Staffbase Customers

Nearly one million employees around the globe rely on the Staffbase platform every day to securely communicate within their company. Our customers have a wide variety of security and privacy needs, with many coming from the most highly regulated and security-sensitive industries in the world. With this in mind, security is of utmost importance to our platform and vision.

At Staffbase, our strong foundation of product features and provider processes ensures industry-leading protection across the board.

Our infrastructure protects customer data throughout its entire lifecycle in the platform. A suite of customizable settings and tools also affords our customers the autonomy to define their own security and privacy parameters further.

We strongly believe that security shouldn’t be a second thought. With Staffbase’s enterprise-ready support, all of our customers can fully depend on a safe and reliable platform suited to their needs and concerns.

Last updated: 24 March 2020

ISO 27001 Certification

ISO 27001 is the de facto international standard for information security management. In 2018 Staffbase established an Information Security Management System (ISMS), which was ISO 27001 certified in the same year. Staffbase renews the certification annually through an ongoing auditing process. The most recent certificate can be found here.

As part of the Staffbase ISO 27001 certification, Staffbase routinely conducts risk assessments, and then prepares risk treatment plans to mitigate any identified risks so that we continuously improve our security controls. The Staffbase Security team is continually improving the suitability, adequacy and effectiveness of the ISMS.

Organizational Structure and Governance

Staffbase Security and Privacy Teams
Staffbase employs a dedicated Chief Information Security Officer (CISO) who oversees a security department. The Staffbase Security team reviews and implements security controls throughout Staffbase. The team also works closely with our Legal & Compliance team, including a dedicated privacy counsel, to review and implement security, privacy, and data protection programs at Staffbase.

Staffbase is a corporate member of the International Association of Privacy Professionals (IAPP), and our Legal & Compliance department has IAPP members and CIPP/E certified professionals on staff, as well as a broad range of privacy and data protection experience, including in Germany, the Netherlands, the United Kingdom, and the United States.
Security Training
We provide annual security awareness training for all employees, as well as frequent security awareness updates about recent security risks. All developers at Staffbase receive regular security training to stay up to date on common security risks in development and on the privacy of our customers' data. All employees and contractors agree to comply with defined security policies, which cover confidentiality, data privacy, and incident reporting.
Confidentiality
Confidentiality terms come standard in all Staffbase agreements with our customers. In addition, all Staffbase employees and contractors are required to sign confidentiality agreements with Staffbase that protect customer data. Staffbase also has confidentiality terms with all vendors that handle personal or confidential information of our customers as part of our vendor review process (see below).
Incident Reporting and Response
All employees, contractors, and key suppliers are required to report security incidents, and Staffbase has a plan to promptly and systematically respond to any security or availability incidents that may happen. This plan is reviewed and updated on a regular basis as part of Staffbase’s ISO 27001 certification.
Vendor Reviews
As part of Staffbase’s governance and compliance, we have implemented a policy for detailed review of all vendors to Staffbase that may have a potential impact on security of the service. This is a two-stage review, involving both Staffbase Security and Staffbase Legal. Identified vendors must agree to specific security language, incident reporting, and controls on handling data.
Disaster Recovery and Redundancy
Staffbase has designed a system meant to minimize any service disruptions resulting from natural disasters, hardware failure, or other unforeseen disasters or catastrophes.

Our Disaster Recovery approach includes:
  • Using state-of-the-art service providers to help deliver our services. Thousands of businesses trust the same providers to deliver their data and services.
  • Backups. We perform daily backups on all relevant systems, which are stored for up to a month and available for restoration based on identified incidents.
  • Dual mode. All production systems run at least as a redundant pair, so that failover is fast.
  • Global offices. Staffbase operates across four countries, and in the event of regional issues at one of our offices, our teams in other locations can step in to help recover smoothly.
  • Disaster Recovery Planning. Our disaster recovery program focuses on technical disasters affecting operation of the Staffbase platform and includes plans for different scenarios as well as regular training for the recovery team, so that the team is able to recover data in an emergency.
Reduced Access
Access to our production systems is limited to the minimum set of people responsible for maintenance and operations. Staffbase audits access to production systems at least annually against the least-privilege principle.

Infrastructure and Hosting

EU Hosting (Germany)

EU-based Staffbase servers are hosted by 1&1 Ionos and SysEleven in Germany. Both facilities are compliant with ISO 27001.

US Hosting

North American Staffbase servers are hosted by Microsoft Azure. These facilities are ISO 27001 certified and SSAE 16 audited. Hosting is at Azure’s secure facilities in Virginia, USA.

Network Security (All hosting locations)

Security
Our network is protected by redundant layer-4 firewalls. All communication over public networks uses HTTPS, access to our production and testing systems is possible only over VPN, and system administrators authenticate with keys (not passwords) for maintenance.
Architecture
The Staffbase network architecture is designed to minimize the risk of a security breach by exposing only the minimal required systems, while other systems, such as database servers, are reachable only internally. All traffic to our application servers is routed through our proxies and gateways. All other systems in our data centers have no direct Internet access, neither inbound nor outbound.
Deployment (CDN)
Staffbase uses the content delivery network (CDN) service Amazon CloudFront to deliver multimedia content. By default, all URLs to multimedia content stored on our media servers contain a random, non-guessable string of 192 characters. Because the URL itself is the only secret in that mode, anyone who obtains such a link can fetch the file; customers who need stronger guarantees should use the authentication option described below.

Customers who subscribe to the Enterprise Package and use a CDN to deliver multimedia content can add an additional layer of security by requiring authentication before access to media content. This ensures that files can only be delivered to authenticated users within a customer instance.

For customers that prefer to go without a CDN, use of a CDN for multimedia content can be deactivated on demand. AWS CloudFront is ISO 27001, ISO 27017, and ISO 27018 certified. AWS CloudFront has completed the CSA Consensus Assessments Initiative Questionnaire and regularly provides SOC 1, 2, and 3 reports. The most recent SOC 3 report (security, availability, and confidentiality) is publicly available here.
Security Information and Event Management
Staffbase uses a security information and event management (SIEM) system to gather all available logs from our systems and analyze them for correlated events. The SIEM system notifies the Staffbase Security team about such an event, and the team responds according to a dedicated process.
Intrusion Detection and Prevention
Intrusion detection and prevention is provided by our hosting providers at both Staffbase hosting locations.
DDoS Mitigation
Distributed Denial of Service (DDoS) is mitigated by our hosting providers Microsoft Azure, 1&1 Ionos, and SysEleven.
Logical Access
Access to the Staffbase production network is restricted to the core technical operations team, and all access is frequently audited and monitored. All access by this restricted team to production systems goes over VPN and requires key-based authentication.
Security Incident Response
When a system alert fires, security incidents are escalated to the Staffbase Security team. Our employees are trained in security incident response, including communication channels and escalation paths. Incidents are handled according to a defined process for information security events that complies with the ISO 27001 standard.

Encryption

Encryption in transit

All communication with our systems over public networks is encrypted with HTTPS using Transport Layer Security (TLS 1.2) and cipher suites providing Perfect Forward Secrecy (PFS). SSLv3 is disabled on all systems.
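
The transport policy stated above (nothing below TLS 1.2, forward-secret suites only, SSLv3 gone) is something a customer can verify rather than take on trust. The following is an added example, not Staffbase code, showing how such a policy is expressed and checked with Python's standard ssl module: a server context that enforces it, a check that every enabled suite uses ephemeral key exchange, and a review of what a peer actually negotiated. The cipher string and the sample handshake results are assumptions for illustration.

```python
import ssl

# Key-exchange prefixes that provide forward secrecy: ephemeral (EC)DH suites in
# TLS 1.2, and every TLS 1.3 suite (TLS 1.3 only defines ephemeral key exchange).
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")

# OpenSSL cipher string (an assumed policy, not a vendor setting): ephemeral
# ECDH with AEAD ciphers only; no anonymous, null or MD5 suites.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def build_server_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2 or newer, PFS suites only.

    Setting minimum_version drops SSLv3, TLS 1.0 and TLS 1.1 in one place;
    the deprecated OP_NO_* flags are not needed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def is_forward_secret(cipher_name: str) -> bool:
    """True if the suite name implies ephemeral key exchange."""
    return cipher_name.startswith(PFS_PREFIXES)


def minimum_protocol(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Enabled suites that would NOT give forward secrecy; should be empty."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


def review_negotiation(version: str, cipher_name: str) -> list:
    """Findings for a connection a peer actually negotiated.

    `version` and `cipher_name` are the values ssl.SSLSocket.version() and
    ssl.SSLSocket.cipher()[0] return after a handshake.
    """
    findings = []
    if version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"obsolete protocol {version}")
    if not is_forward_secret(cipher_name):
        findings.append(f"no forward secrecy: {cipher_name}")
    return findings


if __name__ == "__main__":
    ctx = build_server_context()
    print("minimum protocol:", minimum_protocol(ctx))
    print("non-PFS suites enabled:", non_pfs_suites(ctx))
    # Constructed handshake results, as a connection monitor would record them.
    for v, c in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                 ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                 ("TLSv1", "AES256-SHA")]:
        print(v, c, review_negotiation(v, c) or "ok")
```

The same review_negotiation check can be run against a live endpoint by wrapping a socket with ssl.create_default_context() and passing version() and cipher()[0] of the resulting SSLSocket; any finding means the endpoint does not meet the stated policy.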

Encryption at rest

We store user passwords only as the output of a best-practice one-way hash function (see Secure Credential Storage below) to minimize the impact of a data breach. Almost all of our services encrypt data at rest using industry best-practice symmetric encryption schemes.

Product Security

Framework Security Controls
Our applications are protected by best practices against common web risks such as CSRF (cross-site request forgery), SQLi (SQL injection), and XSS (cross-site scripting), following the OWASP recommendations.
Quality Assurance
To ensure a maximum level of QA, we perform a number of automated tests on our code base. We also peer-review all code changes that are submitted to the code base by our developers.
Separate Environments
Staffbase’s testing and staging systems are logically separated from production systems. For testing, Staffbase uses dedicated test data rather than customer data.
Penetration Testing
Staffbase contracts a third-party penetration tester to perform independent penetration tests at least annually. Our security engineers continuously test new and existing features for vulnerabilities to raise the security level of our application.

We also allow customers to perform their own black box penetration tests on request.

Staffbase uses CVSS scores to rate the severity of identified vulnerabilities. The Staffbase Security team works closely with the product team to prioritize remediation of identified vulnerabilities based on that severity.

A summary for the most recent penetration test is available on request under a Non-Disclosure Agreement.

Security Features of the Staffbase Services

In order to ensure a high level of security within Staffbase Services, our customers can customize settings and access privileges and roles depending on their individual needs. Some of the features below depend on the exact plan selected by our customers.

Registration
Onboarding non-desk employees, some of whom may have never had a company email account or other IT account, creates a unique problem for our customers’ IT and Security departments, and Staffbase offers unique solutions. We offer several ways for onboarding your users onto the Staffbase Services to perfectly support your use case:
  • Use email & password if you know your users' email addresses. Typically you will use company email addresses, but it also works with private email addresses.
  • Use username & password if using email is not an option.
  • Using self-signup with a company email address is an effective and easy way for onboarding a lot of users with company email addresses.
  • Use Single Sign-On (SSO) if you already have a centralized identity management system. The Staffbase platform supports industry standards such as SAML 2.0 and OpenID Connect.
User Session Security
Customers can configure session management in Staffbase to fit existing company policies for IT systems. Staffbase offers the ability to define custom session lifetime for each device. While users are able to use multiple devices such as smartphones, tablets, and desktops for accessing Staffbase, you may also configure how many parallel sessions per user are allowed.
Configurable Password Policy
You can configure a password policy covering minimum length (between 5 and 160 characters) and complexity (required character types such as upper- and lowercase letters, numbers, and symbols) to fit your needs and policies.
Email Signing
Outbound email from Staffbase is signed with DKIM (DomainKeys Identified Mail).
Secure Credential Storage
Passwords in Staffbase cannot be recovered from the database, as they are stored as scrypt hashes. scrypt is a memory-hard one-way password hashing function designed to make large-scale and hardware-accelerated password guessing expensive.
API Security & Authentication
The API available to customers is secured by HTTPS and an API token that is sent via HTTP Basic authentication. API documentation for integrations is available on our Developer Portal.
Access Privileges & Roles
Depending on your individual needs, you can customize access privileges and roles to be fine-grained in Staffbase. Please find product documentation about Staffbase user roles on our Support Portal.

Privacy and Data Protection

Please contact us if you have any questions.