Security
Shared Responsibility
Quickbase is committed to maintaining best-in-class security; however, security and privacy are a shared responsibility. Quickbase provides a secure Platform-as-a-Service (PaaS), and further provides the tools, support and training resources to enable our customers to build and maintain secure apps. Customers also have responsibilities around the security of Quickbase apps and the data held within them. Customers must understand what data they intend to collect and store in their Quickbase apps, and ensure that legal, security and compliance requirements are addressed accordingly. Customers must ensure that security is addressed in the development, implementation and maintenance of Quickbase apps, including but not limited to ensuring that apps are shared with only those who are authorized to access them. This “Shared Responsibility Model” empowers Quickbase customers to maintain greater control of their data, which in return limits the actions Quickbase might be able to take on their behalf.
Quickbase continuously validates the sufficiency of its security efforts via internal and external mechanisms. Quickbase’s annual SOC2 – Type II report provides greater detail surrounding our security posture. Learn more on the Quickbase Compliance page. Quickbase further maintains a detailed Security Packet, available to current or prospective customers under obligations of confidentiality.
Customer Data Segregation
Quickbase is a multi-tenant application PaaS with logical access segregating each customer’s data. Quickbase customers control logical access to their data via authentication and authorization at the Realm, Account and Application layer. Realms, otherwise thought of as a sub-domain, hold customer Accounts. Applications exist within each Account, and are developed, implemented and maintained by the customer. Customers further manage access and permissions at the Realm, Account and Application layer.
Access Control
Customers provision and manage access to their Quickbase apps. Quickbase supports single sign on and user provisioning/de-provisioning via Security Assertion Markup Language (SAML). Groups can also be used to provision role-based access at the app, form or field layer.
Quickbase staff do not access customer apps and the data therein unless invited into the app by the customer. Quickbase developers occasionally require read-only access to systems which hold metadata, scripts and app schema in order to troubleshoot. A small team of operations personnel have administrative access to the infrastructure which hosts the Quickbase platform. All Quickbase personnel are bound by NDAs and acceptable use policies prohibiting unauthorized access and disclosure of customer data.
Encryption
Quickbase encrypts customer data in motion and at rest. All communications over non-trusted Internet networks are encrypted at up to 256 bit (SHA2) TLS certificate, TLS 1.2 and 1.3. Quickbase encrypts all customer app data and any files attached therein using an AES 256 key.
For advanced data encryption needs, Quickbase supports the ability for customers to encrypt data at rest using their own encryption key, rotated on their own schedule. Realm-specific encryption keys provide an additional means to ensure the privacy and confidentiality of customer data. To set up realm-specific encryption keys for your organization, please open a support case.
Logging & Auditing
Extensive logging of all aspects of the Quickbase platform are ingested in near real-time into a log management system and SIEM. This supports analysis, alerting and reporting, as well as investigation capabilities for Quickbase’s operations, engineering and security teams supporting the platform. Operational logs are retained for six months.
Quickbase also provides audit logs as an optional feature for customers. Application audit logs are available on Team, Business and Enterprise plans and provide Quickbase realm administrators a view of their Quickbase realm user activity, data and schema changes to their apps. Customers may choose to retain audit log data for six months, one, three or seven years.
Vulnerability & Threat Management
Penetration Testing
At least annually, Quickbase engages an independent penetration testing firm to perform a time-bound security assessment of the Quickbase platform, internet-facing systems, applicable infrastructure, and supporting policy and procedure documentation. This penetration testing firm is given application design diagrams, source code, threat models, and full administrative privileges within multiple tenants created specifically for the test. These resources give the firm the greatest advantage in identifying possible weaknesses in the Quickbase platform. This type of penetration testing is known as white-box methodology and is inclusive of testing against the OWASP Top Ten.
Vulnerability Scanning — Quickbase
Quickbase employs a variety of tools and processes to detect, protect and respond to security vulnerabilities. This includes, but is not limited to, regular web application security scans and infrastructure scans. More details on these processes are available to current or prospective customers under obligations of confidentiality.
Vulnerability Scanning — Quickbase Customers
Customers may run a security scan against their Quickbase realm under the following conditions.
- Customers can only test using their own Quickbase application(s) with up to three (3) applications accessed during the testing.
- The methodology for the test should mimic normal user activities with both normal pace and normal user volume.
- This should not be a performance test or a denial-of-service test.
- Customers should conduct the test during non-business hours to minimize the chance of negatively impacting their own users.
Customers must open a support case with Quickbase Customer Care to test up to three apps at least five business days prior to the security scan. The following details must be provided.
- The application URL(s) against which the test will be conducted.
- The source IP address from which the test will be conducted.
- The date and time the test will begin and end.
- The name and contact information of a person or persons with the direct ability to stop the testing if asked to do so by Quickbase staff.
Quickbase reserves the right to block any testing which negatively impacts the platform.
Reporting A Security Concern
Quickbase encourages customers and public researchers alike to report known or suspected security concerns to Quickbase. Learn more about this process by visiting the Reporting a Vulnerability page.