Staffbase Security—The Secure Employee App

Security on mobile devices and apps will always be a topic of utmost importance. Staffbase takes every precaution to ensure that your data is kept safe.

Icon Infrastructure and System Security

Infrastructure and System Security

The Staffbase app is hosted by Profitbricks and Azure, both of which comply to ISO 27001 and SSAE-16 standards, ensuring full data security. All information is encrypted using TLS 1.2 and PFS; security incidents are reported to our security team 24/7; and access to the Staffbase production network is restricted. In addition, we do daily backups and have an uptime of 99.9%.

Physical Security—Azure


North American Staffbase servers are located on Microsoft Azure. Azure facilities are compliant to ISO 27001 as well as SSAE-16 certification.


Staffbase servers hosted on Azure are located on the east coast of the United States (Virginia).

Physical Security—Profitbricks


EU-based Staffbase servers are located on Profitbricks. Profitbricks facilities are compliant with ISO 27001 and ISO 9001.


The Staffbase servers on Profitbricks are located in Frankfurt am Main, Germany.

Physical Security—Profitbricks


Our network is protected by redundant layer-4 firewalls; secure HTTPS-transport communication over public networks; and VPN only access to our production and testing systems; as well as key-based authentication for system administrators for maintenance purposes.


Staffbase network architecture is designed to minimize the risk of a security breach by permitting access to the minimal required systems only, while other systems, such as database servers, are only accessible internally. All traffic to our application servers is routed through our proxies and gateways. All other systems in our data centers never have direct access to the Internet—neither inbound nor outbound.

Third-Party Penetration Tests

We allow customers to do their own penetration tests on request. Additionally, we provide a summary of previous penetration tests on request.

Security Incident Event Management

A security incident event management (SIEM) system gathers all available logs from our systems to analyze these for correlated events. The SIEM system notifies the Staffbase Security team about the event, and the Staffbase Security team responds to that event.

Intrusion Detection and Prevention

Intrusion detection and prevention is done by our hosting providers Microsoft Azure and Profitbricks to ensure maximal security in both the international system as well as the German system.

DDoS Mitigation

Distributed Denial of Service (DDoS) is mitigated by our hosting providers Microsoft Azure and Profitbricks.

Logical Access

Access to the Staffbase Production Network is restricted to the core operations team. This includes frequently auditing and monitoring the accesses. All productive systems are secured by VPN and require key-based authentication.

Security Incident Response

In case of system alert, security incidents are escalated 24/7 to our Staffbase Security team. Our employees are trained for security incident response, including communication channels and escalation paths.


Encryption in Transit

All communication of our systems over public networks is encrypted using HTTPS with Transport Layer Security (TLS 1.2) and Perfect Forward Secrecy (PFS). We disabled SSLv3 on all systems to prevent security breaches.

Encryption at Rest

We encrypt user passwords by using best-practice one-way hash functions to minimize the impact of a data breach.

Availability & Continuity


For all Staffbase services we guarantee a 99.9% uptime.


We perform backups on all relevant systems in daily frequency and store these backups up to a month for restoring based on identified incidents. Also, all productive systems of Staffbase run at least in dual-mode to provide a fast performing failover.

Disaster Recovery

Our disaster recovery program includes plans for different scenarios and regular training for the recovery team. The team is therefore able to regain data in cases of emergency.

Icon Application Security

Application Security

Our applications are protected by best practices against common web risks such as CSRF, SQLi, and XSS. We regularly run penetration tests and preview all code changes that are submitted by our developers.

Secure Development

Security Training

We periodically train our developers to be aware of common security risks for development as well as the data privacy of our customers' data.

Framework Security Controls

Our applications are protected by best-practice mechanisms against common risks in Web applications, such as CSRF, SQLi, and XSS.


For ensuring a maximum level on QA we perform a number of automated tests on our code base. Also, we peer-review all code changes that are submitted to the code base by our developers.

Separate Environments

Staffbase's testing and staging systems are separated logically from production systems.

Application Vulnerabilities

Security Penetration Testing

While customers are allowed to perform their own penetration tests on request, our employees perform annual penetration tests internally for increasing the security level of our application.

Icon Product Security Features

Product Security Features

In order for security to be a given within the app, you can customize access privileges and roles regarding individual needs. You can then adjust security based on company policies by configuring the maximum lifetime of a user session.

Secure Development


We offer several ways for onboarding your users into Staffbase. They can be invited directly by email. You can also use registration based on domain bonding. That is, every user with a certain email domain can register without having been invited individually. Even when you do not know the email address of your users, you can invite them by generating unique access codes for one-time registration. Finally, you can use SSO for registration.

Single Sign-On (SSO)

For authentication as well as onboarding you can also use our SSO integrations. Therefore, you can integrate your systems into Staffbase by utilizing SAML and OpenID.

Configurable Password Policy

You can use a customized password policy when using SSO. We provide configurable password policies on request.

Two-Factor Authentication

Two-factor authentication is available when using SSO.

Secure Credential Storage

Passwords in Staffbase cannot be extracted, as they are stored in the database using bcrypt, a one-way-hash function designed to be collision free.

API Security & Authentication

Our API available to customers is secured by HTTPS and an API token that leverages HTTP Basic authentication.

Additional Product Security Features

Access Privileges & Roles

Depending on your your individual needs, you can customize access privileges and roles to be fine-grained in Staffbase.

Transmission Security

We utilize HTTPS connections for every communication between Staffbase clients and servers.

Email Signing

We facilitate DKIM (Domain Keys Identified Mail) for signing outbound emails from Staffbase.

Session Lifetime

In Staffbase you can configure the maximum lifetime of a user’s session to adjust security based on your company policies.

Icon Data Privacy and Data Security

Data Privacy and Data Security

Apart from an annual security awareness training, all employees sign a confidentiality agreement complying with the German data secrecy provision and the law for confidentiality of telecommunications. These laws are some of the strictest in the world.


Our security policies are maintained and audited frequently by our data protection officer.

Security Training

For our employees, we provide annual security awareness training as well as frequent security awareness updates about recent security risks.

Confidentiality Agreement

All employees of Staffbase have signed a confidentiality agreement to protect customer data, as well as agreements obligating them to comply with the data secrecy provisions of § 5 of the BDSG (Bundesdatenschutzgesetz) and the confidentiality of telecommunications (§ 88 Telecommunications Act).

Reduced Access

Access to our production systems is reduced to a minimum set of people responsible for maintenance and operations.

Sharing with Third Parties

We do not share client data with any third party. As plugins are optional in Staffbase, they may be excluded from this guarantee.

Data Processing Agreements (DPA)

Where required under applicable data protection law, we will conclude an agreement on commissioned data processing.

EU General Data Protection Regulation (GDPR)

Staffbase complies with the requirements of the EU General Data Protection Regulation and provides a secure communication platform that protects employee and customer data equally. The privacy rights of our customers and the security of their personal data are our highest priorities. Therefore, under the guidance of our Data Protection Officer (DPO), we have assembled a team that guarantees strict compliance with all regulations. Read More >


Employee-app, Employee-engagement-App, Internal-Communications-App, Infrastructure & Systems Security, Application Security, Product Security Features, Data Privacy & Data Security
Security Whitepaper - Infrastructure and Systems Security, Application Security, Product Security Features, Data Privacy, and Data Security