Security and Compliance

updated 7/23/2020

A Legacy of Trust

Quick Base was a division of Intuit, a global leader in financial and business solutions, from 1999 until its divestiture in 2016. Today, Quick Base is building on a long legacy of Trust (one of our core values) to continue to meet higher levels of security and compliance, enabling our customers to build and deploy secure Quick Base apps in mission-critical use cases.

Our Mission

  • Embedding best practices into everything we do, in every part of our company
  • Alignment of our processes and controls with industry standards
  • Being transparent with our customers and continuing to learn from them

Shared Responsibility

Security and confidentiality are a shared responsibility between Quick Base and our customers. Quick Base provides a secure platform, along with the tools, support and training resources that enable our customers to build and maintain secure apps.

Customers have numerous responsibilities around the security of Quick Base apps and the data held within them. Customers must understand what data they intend to collect and store in their Quick Base apps, and ensure that the risk and compliance requirements which correlate to the importance and classification of that data are addressed. Customers must ensure that security is addressed in the development of Quick Base apps, including ensuring that apps are shared with only those who are authorized to access them.

Security Governance

Quick Base’s Compliance & Information Security Officer, part of the Executive Management team, sets the vision and strategy for the company’s security and compliance program, with the goal of providing strategic direction, ascertaining that risks are managed appropriately and ensuring that objectives are achieved. Quick Base’s Security Team is responsible for the design and implementation of security tooling, risk identification and mitigation, and aligning our corporate, development and infrastructure controls with best practices in line with Quick Base's business and compliance objectives.

Background Checks and Security Training

All Quick Base staff undergo background checks before they’re hired. All Quick Base staff are also required to take mandatory security, ethics and privacy training once they join Quick Base and on an ongoing basis during their employment with Quick Base.

Security in Software Development

Quick Base integrates security testing into each phase of the development life cycle, from static code security scans to dynamic web scans which run daily. We train our development team on how to develop securely using best practices.

Data and Operational Security

Customer Data Segregation

Quick Base is a multi-tenant application Platform as a Service (aPaaS) with logical access segregating each customer’s data. Quick Base customers control logical access to their data via authentication and authorization at the Realm, Account and Application layers. Realms, otherwise thought of as sub-domains, hold customer Accounts. Within Accounts are Quick Base Applications, which are built and managed by the customer. Customers manage access and permissions at the Realm, Account and App layers via the Quick Base platform.

Access Control

Customers provision access to the Quick Base apps they develop and deploy to their Quick Base Realm. Quick Base supports Single Sign-On and user provisioning/de-provisioning via the Security Assertion Markup Language (SAML). Quick Base Groups may be used by customers to provision Role Based Access Control to Quick Base apps, at the app, form or field layer.

Quick Base staff do not have access to customer Quick Base apps unless they are invited or authorized by the customer. Quick Base developers occasionally require read-only access to systems which hold metadata, scripts and app schema in order to troubleshoot. A small team of operations personnel has administrative access to the infrastructure which hosts the Quick Base platform.


In Motion: Quick Base encrypts customer data in motion and at rest. All communications over non-trusted Internet networks are encrypted using TLS 1.2 and 1.3 with an up to 256-bit (SHA-2) TLS certificate.

At Rest: Quick Base encrypts all of your app data and any file attachments attached to your Quick Base apps at the application layer using an AES 256 key. Customers may choose to manage a unique key for their Quick Base Realm (a Realm is Quick Base parlance for a customer's security domain within Quick Base). Realm-specific encryption keys provide an additional means to ensure the privacy and confidentiality of that data. In addition to having a unique encryption key, customers who subscribe to this feature can rotate realm-specific encryption keys on their own schedule. To set up realm-specific encryption keys for your organization, please open a support case.


Quick Base’s operations team employs automated incident detection, escalation technologies and procedures which ensure that any infrastructure or sub-service provider issue is rapidly addressed, 24x7x365. Customers may view and subscribe to service status updates at

Logging and Auditing

Logs from the servers, devices and services which power the Quick Base platform are off-loaded and secured in a 3rd party log management platform which performs log analysis, alerting and reporting as well as investigation capabilities for Quick Base operations, engineering and security teams who support the Quick Base platform. These operational logs are retained for 3 months.

Quick Base provides Audit logs as an optional feature for customers. Audit logs provide your Quick Base realm administrator a view of your Quick Base realm user activity, data and schema changes to your apps. Customers may choose to retain audit log data for 6 months, 1, 3 or 7 years.


Quick Base data is continuously replicated from the production to the hot standby data center. In each data center, Quick Base app and file attachment data is backed up via a daily snapshot from online storage to alternate online storage within the same data center. Quick Base maintains 14 daily snapshots and 6 months of weekly snapshots. This same procedure is done in the disaster recovery data center. The backup data is encrypted by virtue of the fact that the data is encrypted at the application layer. Removable backup media is not used; hence there is no physical transportation of media. Additionally, customers may download their Quick Base application data at any time. For more information consult our help article on backups.

Disaster Recovery and Business Continuity

Each component of the infrastructure which powers Quick Base, from network equipment to web, app and database servers, is highly available and redundant. If something were to drastically impact our production services, our DR capabilities are best in class. Quick Base maintains 2 geographically diverse production-ready data centers. Production data is replicated to the hot standby data center with up to a 15 minute delay, i.e., a recovery point objective (RPO) of 15 minutes. If an issue were to impact the production site, we only need 2 hours to bring up production at the DR site, i.e., a recovery time objective (RTO) of 2 hours.

Incident Response

Quick Base employs tools and processes which monitor the platform, network, server and service components which make up the Quick Base services, and has a dedicated security team and incident response processes. Quick Base commits to notifying affected customers of any suspected or confirmed unauthorized access to information via e-mail or phone.

Data Sovereignty

Quick Base stores and processes data held in Quick Base apps in the U.S.A. Quick Base does not transfer customer Quick Base app data outside of the Quick Base hosted service hosted in the United States, or to any third party, without customer authorization.

Data Portability

Data portability allows organizations to move, copy or transfer data easily from their Quick Base apps to other systems. Customers' authorized users may download their app data any time in CSV, Tab-delimited or XML format, via the web interface or our APIs.

Data Retention

Customers are in control of, and responsible for, implementing their data retention requirements for the data they upload to Quick Base apps. Quick Base purges customer data from the online Quick Base platform if you terminate your service with Quick Base. After that, data will be held in Quick Base backup systems for 6 months. Once data is fully purged from Quick Base backup systems, Quick Base will send authorized customer contacts a Certificate of Data Destruction, certifying that your app data is completely purged from all Quick Base systems.


Quick Base apps can be configured by the app builder to send reports via email. Quick Base uses a third party service to send reports via email which employs opportunistic TLS. This means that if a customer’s email system supports TLS encryption, email delivered from QB apps will be encrypted in transit (i.e., from the Quick Base Service to the customer’s email system over the Internet).

By default, Quick Base only allows emails sent from a customer realm to be sent to users within that realm; however, authorized customer account administrators may submit a care support case to enable apps within their realm to send emails to other individuals.

Quick Base Sync and Pipelines Gmail Connection and Google API Services

As part of the Quick Base Service, Quick Base allows Quick Base users to synchronize information from their own Google accounts with their own Quick Base applications. Quick Base's use of information received, and Quick Base's transfer of information to any other app, from Google APIs will adhere to Google's Limited Use Requirements (specified in the Google API Terms of Service, Google API User Data Policy).

Security Assurance and Compliance


Quick Base conducts annual 3rd party attestations for several compliance standards and regulations including SOC 1/2/3, HIPAA and DFARS.

Cloud Security Alliance

CSA's Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Quick Base has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.

Quick Base's CAIQ is available for download from the CSA STAR Registry.

Pen Tests

Quick Base contracts with a 3rd party security firm to conduct a comprehensive security penetration test on an annual basis. Our pen test report is available to customers or prospective customers under NDA.

Vulnerability Scans

Quick Base employs a variety of tools and processes including static code analysis and dynamic web application scans designed to detect security vulnerabilities. Customers may run a security scan against the Quick Base platform under the following conditions:

  • The customer can only test using their own Quick Base application(s) with up to three (3) applications accessed during the testing.
  • The methodology for the test should mimic normal user activities with both normal pace and normal user volume.
  • This should not be a performance test or a denial of service test.
  • The customer should conduct the test during non-business hours to minimize the chance of negatively impacting their own users.
  • The customer must open a support case with Quick Base Customer Care to test up to 3 apps at least 5 business days prior to the security scan and provide the following information:
      • The application URL(s) against which the test will be conducted.
      • The source IP address from which the test will be conducted.
      • The date and time the test will begin and end.
      • The name and contact information of a person or persons with the direct ability to stop the testing if asked to do so by Quick Base staff.

Quick Base reserves the right to block any testing which negatively impacts the platform.

What details should you include when reporting a security issue to Quick Base?

Please provide as many relevant details as you can. In particular:

  • What steps someone can follow to reproduce the issue.
  • Any patches or steps to mitigate the problem.

Secure Data Centers

The Quick Base platform is hosted at Flexential Tier 4 data centers located in Las Vegas, NV and Denver, CO. Flexential has spent nearly two decades building world class data centers with the sole purpose of providing best-in-class colocation and network services designed to meet the most demanding IT requirements. Additionally, Quick Base utilizes Amazon AWS for ancillary services such as WebHooks and Quick Base Sync, and Google Cloud for Quick Base Pipelines.

SOC Reports

Quick Base undergoes an annual SSAE18 SOC 1/2/3 Type 2 examination covering Security and Availability Trust Services Principles defined by the AICPA Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Quick Base began including SOC 1 audit in 2017. Please note customer app and realm controls are not part of the scope of Quick Base's SOC reports; therefore customers may want to include these pertinent Quick Base controls in their respective SOC examination.

Quick Base's SOC 1/2 reports are issued in July annually and are available to customers or prospective customers under NDA. Quick Base's SOC 3 report is publicly available and provides a summary of the Quick Base SOC 2 report. Download the 2020 report here.


The Health Insurance Portability and Accountability Act (“HIPAA”) is a United States law that applies to companies and other entities involved in the healthcare industry that may have access to patient information (called “Protected Health Information”, or “PHI”).

Quick Base abides by the HIPAA Security and Privacy rules in our operation of the Quick Base platform. Quick Base performs an annual HIPAA Attestation as part of our annual SOC examinations conducted by a 3rd party audit firm, which validates that Quick Base controls meet or exceed the requirements.

Quick Base enables its customers to build HIPAA-compliant applications. Quick Base's customers are responsible for determining if they are a Covered Entity or Business Associate under HIPAA (and whether a business associate agreement with Quick Base is required) and for ensuring that they use Quick Base in compliance with HIPAA. Customers who store or process Protected Health Information must sign a business associate agreement with Quick Base. Quick Base will sign BAAs with our customers on annual or multi-year contracts.


Quick Base utilizes a PCI-compliant vendor to process credit cards for our customers. However, the Quick Base platform itself has not undergone a PCI audit; therefore credit card data should not be stored in Quick Base apps.

NIST 800-171

A growing number of customers are adopting Quick Base to handle unclassified Department of Defense (DoD) Covered Defense Information (CDI) including Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), and other mission-critical data requiring protection from unauthorized disclosure. NIST Special Publication 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of CDI. Quick Base incorporates NIST 800-171 controls into its operation and management of the Quick Base platform and provides independent attestation to our compliance via our annual 3rd party SOC examination. As with our SOC 2, this report is available to customers or to prospective customers under NDA.


FERPA governs use of that data when schools and districts use Quick Base apps which include FERPA-regulated data.

Educational institutions are responsible for maintaining FERPA compliance when handling personal data of their students. These responsibilities include identifying data elements which are uploaded to Quick Base, maintaining access and sharing permissions appropriately, and being transparent with students as to data sharing arrangements with service providers.

As a service provider, Quick Base enables educational institutions who use Quick Base apps for FERPA data to be compliant with FERPA by:

  • Maintaining security of the Quick Base platform via security plans and controls.
  • Not sharing or disclosing our app data to any 3rd party.
  • Not using customer app data for unrelated activities such as data mining.
  • Implementing customer security breach notification procedures.
  • Purging app data at end of service contract.

For more information about FERPA, visit the Privacy Technical Assistance Center at the US Dept of Education at


Electronic discovery refers to discovery in legal proceedings such as litigation where the information sought is in electronic format. Quick Base supports key requirements of e-Discovery:

  • Preservation of Evidence - Upon legal hold being placed on customer data held within Quick Base apps, the customer may instruct personnel to preserve (not delete) apps and data. Additionally, the customer may choose to make copies of existing apps in order to preserve the data at that point in time. Lastly, Quick Base maintains backup copies of customer apps and data. Customers may request apps to be restored via customer support.
  • Identification of Data - Quick Base provides the ability to search apps; however, it is important to note that fields must be marked as searchable by the app owner. File attachments may also be searched; however, they must be downloaded and searched locally.
  • Data Access - Customers own their data which they have uploaded and stored within Quick Base.


Quick Base abides by privacy laws and regulations that are applicable to our services. Quick Base personnel may have logical access to customer data stored in Quick Base apps only if they are authorized by the customer or have a need for access due to their job function.

Quick Base does not have visibility into or knowledge of what customers are uploading onto its platform, including whether or not that data is deemed subject to privacy regulations. Customers are responsible for their own privacy compliance for data they upload and store in Quick Base apps.

Quick Base’s Privacy Policy describes how Quick Base handles any personal information gathered from visitors to its website at Quick and from users of the Quick Base service.

EU Data Protection Regulations

Quick Base is hosted in the United States and serves customers globally. There are several mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, namely the EU Model Contract clauses and end user consent. For customers that require it, Quick Base has a Data Processing Agreement (“DPA”) which includes the EU Model Contract clauses in order to capture the requirements of GDPR and provide for a valid mechanism of data transfer between the EU and the US.

A third mechanism was via Privacy Shield certification, a framework designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 16, 2020, the European Court of Justice invalidated the Privacy Shield program as a valid transfer mechanism. The decision does not relieve participating organizations of their Privacy Shield obligations and the Department of Commerce will continue to administer the Privacy Shield program. Quick Base’s certification under the Privacy Shield program may be viewed at the Privacy Shield site


On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on service providers like Quick Base which store and process EU personal data.

Quick Base views GDPR as an opportunity to deepen our commitment to privacy and data protection best practices. Similar to existing legal requirements, compliance with the GDPR requires a partnership between Quick Base and our customers in their use of our platform. Quick Base complies with the GDPR in the delivery of our service to our customers and we are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR and have made enhancements to our products, contracts, and documentation to help support Quick Base’s and our customers’ compliance with the GDPR. In addition to ensuring our own compliance with the provision of GDPR, Quick Base's updated Data Processing Addendum, available upon request, contains additional provisions to assist customers with their compliance with the GDPR.


Quick Base utilizes subprocessors for the provisioning of our Services to you as described in our agreements on For a current list of our sub-processors please see


The California Consumer Privacy Act enhances privacy rights and consumer protection for residents of California by allowing California residents more control over how companies collect and use their personal information. The bill was passed by the California State Legislature and signed into law on June 28, 2018. The law goes into effect starting January 1, 2020. In providing the Quick Base platform, our customers are "businesses" and Quick Base is a "Service Provider" as described in the CCPA, which means that Quick Base retains, uses and/or discloses personal information only to provide the Quick Base platform and for other uses as permitted by the CCPA.

Export Controls

Prohibited Countries

Quick Base complies with U.S. regulations related to embargoed countries and regions. As such, Quick Base currently prohibits the unauthorized usage of its products and services in Cuba, Iran, North Korea, Sudan and Syria. Because this list of countries and regions may change from time to time, customers and their users are urged to consult the relevant regulations, including the U.S. Export Administration Regulations.

Denied Parties

Quick Base products and services may not be exported to, re-exported to, transferred to, or used by any restricted person or entity, including those listed on the U.S. Treasury Department's list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, the State Department's Debarred list, or similar denied parties list without prior authorization by the U.S. Government.

For more information and for further assistance in determining your individual licensing requirements, contact the Department of Commerce, Bureau of Industry and Security, or the Office of Foreign Assets Control.

Prohibited End-Uses

Quick Base products and services may not be exported, re-exported, or transferred if for use directly or indirectly in any prohibited activity described in Part 744 of the U.S. Export Administration Regulations, including certain nuclear, chemical or biological weapons, rocket systems or unmanned air vehicle end-uses.

Accessibility/508 Compliance

To make the interface accessible to users with disabilities, Quick Base includes features that support several specifications in the Web Content Accessibility Guidelines (WCAG) 2.0.

The Voluntary Product Accessibility Template (VPAT) is a standardized form developed in partnership by the Information Technology Industry Council (ITI) and the U.S. General Services Administration (GSA) to document a product’s conformance with key regulations of Section 508 of the Rehabilitation Act. Quick Base has completed an accessibility assessment of the Quick Base platform and has documented its accessibility status using these VPATs. Quick Base's VPAT can be downloaded here.

Find a Security Issue?

Please visit our Responsible Disclosure page here.