Security
Shared Responsibility
Quickbase is committed to best-in-class security standards. Security and data confidentiality are a shared responsibility. Quickbase provides a secure platform, together with the tools, support and training resources that enable customers to build and maintain secure apps. Customers also have responsibilities for the security of their Quickbase apps and the data held within them. Customers must understand what data they intend to collect and store in their Quickbase apps, and must ensure that the risk and compliance requirements appropriate to the importance and classification of that data are addressed. Customers must also ensure that security is addressed during app development, including sharing apps only with those who are authorized to access them.
Quickbase gives you confidence that your data is secure and meets industry and internal compliance requirements. Quickbase simplifies the data governance process, improving data integrity while helping IT proactively manage risk. The Quickbase platform includes security and governance features designed to keep the data within the platform reliable, safe and secure.
For detailed information on Quickbase's security posture, and on how to access our SOC 2 report, please visit our Quickbase Compliance page.
Process Based Security
Cloud Security Alliance
CSA's Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Quickbase has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.
Quickbase's CAIQ is available for download from the CSA STAR Registry.
Pen Tests
Quickbase contracts with a third-party security firm to conduct a comprehensive penetration test of the platform annually. The pen test report is available to customers and prospective customers under NDA.
Vulnerability Scans
Quickbase employs a variety of tools and processes, including static code analysis and dynamic web application scans, designed to detect security vulnerabilities. Customers may run their own security scan against the Quickbase platform under the following conditions:
- The customer may only test against their own Quickbase application(s), with no more than three (3) applications accessed during the test.
- The methodology for the test should mimic normal user activities with both normal pace and normal user volume.
- This should not be a performance test or a denial of service test.
- The customer should conduct the test during non-business hours to minimize the chance of negatively impacting their own users.
The customer must open a support case with Quickbase Customer Care at least 5 business days prior to the security scan and provide the following information:
- The application URL(s) against which the test will be conducted.
- The source IP address from which the test will be conducted.
- The date and time the test will begin and end.
- The name and contact information of a person or persons with the direct ability to stop the testing if asked to do so by Quickbase staff.
Quickbase reserves the right to block any testing which negatively impacts the platform.
What details should you include when reporting a security issue to Quickbase?
Please provide as many relevant details as you can. In particular:
- What steps someone can follow to reproduce the issue.
- Any patches or steps to mitigate the problem.
If you believe you've found a security issue, please report it here.
Secure Data Centers
The Quickbase platform is hosted at Flexential Tier 4 data centers located in Las Vegas, NV and Denver, CO. Flexential has spent nearly two decades building world-class data centers with the sole purpose of providing best-in-class colocation and network services designed to meet the most demanding IT requirements. Additionally, Quickbase uses Amazon Web Services (AWS) for ancillary services such as Webhooks and Quickbase Sync, and Google Cloud for Quickbase Pipelines.
Operational Security
Customer Data Segregation
Quickbase is a multi-tenant application Platform as a Service (aPaaS) in which logical access controls segregate each customer's data. Quickbase customers control logical access to their data through authentication and authorization at the Realm, Account and Application layers. A Realm, which corresponds to a customer subdomain, holds that customer's Accounts. Within Accounts are Quickbase Applications, which are built and managed by the customer. Customers manage access and permissions at the Realm, Account and App layers through the Quickbase platform.
Access Control
Customers provision access to the Quickbase apps they develop and deploy in their Quickbase Realm. Quickbase supports Single Sign-On (SSO) and user provisioning and de-provisioning via the Security Assertion Markup Language (SAML). Customers may use Quickbase Groups to implement role-based access control for Quickbase apps at the app, form or field layer.
Quickbase staff do not have access to customer Quickbase apps unless they are invited or authorized by the customer. Quickbase developers occasionally require read-only access to systems that hold metadata, scripts and app schema in order to troubleshoot. A small team of operations personnel has administrative access to the infrastructure that hosts the Quickbase platform.
Platform Capabilities
Encryption
In Motion: Quickbase encrypts customer data in motion and at rest. All communications over untrusted Internet networks are protected with TLS 1.2 or TLS 1.3, using certificates signed with SHA-2 and cipher suites with up to 256-bit keys.
At Rest: Quickbase encrypts all of your app data, and any file attachments in your Quickbase apps, at the application layer using AES-256. Customers may choose to manage a unique key for their Quickbase Realm (a Realm is Quickbase parlance for a customer's security domain within Quickbase). Realm-specific encryption keys provide an additional means of ensuring the privacy and confidentiality of that data. In addition to having a unique encryption key, customers who subscribe to this feature can rotate their realm-specific key on their own schedule. To set up realm-specific encryption keys for your organization, please open a support case.
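The page states that each realm can have its own AES-256 key and that customers can rotate it on their own schedule, but it does not describe how rotation is implemented. The standard way to make per-tenant key rotation cheap is envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is wrapped with the realm's key-encryption key (KEK), so rotating the realm key means re-wrapping DEKs rather than re-encrypting every record. The following Go program is an added example of that pattern, written for this page; it is not Quickbase's code, and the `Realm`, `Envelope`, `Rewrap` and `RetireKEK` names are this example's own. The sample record is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one stored record (hypothetical layout, not Quickbase's).
type Envelope struct {
	KEKVersion int    // realm key version that wraps the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK); AAD binds the version
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

// Realm keeps every KEK version that still wraps some stored DEK.
type Realm struct {
	keks    map[int][]byte // version -> 32-byte AES key
	current int
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith returns nonce || ciphertext+tag, so each field carries its own nonce.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func openWith(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], aad) // fails on any tampering
}

func versionAAD(v int) []byte { return []byte(fmt.Sprintf("kek-version:%d", v)) }

func NewRealm() (*Realm, error) {
	r := &Realm{keks: map[int][]byte{}}
	return r, r.RotateKEK()
}

// RotateKEK installs a fresh realm key; older versions stay until retired.
func (r *Realm) RotateKEK() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	r.current++
	r.keks[r.current] = kek
	return nil
}

func (r *Realm) Encrypt(record []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealWith(dek, record, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(r.keks[r.current], dek, versionAAD(r.current))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: r.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func (r *Realm) unwrap(e *Envelope) ([]byte, error) {
	kek, ok := r.keks[e.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("realm key version %d is not available", e.KEKVersion)
	}
	return openWith(kek, e.WrappedDEK, versionAAD(e.KEKVersion))
}

func (r *Realm) Decrypt(e *Envelope) ([]byte, error) {
	dek, err := r.unwrap(e)
	if err != nil {
		return nil, err
	}
	return openWith(dek, e.Ciphertext, nil)
}

// Rewrap moves an envelope onto the current KEK without touching the record
// ciphertext; once every envelope is rewrapped, the old version can be retired.
func (r *Realm) Rewrap(e *Envelope) error {
	if e.KEKVersion == r.current {
		return nil
	}
	dek, err := r.unwrap(e)
	if err != nil {
		return err
	}
	wrapped, err := sealWith(r.keks[r.current], dek, versionAAD(r.current))
	if err != nil {
		return err
	}
	e.WrappedDEK, e.KEKVersion = wrapped, r.current
	return nil
}

func (r *Realm) RetireKEK(version int) { delete(r.keks, version) }

func main() {
	realm, _ := NewRealm()
	env, _ := realm.Encrypt([]byte("constructed sample record")) // constructed input
	_ = realm.RotateKEK()
	_ = realm.Rewrap(env)
	realm.RetireKEK(1)
	pt, err := realm.Decrypt(env)
	fmt.Printf("%q (version %d) err=%v\n", pt, env.KEKVersion, err)
}
```

Two design points matter for a customer-managed key. First, the old KEK version must stay available until every envelope has been rewrapped, otherwise records wrapped under it become unreadable; retiring the version is the last step of a rotation, not the first. Second, binding the KEK version into the GCM additional data means a stored envelope cannot be silently re-labelled to a different key version.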
Logging & Auditing
Logs from the servers, devices and services that power the Quickbase platform are off-loaded to, and secured in, a third-party log management platform. That platform provides log analysis, alerting, reporting and investigation capabilities for the Quickbase operations, engineering and security teams who support the platform. These operational logs are retained for 6 months.
Quickbase provides Audit logs as an optional feature for customers. Audit logs give your Quickbase realm administrator a view of user activity in the realm and of data and schema changes to your apps. Customers may choose to retain audit log data for 6 months or for 1, 3 or 7 years.