Security and Compliance
A Legacy of Trust
Quickbase was a division of Intuit, a global leader in financial and business solutions, from 1999 until its divestiture in 2016. Today, Quickbase builds on a long legacy of Trust (one of our core values) to meet ever higher levels of security and compliance, enabling our customers to build and deploy secure Quickbase apps in mission-critical use cases. We do this by:
- Embedding best practices into everything we do, in every part of our company
- Aligning our processes and controls with industry standards
- Being transparent with our customers and continuing to learn from them
Security and confidentiality are a shared responsibility between Quickbase and our customers. Quickbase provides a secure platform, together with the tools, support and training resources that enable our customers to build and maintain secure apps.
Customers have numerous responsibilities around the security of their Quickbase apps and the data held within them. Customers must understand what data they intend to collect and store in their Quickbase apps, and ensure that the risk and compliance requirements appropriate to the importance and classification of that data are addressed. Customers must also ensure that security is addressed in the development of Quickbase apps, including ensuring that apps are shared only with those who are authorized to access them.
Quickbase’s Compliance & Information Security Officer, part of the Executive Management team, sets the vision and strategy for the company’s security and compliance program, with the goal of providing strategic direction, ascertaining that risks are managed appropriately and ensuring that objectives are achieved. Quickbase’s Security Team is responsible for the design and implementation of security tooling, for risk identification and mitigation, and for aligning our corporate, development and infrastructure controls with best practices in line with Quickbase's business and compliance objectives.
Background Checks and Security Training
All Quickbase staff undergo background checks before they’re hired. All Quickbase staff are also required to take mandatory security, ethics and privacy training once they join Quickbase and on an ongoing basis during their employment with Quickbase.
Security in Software Development
Quickbase integrates security testing into each phase of the development life cycle, from static code security scans to dynamic web scans, which run daily. We train our development team on how to develop securely using best practices.
Data and Operational Security
Customer Data Segregation
Quickbase is a multi-tenant application Platform as a Service (aPaaS) in which logical access controls segregate each customer’s data. Quickbase customers control logical access to their data via authentication and authorization at the Realm, Account and Application layers. A Realm, which can be thought of as a sub-domain, holds customer Accounts. Within Accounts are Quickbase Applications, which are built and managed by the customer. Customers manage access and permissions at the Realm, Account and App layers via the Quickbase platform.
Customers provision access to the Quickbase apps they develop and deploy to their Quickbase Realm. Quickbase supports Single Sign-On (SSO) and user provisioning/de-provisioning via the Security Assertion Markup Language (SAML). Customers may use Quickbase Groups to provision role-based access control to Quickbase apps at the app, form or field layer.
Quickbase staff do not have access to customer Quickbase apps unless they are invited or authorized by the customer. Quickbase developers occasionally require read-only access to systems which hold metadata, scripts and app schema in order to troubleshoot. A small team of operations personnel have administrative access to the infrastructure which hosts the Quickbase platform.
In Motion: Quickbase encrypts customer data in motion and at rest. All communications over untrusted Internet networks are encrypted using TLS 1.2 and 1.3, with SHA-2 certificates and up to 256-bit encryption.
At Rest: Quickbase encrypts all of your app data and any file attachments attached to your Quickbase apps at the application layer using an AES-256 key. Customers may choose to manage a unique key for their Quickbase Realm (a Realm is Quickbase parlance for a customer's security domain within Quickbase). Realm-specific encryption keys provide an additional means of ensuring the privacy and confidentiality of that data. In addition to having a unique encryption key, customers who subscribe to this feature can rotate realm-specific encryption keys on their own schedule. To set up realm-specific encryption keys for your organization, please open a support case.
Quickbase’s operations team employs automated incident detection and escalation technologies and procedures which ensure that any infrastructure or sub-service provider issue is rapidly addressed, 24x7x365. Customers may view and subscribe to service status updates at https://service.quickbase.com/.
Logging and Auditing
Logs from the servers, devices and services which power the Quickbase platform are off-loaded and secured in a third-party log management platform. That platform provides log analysis, alerting, reporting and investigation capabilities for the Quickbase operations, engineering and security teams who support the Quickbase platform. These operational logs are retained for 3 months.
Quickbase provides audit logs as an optional feature for customers. Audit logs give your Quickbase realm administrator a view of user activity in your realm and of data and schema changes to your apps. Customers may choose to retain audit log data for 6 months or for 1, 3 or 7 years.
Quickbase data is continuously replicated from the production data center to the hot standby data center. In each data center, Quickbase app and file attachment data is backed up via a daily snapshot from online storage to alternate online storage within the same data center. Quickbase maintains 14 daily snapshots and 6 months of weekly snapshots. The same procedure is followed in the disaster recovery data center. The backup data is encrypted by virtue of the fact that the data is encrypted at the application layer. Removable backup media is not used, hence there is no physical transportation of media. Additionally, customers may download their Quickbase application data at any time. For more information, consult our help article on backups.
Disaster Recovery and Business Continuity
Each component of the infrastructure which powers Quickbase, from network equipment to web, app and database servers, is highly available and redundant. If something were to drastically impact our production services, our DR capabilities are best in class. Quickbase maintains 2 identical, geographically diverse, production-ready data centers. Production data is replicated to the hot standby data center with up to a 15 minute delay, i.e., a recovery point objective (RPO) of 15 minutes. If an issue were to impact the production site, we need only 2 hours to bring up production at the DR site, i.e., a recovery time objective (RTO) of 2 hours. We periodically (2-4 times per year) switch between the two data centers as part of our normal disaster recovery plan validation process. Switching between data centers allows us to ensure that Quickbase’s disaster recovery plan is tested and working properly should there ever be a real disaster.
Quickbase employs tools and processes which monitor the platform, network, server and service components that make up the Quickbase services, and has a dedicated security team and incident response processes. Quickbase commits to notifying affected customers of any suspected or confirmed unauthorized access to information via e-mail or phone.
Quickbase stores and processes data held in Quickbase apps in the U.S.A. Quickbase does not transfer customer Quickbase app data outside of the Quickbase hosted service in the United States, or to any third party, without customer authorization.
Data portability allows organizations to move, copy or transfer data easily from their Quickbase apps to other systems. Customers' authorized users may download their app data at any time in CSV, tab-delimited or XML format, via the web interface or our APIs.
Customers are in control of, and responsible for, implementing their data retention requirements for the data they upload to Quickbase apps. When a customer terminates service with Quickbase, Quickbase purges that customer's data from the online Quickbase platform, after which the data is held in Quickbase backup systems for 6 months. Once the data has been fully purged from Quickbase backup systems, Quickbase sends authorized customer contacts a Certificate of Data Destruction, certifying that their app data is completely purged from all Quickbase systems.
Quickbase apps can be configured by the app builder to send reports via email. Quickbase uses a third-party service to send these reports which employs opportunistic TLS. This means that if a customer’s email system supports TLS encryption, email delivered from Quickbase apps will be encrypted in transit (i.e., from the Quickbase Service to the customer’s email system over the Internet).
By default, Quickbase only allows emails sent from a customer realm to be delivered to users within that realm; however, authorized customer account administrators may submit a care support case to enable apps within their realm to send emails to other individuals.
Quickbase Sync and Pipelines Gmail Connection and Google API Services
As part of the Quickbase Service, Quickbase allows Quickbase users to synchronize information from their own Google accounts with their own Quickbase applications. Quickbase's use of information received from Google APIs, and its transfer of that information to any other app, will adhere to Google's Limited Use Requirements (specified in the Google API Terms of Service and the Google API User Data Policy).