Staffbase Security

The Secure Employee Communication Platform.

Staffbase Security

The Secure Employee Communication Platform.

Over 2500 businesses and over one million of their employees around the globe rely on the Staffbase platform and products every day to securely communicate within their company. Our customers have a wide variety of security and privacy needs, with many coming from the most highly regulated and security-sensitive industries in the world. With this in mind, security is of utmost importance to our platform and vision.

At Staffbase, our strong foundation of product features and provider processes ensures industry-leading protection across the board.

Our best-in-class infrastructure protects customer data throughout its entire lifecycle in the platform. A powerful suite of customizable settings and tools also afford our customers the autonomy to further define their own security and privacy parameters.

We strongly believe that security shouldn’t be a second thought. With Staffbase’s enterprise-ready support, all of our customers can fully depend on a safe and reliable platform suited to their needs and concerns.

As of March 2023

Responsible Disclosure

If you have any security vulnerabilities to report on Staffbase-owned systems or products, please forward them to vulnerability@staffbase.com. Currently, critical vulnerabilities with CVSS ratings >= 9.0 are eligible for bounty awards.

Certification

ISO 27001

ISO 27001 is the de facto international standard for information security management. In 2018 Staffbase established an Information Security Management System (ISMS), which has been ISO 27001 certified the same year. Staffbase annually renews the certification through an ongoing auditing process. The most recent certificate can be found here, which outlines the scope of our ISMS.

As part of the Staffbase ISO 27001 certification, Staffbase routinely conducts risk assessments and prepares risk treatment plans to mitigate any identified risks. This way we continuously improve our security controls. The Staffbase Security team is also continually improving the suitability, adequacy and effectiveness of the ISMS.

SOC 2 Type 2

Additionally, all Staffbase products and entities, have been independently audited for SOC 2 compliance and have received a SOC 2 Type 2 report, affirming our commitment to security, availability, and confidentiality. The Staffbase Security team is actively working on maintaining and expanding SOC 2 Type 2 coverage across the entire Staffbase Group.

The report is available on request under NDA.

Organizational Structure and Governance

Staffbase Security and Privacy Teams

Staffbase is unwavering in its commitment to maintaining the highest standards of security, privacy, and data protection. Our Chief Operating Officer (COO) together with our Global Head of Information Security oversee our information security department. Our Security team diligently reviews and implements robust security controls to protect against potential threats.

This team also collaborates with our Legal & Compliance department, supported by a privacy counsel. This collaboration underscores our unwavering dedication to upholding high security, privacy, and data protection standards at Staffbase.

Security Training

For our employees, we provide annual security awareness training as well as frequent security awareness updates about recent security risks and best practices. All developers at Staffbase have regular security training to be up-to-date for common security risks in development, as well as the data privacy of our customers' data. All employees and contractors agree to comply with defined security policies, which include confidentiality, data privacy, and incident reporting.

Confidentiality

Confidentiality terms come standard in all Staffbase agreements with our customers. In addition, all Staffbase employees and contractors are required to sign confidentiality agreements with Staffbase to protect customer data. Staffbase also has confidentiality terms with all vendors that handle personal or confidential information of our customers as part of our vendor review process (see below).

Incident Reporting and Response

All employees, contractors, and key suppliers are required to report security incidents. Staffbase has a plan to promptly and systematically respond to any security or availability incidents that may happen. The Staffbase Incident Response plan is based on NIST 800-61v2 and it is comprised in four stages designed to prevent, identify, correct and remediate security incidents.

Our Incident Response Plan also includes a Problem Management process, designed to identify root causes and correct unknown security incidents. The entire security team is trained to respond according to the established Incident Response Plan. Data breach procedures are included on the Plan and for those incidents, the involvement of the Data Protection and Legal team is required. Affected customers are notified without undue delay in line with applicable laws and legislation.

This plan is reviewed and updated on a regular basis as part of Staffbase’s ISO 27001 certification.

Vendor Reviews

As part of Staffbase’s governance and compliance, we have implemented a policy for detailed review of all vendors to Staffbase that may have a potential impact on security of the service. This is a four-stage review, involving Staffbase Finance, IT, Security and Legal departments. Identified vendors must agree to specific security language, incident reporting, and controls on handling data.

Disaster Recovery and Redundancy

Staffbase has designed a system meant to minimize any service disruptions resulting from natural disasters, hardware failure, or other unforeseen disasters or catastrophes.

Our Disaster Recovery approach includes:

Using state-of-the-art service providers to help deliver our services. Thousands of businesses trust the same providers to deliver their data and services.
Backups. We perform daily backups on all relevant systems, which are stored in geo redundant offsite locations and available for restoration based on identified incidents.
Dual mode. All production systems run at least in dual-mode to provide a fast performing failover.
Global offices. Staffbase operates across six countries, and in the event of regional issues in one of our offices, our teams in other locations can support to help recover smoothly.
Disaster Recovery Planning. Our disaster recovery program focuses on technical disasters for operation of the Staffbase platform and includes plans for different scenarios as well as regular training for the recovery team. The team is therefore able to regain data in cases of emergency.

The operational status of our systems can be found at any time by navigating to the status page available at https://status.staffbase.com/.

Reduced Access

Access to our production systems is reduced to a minimum set of people responsible for maintenance and operations. Staffbase is auditing access to production systems at least annually by following the least privilege principle.

Infrastructure and Hosting

We understand that hosting locations are important for our customers and their compliance requirements. As a result, Staffbase customers can choose between EU hosting or US hosting for the services. More information on our providers can be found at our subprocessor page .

EU Hosting (Germany)

The EU Staffbase servers are hosted by Microsoft Azure (Employee App and Intranet) and Amazon Web Services (Employee Email) in Germany. These facilities are compliant with ISO 27001 and SOC 2.

US Hosting

North American Staffbase servers are hosted by Microsoft Azure (Employee App and Intranet) and Amazon Web Services (Employee Email). These facilities are compliant to ISO 27001 as well as SOC 2. Hosting is at Azure’s secure facilities in Virginia, USA (Employee App/Intranet) and Oregon (Employee Email).

Australian Hosting

Australian Staffbase servers are hosted by Microsoft Azure (Employee App/Intranet/Employee Email). These facilities are located in Australia East (NSW) with redundancies in Australia South-East (VIC) and are compliant with ISO 27001 as well as SOC 2.

Network Security (All hosting locations)

Security: Our network is protected by redundant layer-4 firewalls; secure HTTPS-transport communication over public networks; and key-based authentication for system administrators for maintenance purposes.
Architecture: Staffbase network architecture is designed to minimize the risk of a security breach by permitting access to the minimal required systems only, while other systems, such as database servers, are only accessible internally. All traffic to our application servers is routed through our proxies and gateways. All other systems in our data centers never have direct access to the Internet - neither inbound nor outbound.
Web application firewall (WAF): Staffbase deploys WAFs to protect infrastructure and customer data. Web Application Firewalls allow us to inspect traffic at an application level, as well as prevent or mitigate a variety attack scenarios such as those described in the OWASP Top 10.
Deployment (CDN): Staffbase “Employee App” and “Intranet” products use industry-leading content delivery network (CDN) services from "Cloudflare" to provide multimedia content.

Cloudflare is ISO 27001 and ISO 27701 (privacy certification, including internal Privacy Information Management System) certified. Additionally, SOC 2 Type II and SOC 3 reports are available as well. You may find all of these here.

Delivered multimedia content includes an added layer of security by requiring authentication before accessing the media. This ensures that files are accessible only to authenticated users within a customer instance.
Security Incident Event Management: Staffbase uses a security incident event management (SIEM) system to gather all available logs from our systems to analyze these for correlated events. The SIEM system notifies the Staffbase Security team about the event, and the Staffbase Security team responds to that event according to a dedicated process.
Intrusion Detection and Prevention: Intrusion detection and prevention is done by our hosting providers to ensure maximal security in both of the Staffbase hosting locations.
DDoS Mitigation: Distributed Denial of Service (DDoS) is mitigated by our hosting provider Microsoft Azure and Amazon Web Services.
Logical Access: Access to the Staffbase Production Network is restricted to the core technical operations team, which includes frequently auditing and monitoring all access. All access by the restricted Staffbase team to productive systems is secured with key-based authentication.
Security Incident Response: In case of system alert, security incidents are escalated to our Staffbase Security team. Our employees are trained for security incident response, including communication channels and escalation paths. Treatment of incidents is done according to a defined process for information security events. This process complies to the ISO 27001 standard.

Encryption

Encryption in transit

All communication of our systems over public networks is encrypted using HTTPS with Transport Layer Security (TLS 1.2) and Perfect Forward Secrecy (PFS). We disabled SSLv3 on all systems to help prevent security breaches.

Encryption at rest

We encrypt user passwords by using best-practice one-way hash functions to minimize the impact of a data breach. Almost all of our services use encryption at rest industry best practices symmetric encryption schemes.

Product Security

Our Secure Development Lifecycle (SDLC) describes the processes and tools used in software development & operations to enhance security. The processes and tools are aligned with industry best-practices and related frameworks

Framework Security Controls

Our applications are protected by best practices against common web risks such as CSRF (cross site forgery request), SQLi (SQL injection), and XSS (cross site scripting), following the OWASP recommendations.

Quality Assurance

To ensure a maximum level of QA, we perform a number of automated tests on our code base. We also peer-review all code changes that are submitted to the code base by our developers.

Separate Environments

Staffbases’ testing and staging systems are separated logically from production systems. For testing, Staffbase facilitates dedicated test data.

Penetration Testing

Staffbase contracts with a third party penetration tester to perform independent penetration tests at least annually. Staffbase uses the established CVSS score to evaluate the severity of identified vulnerabilities. The Staffbase Security team is working closely with the product team to prioritize remediation of identified vulnerabilities based on severity.

Our security engineers are continuously testing new and existing features regarding vulnerabilities to increase the security level of our application. Automated dependency checks and remediation treatment measures are established as well to increase security of used libraries and frameworks.
A summary for the most recent penetration test is available on request under a Non-Disclosure Agreement.
We also allow customers to perform their own black box penetration tests on request. These tests are only available for our App/Intranet and Comms Control products at the moment.
We have also launched a private bug bounty program with HackerOne for continuous security testing by a global community of ethical hackers. The bug bounty program has helped improving our security controls for the App/Intranet product with great success. We’re planning to extend it to our other products as well.

External hackers are also welcome to submit findings with CVSS ratings >= 9.0 through our public page here and automatically get invited to our private bug bounty program at hackerone.com.

Privacy and Data Protection

With its roots in Germany and the EU, Staffbase has put privacy and data protection at the core of how we have developed our products, services, and our internal governance. Germany has some of the strictest data privacy laws in the world, and we bring our experience in Germany into the way we develop and build employee communications.

Data Processing Agreements (DPA) - GDPR

Staffbase offers GDPR-compliant data processing agreements (DPAs) for our customers. In addition, through the vendor review process mentioned above, Staffbase has in place relevant data processing agreements with any sub-processors of personal data.

EU General Data Protection Regulation (GDPR)

Staffbase complies with the requirements of the EU General Data Protection Regulation and provides a secure communication platform that protects employee and customer data equally. The privacy rights of our customers, and their employees, and the security of their personal data are our highest priorities.Therefore, under the guidance of our Legal & Compliance department, our Data Protection Officer (DPO), and our Security team, we have created a GDPR compliance program.

Health Insurance Portability and Accountability Act (HIPAA)

Staffbase supports its customers with data protection requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), where relevant. The HIPAA requirements for a business associate are met through Staffbase’s ISO 27001 certification. In addition, Staffbase has drafted a Business Associate Agreement (BAA) that is tailored to our services and meets the HIPAA requirements.

California Consumer Protection Act (CCPA)

Staffbase, as a ‘service provider’, complies with the CCPA rules. We support customers with their obligations under the CCPA and our Data Processing Agreement contains a specific section on Staffbase’s obligations towards customers under the CCPA.

Any further questions on Information Security at Staffbase?

Contact our Security team