A Legacy of Trust
Quick Base was a division of Intuit, a global leader in financial and business solutions, from 1999 until its divestiture in 2016. Today, Quick Base is building on a long legacy of Trust (one of our core values) to continue to meet higher levels of security and compliance, enabling our customers to build and deploy secure Quick Base apps in mission-critical use cases.
- Embedding best practices into everything we do, in every part of our company
- Alignment of our processes and controls with industry standards
- Being transparent with our customers and continuing to learn from them
Security and confidentiality are a shared responsibility between Quick Base and our customers. Quick Base provides a secure platform, and provides the tools, support and training resources that enable our customers to build and maintain secure apps.
Customers have numerous responsibilities around the security of Quick Base apps and the data held within them. Customers must understand what data they intend to collect and store in their Quick Base apps, and ensure that the risk and compliance requirements which correlate to the importance and classification of that data are addressed. Customers must ensure that security is addressed in the development of Quick Base apps, including ensuring that apps are shared with only those who are authorized to access them.
Quick Base’s Compliance & Information Security Officer, part of the Executive Management team, sets the vision and strategy for the company’s security and compliance program, with the goal of providing strategic direction, ascertaining that risks are managed appropriately and ensuring that objectives are achieved. Quick Base’s Security Team is responsible for the design and implementation of security tooling, risk identification and mitigation, and aligning our corporate, development and infrastructure controls with best practices in line with Quick Base's business and compliance objectives.
Background Checks and Security Training
All Quick Base staff undergo background checks before they’re hired. All Quick Base staff are also required to take mandatory security, ethics and privacy training once they join Quick Base and on an ongoing basis during their employment with Quick Base.
Security in Software Development
Quick Base integrates security testing into each phase of the development life-cycle, from static code security scans to dynamic web scans which run daily. We train our development team on how to develop securely using best practices.
Data and Operational Security
Customer Data Segregation
Quick Base is a multi-tenant application Platform as a Service (aPaaS) with logical access segregating each customer’s data. Quick Base customers control logical access to their data via authentication and authorization at the Realm, Account and Application layers. Realms, otherwise thought of as sub-domains, hold customer Accounts. Within Accounts are Quick Base Applications, which are built and managed by the customer. Customers manage access and permissions at the Realm, Account and App layers via the Quick Base platform.
Customers provision access to the Quick Base apps they develop and deploy to their Quick Base Realm. Quick Base supports Single Sign-On and user provisioning/de-provisioning via the Security Assertion Markup Language (SAML). Quick Base Groups may be used by customers to provision Role Based Access Control to Quick Base apps, at the app, form or field layer.
Quick Base staff do not have access to customer Quick Base apps unless they are invited or authorized by the customer. Quick Base developers occasionally require read-only access to systems which hold metadata, scripts and app schema in order to troubleshoot. A small team of operations personnel have administrative access to the infrastructure which hosts the Quick Base platform.
In Motion: Quick Base encrypts customer data in motion and at rest. All communications over non-trusted Internet networks are encrypted with TLS 1.2 and 1.3 at up to 256 bit, using a SHA-2 TLS certificate.
At Rest: Quick Base encrypts all of your app data and any file attachments attached to your Quick Base apps at the application layer using an AES-256 key. Customers may choose to manage a unique key for their Quick Base Realm (a Realm is Quick Base parlance for a customer's security domain within Quick Base). Realm-specific encryption keys provide an additional means to ensure the privacy and confidentiality of that data. In addition to having a unique encryption key, customers who subscribe to this feature can rotate realm-specific encryption keys on their own schedule. To set up realm-specific encryption keys for your organization, please open a support case.
Quick Base’s operations team employs automated incident detection, escalation technologies and procedures which ensure that any infrastructure or sub-service provider issue is rapidly addressed, 24x7x365. Customers may view and subscribe to service status updates at https://service.quickbase.com/
Logging and Auditing
Logs from the servers, devices and services which power the Quick Base platform are off-loaded and secured in a third-party log management platform. That platform performs log analysis, alerting and reporting, and provides investigation capabilities for the Quick Base operations, engineering and security teams who support the Quick Base platform. These operational logs are retained for 3 months.
Quick Base provides Audit logs as an optional feature for customers. Audit logs provide your Quick Base realm administrator a view of your Quick Base realm user activity, data and schema changes to your apps. Customers may choose to retain audit log data for 6 months, 1, 3 or 7 years.
Quick Base data is continuously replicated from the production to the hot standby data center. In each data center, Quick Base app and file attachment data is backed up via a daily snapshot from online storage to alternate online storage within the same data center. Quick Base maintains 14 daily snapshots and 6 months of weekly snapshots. This same procedure is done in the disaster recovery data center. The backup data is encrypted by virtue of the fact that the data is encrypted at the application layer. Removable backup media is not used, hence there is no physical transportation of media.
Disaster Recovery and Business Continuity
Each component of the infrastructure which powers Quick Base (from network equipment to web, app and database servers) is highly available and redundant. If something were to drastically impact our production services, our DR capabilities are best in class. Quick Base maintains 2 geographically diverse production-ready data centers. Production data is replicated to the hot standby data center with up to a 15 minute delay, i.e., a recovery point objective (RPO) of 15 minutes. If an issue were to impact the production site, we only need 2 hours to bring up production at the DR site, i.e., a recovery time objective (RTO) of 2 hours.
Quick Base employs tools and processes which monitor the platform, network, server and service components which make up the Quick Base services, and has a dedicated security team and incident response processes. Quick Base commits to notifying affected customers of any suspected or confirmed unauthorized access to information via e-mail or phone.
Quick Base stores and processes data held in Quick Base apps in the U.S.A. Quick Base does not transfer customer Quick Base app data outside of the Quick Base hosted service hosted in the United States, or to any third-party, without customer authorization.
Data portability allows organizations to move, copy or transfer data easily from their Quick Base apps to other systems. Customers' authorized users may download their app data any time in CSV, Tab-delimited or XML format, via the web interface or our APIs.
Customers are in control of and responsible for implementing their data retention requirements for the data they upload to Quick Base apps. Quick Base purges customer data from the online Quick Base platform if you terminate your service with Quick Base. After that, data will be held in Quick Base backup systems for 6 months. Upon data being fully purged from Quick Base backup systems, Quick Base will send authorized customer contacts a Certificate of Data Destruction, certifying your app data is completely purged from all Quick Base systems.
Quick Base apps can be configured by the app builder to send reports via email. Quick Base uses a third-party service to send reports via email, which employs opportunistic TLS. This means that if a customer’s email system supports TLS encryption, email delivered from Quick Base apps will be encrypted in transit (i.e., from the Quick Base Service to the customer’s email system over the Internet).
By default, Quick Base only allows emails sent from a customer realm to be sent to users within that realm; however, authorized customer account administrators may submit a care support case to enable apps within their realm to send emails to other individuals.
Quick Base Sync Gmail Connection and Google API Services
The Quick Base Sync service allows authenticated Quick Base users to synchronize information from their own Google Gmail accounts with their own Quick Base applications. This Quick Base Help document describes how to define the connection to Gmail from Quick Base. To facilitate this synchronization process, the Sync feature uses Gmail APIs. Quick Base's use of information received, and Quick Base's transfer of information to any other app, from Google APIs will adhere to Google's Limited Use Requirements (specified in the Google API Terms of Service, Google API User Data Policy).