Privacy
Quickbase abides by privacy laws and regulations that are applicable to our services. Quickbase personnel may have logical access to customer data stored in Quickbase apps only if they are authorized by the customer or have a need for access due to their job function.
Quickbase does not have visibility into or knowledge of what customers are uploading onto its platform, including whether or not that data is deemed subject to privacy regulations. Customers are responsible for their own privacy compliance for data they upload and store in Quickbase apps.
Quickbase’s Privacy Policy describes how Quickbase handles any personal information gathered from visitors to its website at Quickbase.com and from users of the Quickbase service.
EU Data Protection Regulations
The Quickbase platform is hosted in the United States but serves customers globally, so we have implemented safeguards to ensure that transfers of personal data out of the European Union (“EU”), Switzerland, and the United Kingdom (“UK”) (together, “Europe”) comply with the applicable regulations.
GDPR
The General Data Protection Regulation and the UK General Data Protection Regulation (together, the “GDPR”) expand the privacy rights of European individuals and places certain obligations on service providers like Quickbase, which may store and process the personal data of such individuals.
Compliance with the GDPR is a shared responsibility between Quickbase and our customers. Quickbase complies with the GDPR in the delivery of our service to our customers and we are also dedicated to helping our customers assess their compliance with the GDPR in connection with their use of the Quickbase platform. We have made enhancements to our products, contracts, and documentation to help support Quickbase’s and our customers’ compliance with the GDPR.
Transfer Mechanisms
There are several mechanisms to ensure that personal data transferred out of Europe is provided the legal protections required by the GDPR, namely the Standard Contractual Clauses and end user consent. For customers that require it, Quickbase has a Data Processing Agreement (“DPA”) which includes the obligations and commitments applicable to Quickbase and our customers related to the processing of personal data. Our DPA has been updated to include the new form of SCC’s implemented by the European Commission and provide for a valid mechanism for the transfer of personal data outside the EU.
A third mechanism was via Privacy Shield certification, a framework designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the United States. On July 16, 2020, the European Court of Justice invalidated the Privacy Shield program as a valid transfer mechanism. The decision does not relieve participating organizations of their Privacy Shield obligations and the Department of Commerce will continue to administer the Privacy Shield program. Quickbase’s certification under the Privacy Shield program may be viewed at the Privacy Shield site.
CCPA
The California Consumer Privacy Act enhances privacy rights and consumer protection for residents of California by allowing California residents more control over how companies collect and use their personal information. The bill was passed by the California State Legislature and signed into law on June 28, 2018. The law goes into effect starting January 1, 2020. In providing the Quickbase platform, our customers are "businesses" and Quickbase is a "Service Provider" as described in the CCPA, which means that Quickbase retains, uses and/or discloses personal information only to provide the Quickbase platform and for other uses as permitted by the CCPA.
Subprocessors
Quickbase utilizes subprocessors for the provisioning of our Services to you as described in our agreements on the Terms Of Service page. For a current list of our sub-processors please see our Data Subprocessors page.
Export Controls
Prohibited Countries
Quickbase complies with U.S. regulations related to embargoed countries and regions. As such, Quickbase currently prohibits the unauthorized usage of its products and services in Cuba, Iran, North Korea, Sudan and Syria. Because this list of countries and regions may change from time to time, customers and their users are urged to consult the relevant regulations, including the U.S. Export Administration Regulations.
Denied Parties
Quickbase products and services may not be exported to, re-exported to, transferred to, or used by any restricted person or entity, including those listed on the U.S. Treasury Department's list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person's List or Entity List, the State Department's Debarred list, or similar denied parties list without prior authorization by the U.S. Government.
For more information and for further assistance in determining your individual licensing requirements, contact the Department of Commerce, Bureau of Industry and Security (https://www.bis.doc.gov) or Office of Foreign Assets Control (https://www.treasury.gov).
Prohibited End-Users
Quickbase products and services may not be exported, re-exported, or transferred if for use directly or indirectly in any prohibited activity described in Part 744 of the U.S. Export Administration Regulations, including certain nuclear, chemical or biological weapons, rocket systems or unmanned air vehicle end-uses.
Data Sovereignty
Quickbase does not transfer customer Quickbase app data outside of the Quickbase hosted service hosted in the United States, or to any third-party, without customer authorization.
Data Portability
Data portability allows organizations to move, copy or transfer data easily from their Quickbase apps to other systems. Customer's authorized users may download their app data any time in CSV, Tab-delimited or XML format, via the web interface or our APIs.
Data Retention
Customers are in control and responsible for implementing their data retention requirements for the data they upload to Quickbase apps. Quickbase purges customer data from the online Quickbase platform if you terminate your service with Quickbase. After which, data will be held in Quickbase backup systems for 6 months. Upon data being fully purged from Quickbase backup systems Quickbase will send authorized customer contacts a Certificate of Data Destruction, certifying your app data is completely purged from all Quickbase systems.
Quickbase apps can be configured by the app builder to send reports via email. Quickbase uses a third party service to send reports via email which employs opportunistic TLS. This means that if a customer’s email system supports TLS encryption, email delivered from QB apps will be encrypted in transit (i.e., from the Quickbase Service to the customer’s email system over the Internet).
By default, Quickbase only allows emails sent from a customer realm to be sent to users within that realm, however, authorized customer account administrators may submit a care support case to enable apps within their realm to send emails to other individuals.
Quickbase Sync and Pipelines Gmail Connection and Google API Services
As part of the Quickbase Service, Quickbase allows Quickbase users to synchronize information from their own Google accounts with their own Quickbase applications. Quickbase's use of information received, and Quickbase's transfer of information to any other app, from Google APIs will adhere to Google's Limited Use Requirements (specified in the Google API Terms of Service, Google API User Data Policy).