SOC, HIPAA, DFARS
Quickbase conducts annual third-party attestations for several compliance standards and regulations, including SOC 1/2/3, HIPAA and DFARS.
Cloud Security Alliance
CSA's Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Quickbase has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.
Quickbase's CAIQ is available for download from the CSA Star Registry.
Quickbase contracts with a third-party security firm to conduct a comprehensive security penetration test annually. The penetration test report is available to customers and prospective customers under NDA.
Quickbase employs a variety of tools and processes, including static code analysis and dynamic web application scans, designed to detect security vulnerabilities. Customers may run a security scan against the Quickbase platform under the following conditions:
- The customer may only test their own Quickbase application(s), with up to three (3) applications accessed during the testing.
- The test methodology should mimic normal user activity, at a normal pace and with normal user volume.
- The test must not be a performance test or a denial-of-service test.
- The customer should conduct the test during non-business hours to minimize the chance of negatively impacting their own users.
- The customer must open a support case with Quickbase Customer Care at least five (5) business days before the security scan to test up to three (3) apps, and provide the following information:
  - The application URL(s) against which the test will be conducted.
  - The source IP address from which the test will be conducted.
  - The date and time the test will begin and end.
  - The name and contact information of a person or persons with the direct ability to stop the testing if asked to do so by Quickbase staff.
Quickbase reserves the right to block any testing which negatively impacts the platform.
What details should you include when reporting a security issue to Quickbase?
Please provide as many relevant details as you can. In particular:
- The steps someone can follow to reproduce the issue.
- Any patches or steps that mitigate the problem.
Secure Data Centers
The Quickbase platform is hosted at Flexential Tier 4 data centers located in Las Vegas, NV and Denver, CO. Flexential has spent nearly two decades building world-class data centers with the sole purpose of providing best-in-class colocation and network services designed to meet the most demanding IT requirements. Additionally, Quickbase uses Amazon AWS for ancillary services such as WebHooks and Quickbase Sync, and Google Cloud for Quickbase Pipelines.
Quickbase undergoes an annual SSAE 18 SOC 1/2/3 Type 2 examination covering the Security and Availability Trust Services Principles, as defined by the AICPA Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Quickbase began including a SOC 1 audit in 2017. Please note that customer app and realm controls are not within the scope of Quickbase's SOC reports; customers may therefore want to include these pertinent Quickbase controls in their own SOC examinations.
Quickbase's SOC 1/2 reports are issued annually in July and are available to customers and prospective customers under NDA. Quickbase's SOC 3 report is publicly available and provides a summary of the Quickbase SOC 2 report. Download the 2021 report here.
The Health Insurance Portability and Accountability Act (“HIPAA”) is a United States law that applies to companies and other entities involved in the healthcare industry that may have access to patient information (called “Protected Health Information”, or “PHI”).
Quickbase abides by the HIPAA Security and Privacy Rules in its operation of the Quickbase platform. Quickbase performs an annual HIPAA attestation as part of its annual SOC examinations, conducted by a third-party audit firm, which validates that Quickbase's controls meet or exceed the HIPAA requirements.
Quickbase enables its customers to build HIPAA-compliant applications. Quickbase's customers are responsible for determining whether they are a Covered Entity or Business Associate under HIPAA (and whether a business associate agreement with Quickbase is required) and for ensuring that they use Quickbase in compliance with HIPAA. Customers who store or process Protected Health Information must sign a business associate agreement (BAA) with Quickbase. Quickbase will sign BAAs with customers on annual or multi-year contracts.
FDA & GxP
GxP is a collection of quality guidelines and regulations applicable to life sciences organizations that make food and medical products such as drugs, biologics, medical devices and medical software applications. GxP regulations include those requirements outlined in US FDA CFR Title 21 Part 11.
The platform and its underlying technology are maintained to meet best practices so that customers can build and support applications subject to FDA and GxP requirements. Our GxP Assurance Package shows that the platform meets the requirements of compliance regulations such as US FDA CFR Title 21 Part 11.
Quickbase uses a PCI-compliant vendor to process credit cards for our customers. However, the Quickbase platform itself has not undergone a PCI audit; therefore, credit card data should not be stored in Quickbase apps.
A growing number of customers are adopting Quickbase to handle unclassified Department of Defense (DoD) Covered Defense Information (CDI), including Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), and other mission-critical data requiring protection from unauthorized disclosure. NIST Special Publication 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of CDI. Quickbase incorporates NIST 800-171 controls into its operation and management of the Quickbase platform and provides independent attestation of its compliance via its annual third-party SOC examination. As with the SOC 2 report, this report is available to customers and prospective customers under NDA.
FERPA & HECVAT
FERPA governs the use of student education records, including when schools and districts use Quickbase apps that contain FERPA-regulated data.
Educational institutions are responsible for maintaining FERPA compliance when handling the personal data of their students. These responsibilities include identifying the data elements that are uploaded to Quickbase, maintaining access and sharing permissions appropriately, and being transparent with students about data-sharing arrangements with service providers.
As a service provider, Quickbase enables educational institutions that use Quickbase apps for FERPA data to comply with FERPA by:
• Maintaining security of the Quickbase platform via security plans and controls.
• Not sharing or disclosing customer app data with any third party.
• Not using customer app data for unrelated activities such as data mining.
• Implementing customer security breach notification procedures.
• Purging app data at end of service contract.
For more information about FERPA, visit the Privacy Technical Assistance Center at the US Dept of Education at https://www.ed.gov/open/plan/privacy-technical-assistance-center
HECVAT, the Higher Education Community Vendor Assessment Toolkit, is a questionnaire framework designed specifically for higher education to measure the vendor risk of service providers like Quickbase. Quickbase provides an up-to-date completed HECVAT questionnaire to assist educational institutions with their due diligence.
Electronic discovery refers to discovery in legal proceedings, such as litigation, where the information sought is in electronic format. Quickbase supports key requirements of e-Discovery:
- Preservation of Evidence - Once a legal hold is placed on customer data held within Quickbase apps, the customer may instruct personnel to preserve (not delete) apps and data. Additionally, the customer may choose to make copies of existing apps in order to preserve the data at that point in time. Lastly, Quickbase maintains backup copies of customer apps and data; customers may request that apps be restored via customer support.
- Identification of Data - Quickbase provides the ability to search apps; however, note that fields must be marked as searchable by the app owner. File attachments may also be searched, but they must be downloaded and searched locally.
- Data Access - Customers own their data which they have uploaded and stored within Quickbase.
Quickbase abides by privacy laws and regulations that are applicable to our services. Quickbase personnel may have logical access to customer data stored in Quickbase apps only if they are authorized by the customer or have a need for access due to their job function.
Quickbase does not have visibility into or knowledge of what customers are uploading onto its platform, including whether or not that data is deemed subject to privacy regulations. Customers are responsible for their own privacy compliance for data they upload and store in Quickbase apps.
EU Data Protection Regulations
Quickbase is hosted in the United States and serves customers globally. There are several mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, namely the EU Model Contract clauses and end user consent. For customers that require it, Quickbase has a Data Processing Agreement (“DPA”) which includes the EU Model Contract clauses in order to capture the requirements of GDPR and provide for a valid mechanism of data transfer between the EU and the US.
A third mechanism was via Privacy Shield certification, a framework designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 16, 2020, the European Court of Justice invalidated the Privacy Shield program as a valid transfer mechanism. The decision does not relieve participating organizations of their Privacy Shield obligations and the Department of Commerce will continue to administer the Privacy Shield program. Quickbase’s certification under the Privacy Shield program may be viewed at the Privacy Shield site.
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on service providers like Quickbase which store and process EU personal data.
Quickbase views the GDPR as an opportunity to deepen our commitment to privacy and data protection best practices. As with existing legal requirements, compliance with the GDPR requires a partnership between Quickbase and our customers in their use of our platform. Quickbase complies with the GDPR in the delivery of our service to our customers, and we are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR and have made enhancements to our products, contracts, and documentation to help support Quickbase's and our customers' compliance with the GDPR. In addition to ensuring our own compliance with the provisions of the GDPR, Quickbase's updated Data Processing Addendum, available upon request, contains additional provisions to assist customers with their compliance with the GDPR.
Quickbase utilizes subprocessors for the provisioning of our Services to you as described in our agreements on https://www.quickbase.com/terms-of-service. For a current list of our sub-processors please see https://www.quickbase.com/data-subprocessors
The California Consumer Privacy Act enhances privacy rights and consumer protection for residents of California by allowing California residents more control over how companies collect and use their personal information. The bill was passed by the California State Legislature and signed into law on June 28, 2018. The law goes into effect starting January 1, 2020. In providing the Quickbase platform, our customers are "businesses" and Quickbase is a "Service Provider" as described in the CCPA, which means that Quickbase retains, uses and/or discloses personal information only to provide the Quickbase platform and for other uses as permitted by the CCPA.
Quickbase complies with U.S. regulations related to embargoed countries and regions. As such, Quickbase currently prohibits the unauthorized usage of its products and services in Cuba, Iran, North Korea, Sudan and Syria. Because this list of countries and regions may change from time to time, customers and their users are urged to consult the relevant regulations, including the U.S. Export Administration Regulations.
Quickbase products and services may not be exported to, re-exported to, transferred to, or used by any restricted person or entity, including those listed on the U.S. Treasury Department's list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person's List or Entity List, the State Department's Debarred list, or similar denied parties list without prior authorization by the U.S. Government.
For more information and for further assistance in determining your individual licensing requirements, contact the Department of Commerce, Bureau of Industry and Security (https://www.bis.doc.gov/) or Office of Foreign Assets Control (https://www.treasury.gov).
Quickbase products and services may not be exported, re-exported, or transferred if for use directly or indirectly in any prohibited activity described in Part 744 of the U.S. Export Administration Regulations, including certain nuclear, chemical or biological weapons, rocket systems or unmanned air vehicle end-uses.
To make the interface accessible to users with disabilities, Quickbase includes features that support several specifications in the Web Content Accessibility Guidelines (WCAG) 2.0.
The Voluntary Product Accessibility Template (VPAT) is a standardized form developed in partnership by the Information Technology Industry Council (ITI) and the U.S. General Services Administration (GSA) to document a product's conformance with key regulations of Section 508 of the Rehabilitation Act. Quickbase has completed an accessibility assessment of the Quickbase platform and has documented its accessibility status using these VPATs. Quickbase's VPAT can be downloaded here.
Find a Security Issue?
Please visit our Responsible Disclosure page here.