Continuing A Tradition of Trust: The 2024 SOC2 Reports for Quickbase and FastField Are Now Available

BrianCafferelli
Quickbase Staff
2 months ago

We’re proud to announce that our latest SOC2 reports are now available. These reports are often required by IT teams to help ensure proper compliance with your org’s governance policies. If you’d like to access them, please contact your account team. Read on for technical details about the SOC2 framework and how it benefits you as a customer of Quickbase. 

 

Background 

Quickbase is a work management platform optimized to run large-scale operations and projects. And to do that, we need to manage some of your most sensitive data. That’s why trust is at the core of everything that we do. Before deciding to build in Quickbase, you need to trust that your data will be secure here. You need to trust that we are complying with all the necessary standards and controls. You need to trust that your privacy is being protected. And you need to know that our software will be up and available day in, day out. Trust is not something that’s given lightly; it needs to be earned. And we work hard every day to earn your trust.

 

Our reputation of operational excellence 

Quickbase has a proven track record of providing best-in-class security, confidentiality, and availability. Here’s how we do it:

  • Security – The Quickbase platform itself is designed with data security at its core. For example, we logically segregate customer data by realm and by app. And customers control who can access their accounts and the apps within them. Quickbase protects data at rest using envelope encryption with AES-256 encryption keys. And data in transit is encrypted via TLS (v1.2 or higher). Quickbase’s internal processes are designed to keep your data secure as well. We use a number of tools to detect security vulnerabilities, including, but not limited to, regular web application security scans and infrastructure scans. Extensive logs of all aspects of the Quickbase platform are tracked and stored for six months.
  • Confidentiality – Our platform operations ensure the confidentiality of your data. The only Quickbase staff with administrative access to our infrastructure are the members of our small operations team, and all Quickbase staff are bound by NDAs and acceptable use policies which forbid unauthorized access to customer data.
  • Availability – Quickbase has an average uptime of 99.9%. We make uptime stats widely available through our service page. We maintain this high level of availability in a number of ways. We use multiple geographically diverse hosting locations, with all necessary data being replicated across regions. We also regularly exercise our failover capability between regions to ensure that we can switch regions within 2 hours (this is our RTO, or Recovery Time Objective). Our operations team also continuously monitors the platform to make sure we rapidly address any production issues, 24/7/365.

You can also learn more in our Trust Center.

 

But don’t take our word for it 

Independent, third-party validation adds a crucial layer of trust where sensitive business data is involved. That’s why such validation has become the gold standard for data security in the cloud. Our SOC2 reports provide that third-party validation, and Quickbase has been evaluated by other independent entities as well: 

  • We have achieved Level Two attestation in the STAR registry. This means that an independent assessment validated that Quickbase conforms to the security controls and principles of the Cloud Controls Matrix, provided by the Cloud Security Alliance. 

 

What is SOC2? 

The System and Organization Controls 2 (SOC2) framework provides detailed information and assurance that the Trust Services Criteria are being met by the service organization being examined. This framework was developed by the American Institute of Certified Public Accountants (AICPA), and it has become a widely recognized standard of quality for the software industry. The Trust Services Criteria relevant to the Quickbase platform are security, confidentiality, and availability. 

Additionally, our SOC2 report for Quickbase includes attestation of adherence to the following supplemental frameworks: 

  • The HIPAA Security Rule – for healthcare entities and those organizations serving the healthcare industry
  • DFARS – for US Department of Defense customers 
  • CSA STAR Level 2 – for any customer seeking additional assurance as to the state of our cloud security posture 

And our SOC2 report for FastField includes attestation of adherence to the HIPAA Security Rule.  

Quickbase engaged a third-party firm to conduct an independent assessment to validate that Quickbase conforms to the controls and principles of the AICPA’s Trust Services Criteria. These assessments are performed annually. Since Quickbase’s recent acquisition of FastField, our SOC2 assessment now includes reports on both platforms: Quickbase and FastField. 

Both Quickbase and FastField have been evaluated under the SOC2 Type II framework. Unlike SOC2 Type I, which assesses the design of these controls at a single point in time, Type II examines their operational effectiveness. This ensures that Quickbase’s systems and practices consistently meet the stringent criteria set out for security, availability, and confidentiality. 

Please note that, in addition to our SOC2 reports, we also have SOC1 and SOC3 reports available. SOC1 provides assurance to customers leveraging Quickbase for processes that impact financial reporting. SOC3 is designed to meet the needs of those seeking assurance about the controls at Quickbase relevant to security, confidentiality and availability, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC2 report.

 

How can I view the new SOC reports? 

If you're interested in viewing any of our latest SOC reports, please contact your account team. 

 

The shared responsibility model 

Quickbase is committed to maintaining best-in-class security; however, security and privacy are a shared responsibility. Quickbase provides a secure Platform-as-a-Service (PaaS), and further provides the tools, support and training resources to enable our customers to build and maintain secure apps. Customers also have responsibilities around the security of Quickbase apps and the data held within them. Customers must understand what data they intend to collect and store in their Quickbase apps, and ensure that legal, security and compliance requirements are addressed accordingly. Customers must ensure that security is addressed in the development, implementation and maintenance of Quickbase apps, including but not limited to ensuring that apps are shared with only those who are authorized to access them. This “Shared Responsibility Model” empowers Quickbase customers to maintain greater control of their data, which in return limits the actions Quickbase might be able to take on their behalf. 

Updated 2 months ago
Version 2.0