responsible for ensuring apps and realms are designed, implemented and maintained to meet individual security, compliance, and legal needs. Our shared responsibility model applies to both security and compliance. This means that Quickbase cannot advise customers on how best to achieve their compliance needs. Customers should consult their own compliance professionals to meet applicable compliance requirements. For more information, please see our compliance page.