Is there available a general security "White Paper" that is a document that describes the site and record security provided by Quickbase?

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
Is there available a general security "White Paper" that is a document that describes the site and record security provided by Quickbase?

Looking for something that gives a general overview of these features
Photo of Danny


  • 0 Points

Posted 6 years ago

  • 0
  • 1
Photo of Mark_Shnier


  • 700 Points 500 badge 2x thumb
I would put in a support ticket. I'm sure that their sales dept has a response to those kind of questions.
Photo of Ⲇanom the ultimate (Dan Diebolt)

Ⲇanom the ultimate (Dan Diebolt), Champion

  • 30,224 Points 20k badge 2x thumb
Yes, QuickBase has always been secure and uses state of the art RSA 2048 bit encryption:

Additionally, QuickBase has consistently passed SAS70 and SSAE 16 audits. There is report available:

We’re pleased to report that the auditors found “no exceptions” during their testing, which means they can verify that QuickBase does what it says it will do! We are happy to share the detailed SSAE 16 report with customers who sign a Non-Disclosure Agreement with us. If you’re interested in obtaining the report, please contact your business development manager, QuickBase Coach, or submit a support ticket.

The only weak area of security is email notifications which are set up at the discretion of administrator. This lone security issue is easily addressed by only sending a hyperlink in the email notification so that a user clicking on the hyperlink will have to authenticate to QuickBase before accessing a report or record details.
Photo of Esther


  • 702 Points 500 badge 2x thumb
Sorry i come back four years later, but I need this, and the link of Mark does not work. I try to contact sales department and they were not able to help me.

Could you help me with this? thank you.
Does this help?

Copy and pasted Oct 5, 2017

Security and Compliance at Quick Base

A Legacy of Trust

Quick Base was a division of Intuit, a global leader in financial and business solutions, from 1999 until its divestiture in 2016. Today, Quick Base, Inc. is building on a long legacy of trust to continue to meet higher levels of security and compliance.

Mission Statement

Our mission is to enable our customers to utilize the Quick Base platform for critical business processes and applications by:

Embedding best practices into everything we do, in every part of our company
Aligning our processes and controls with industry standards
Being transparent with our customers and continuing to learn from them
The Shared Responsibility Model of the Quick Base Platform

The security and confidentiality of our customers’ apps and data on the Quick Base platform is a shared responsibility between Quick Base and our customers. Quick Base provides a secure platform where customers can build and manage their apps. Additionally, Quick Base provides tools, support and resources that enable our customers to maintain secure apps.

Customers have numerous responsibilities around the security of Quick Base apps and data held within them. Customers must understand what data they intend to collect and store in their Quick Base apps, and ensure that risk and compliance requirements are addressed which correlate to the importance and classification of that data. Customers must ensure that security is addressed in the development of Quick Base apps, including ensuring that apps are shared with only those who are authorized to access them.

Security Governance at Quick Base

Quick Base’s Compliance & Information Security Officer (CISO), part of the Executive Management team, sets the vision and strategy for the company’s security and compliance program, with the goal of providing strategic direction, ascertaining that risks are managed appropriately and ensuring that objectives are achieved.

Quick Base’s Security Council is composed of leadership from Product Development, Operations and Corporate IT and is responsible for aligning corporate, development and infrastructure controls with best practices as set by the CISO in conjunction with Quick Base business and compliance objectives.

Background Checks and Security Training

All Quick Base staff undergo background checks before they’re hired. All Quick Base staff are also required to take mandatory security, ethics and privacy training once they join Quick Base and on an ongoing basis during their employment with Quick Base.

Security in Software Development

Quick Base integrates security testing into each phase of the development lifecycle —from static code security checks, to dynamic web scans which run continuously, to annual penetration tests by security experts. We train our development team on security best practices.

Customer Segregation

Quick Base is a shared application Platform as a Service (aPaaS) with logical access segregating each customer’s data. Quick Base controls logical access to data via authentication and authorization at the Realm, Account and Application layers. Realms, otherwise thought of as a domain, hold customer Accounts. Within accounts are Quick Base Applications which are managed by Quick Base customers. Quick Base customers can manage access and permissions at the Realm, Account and App layers via the Quick Base platform.


Quick Base encrypts customer data in motion and at rest. All communications over non-trusted Internet networks are encrypted via a 256 bit (SHA2) TLS certificate, TLS 1.0, 1.1, 1.2. Quick Base encrypts data at rest at the application layer including app data and file attachments using AES256. Quick Base is disabling support for TLS 1.0 in April 2018.

Operations and Monitoring

Quick Base’s operations team employs automated incident detection, escalation technologies and procedures which ensure that any infrastructure or platform issue is rapidly addressed, 24x7x365. Customers may view status updates at

Security Incident Response

Quick Base commits to notifying affected customers of any suspected or confirmed data breach (once we become aware of) within 24 hours. We will notify customers via e-mail or phone.

Role Based Access

A small team of operations personnel have administrative access to the host layer. At the application layer (within Quick Base itself), Quick Base staff do not have access unless they are invited or authorized by our customers.

Data Management

Customers are responsible for understanding and implementing their data retention and deletion requirements for the data they upload to Quick Base. Customers may delete data at any time and since Quick Base maintains backups for 6 months, it may take up to 6 months for their data to be completely purged from our backup systems once it has been deleted from their apps.

Infrastructure Security

Physical Security

Quick Base is hosted in data centers in the United States which provide military-grade physical security including 24x7 guards, controlled access points, biometrics and video surveillance. Security attestations including SSAE16 SOC 2 for our data center providers are available to customers or prospects under NDA upon request.

High Availability

Each component of the infrastructure which powers Quick Base — from network equipment to web, app and database servers—is highly available and redundant.

Disaster Recovery

Quick Base maintains 2 geographically diverse production-ready data centers; data is replicated from the production data center to the hot standby disaster recovery (DR) data center with up to a 15 minute delay, i.e., a recovery point objective (RPO) of 15 minutes. Upon a disaster being declared at the production site, Quick Base requires two (2) hours to bring up production at the DR site, i.e., a recovery time objective (RTO) of 2 hours.



Quick Base undergoes an annual SSAE16 SOC 2 Type 2 examination covering Security and Availability Trust Services Principles defined by the AICPA Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Quick Base's SOC 2 report is issued in July annually and is available to customers or prospective customers under NDA.


While a SOC 2 is focused on an organization's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality and privacy of a system, a SOC 1 is focused on controls related to financial reporting. Quick Base recognizes that many of our customers utilize Quick Base apps for processes involved with their financial reporting, therefore Quick Base will, beginning in July 2018 additionally issue a SOC 1 report in tandem with our SOC 2 report. Please note customer controls at the app layer are not part of the scope of Quick Base's SOC 1; therefore customers may want to include these pertinent Quick Base apps in their respective SOC 1 examination.


Quick Base enables our customers to build HIPAA-compliant applications. Quick Base abides by the HIPAA security and privacy rules in our operation of the Quick Base platform. Quick Base may sign BAAs (Business Associate Agreements) with our customers with annual contracts.


Quick Base utilizes a PCI compliant vendor to process credit cards for our customers. However, the Quick Base platform itself is not PCI compliant, therefore credit card data should not be stored in Quick Base apps.


Electronic discovery refers to discovery in legal proceedings such as litigation where the information sought is in electronic format. Quick Base supports key requirements of e-Discovery:

Preservation of Evidence
Upon legal hold being placed on customer data held within Quick Base apps, the customer may instruct personnel to preserve (not delete) apps and data. Additionally, the customer may choose to make copies of existing apps in order to preserve the data at that point in time. Lastly Quick Base maintains backup copies of customer apps and data. Customers may request apps to be restored via customer support.
Identification of Data
Quick Base provides the ability to search apps, however it is important to note that fields must be marked as searchable by the app owner. File attachments may also be searched; however they must be downloaded and searched locally.
Data Access
Customers own their data which they have uploaded and stored within Quick Base.

Quick Base abides by privacy laws and regulations that are applicable to our hosting services and to our customers who host websites that may contain personal information on the Quick Base platform. Quick Base personnel may have logical access to customer data stored in Quick Base apps only if they are authorized, and have a need for access due to their job function. Quick Base does not transfer customer data hosted on Quick Base outside of the Quick Base hosted service, or to any third-party, without customer authorization.

Customers must ensure that privacy concerns and regulations are addressed and adhered to where customer personnel may have logical access to personal information uploaded or stored in the customer’s Quick Base apps.

Quick Base’s Privacy Policy describes how Quick Base handles any personal information gathered from visitors to its website at Quick and from users of the Quick Base service.

EU Data Protection Regulations

Quick Base is hosted in the United States and serves customers globally. There are several mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including Privacy Shield (a replacement to Safe Harbor), EU Model Contract clauses and end user consent.

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce, and replaces the Safe Harbor program. Quick Base is currently in process of applying for Privacy Shield certification.

EU Model Clause

The EU Model Clause is a standard contract addendum between service providers such as Quick Base and its customers, designed to ensure that any personal data leaving the EEA will be transferred in compliance with EU data- protection law and meets the requirements of the EU Data Protection Directive 95/46/EC. Quick Base offers customers on annual contracts Standard Contractual Clauses that make specific guarantees around transfers of personal data for Quick Base services. This ensures that Quick Base customers can freely move data through Quick Base from the EU.

Find a Security Issue?

Please visit our Responsible Disclosure page here.
Photo of Esther


  • 702 Points 500 badge 2x thumb
Thank you for take the time to write me back, but I am trying to get one of this " EU Model Clause is a standard contract addendum between service providers such as Quick Base and its customers" and I am getting difficulties, they request me to use another provider ("Docusign" by the way) to share the draft of agreement , them I wonder ; it is not sure enough QB to share drafts ? does QB trust in their own web?.

All you said here sound perfect but this is just here on a web is not of my Property if you chose to delete it I will find myself in the future looking for something is not any longer available.

Is there any other place, where I can show to my stakeholders that QB is a safe platforms to share information?.
I’m sorry, But that is all the information I have. If you need something actually signed by Quick Base, you will need to deal with Quick Base support as I am not a Quick Base Employee.
Photo of Michael John Lemire

Michael John Lemire, Security and Compliance Officer

  • 130 Points 100 badge 2x thumb
hi Esther, I am the security officer here at Quick Base.   Thank you QuickBaseCoach for posting the content from our web site    which describes our security practices.      In regards to the EU Model Clause we use Docusign for electronic signatures but are happy to execute the addendum manually as well.