Security on mobile devices and apps is one of the most discussed topics of the 21st century. We at Staffbase take thorough precautions to make sure your data is as safe as can be.
The Staffbase App is hosted on Profitbricks and Azure, which comply with the ISO 27001 and SSAE-16 standards to ensure your data security. All information is encrypted using TLS 1.2 and PFS, security incidents are reported 24/7 to our security team, and access to the Staffbase production network is restricted to a core team. In addition, we do daily backups and have an uptime of 99.9%.
Staffbase servers are located on Azure by default. Microsoft Azure facilities are compliant with ISO 27001 and SSAE-16.
The Staffbase servers hosted on Azure are located in East US (Virginia).
Alternatively, we offer hosting in an EU-based data center. In that case, Staffbase servers are located on Profitbricks. Profitbricks facilities are compliant with ISO 27001 and ISO 9001.
The Staffbase servers in the EU-based data center are located in Frankfurt, Germany.
Our network is protected by redundant layer 4 firewalls, secure HTTPS transport for communication over public networks, VPN-only access to our production and testing systems, and key-based authentication for system administrators performing maintenance.
The Staffbase network architecture is designed to minimize the risk of a security breach by permitting access only to the minimal required systems, while other systems, such as database servers, are only accessible internally. All traffic to our application servers is routed through our proxies and gateways. No other system in our data centers ever has direct access to the internet, either inbound or outbound.
We allow customers to do their own penetration tests on request. Additionally, we provide a summary of previous penetration tests on request.
A security incident event management (SIEM) system gathers all available logs from our systems and analyzes them for correlated events. The SIEM system notifies the Staffbase Security team about such an event, and the team responds to it.
Intrusion detection and prevention is done by our hosting providers, Microsoft Azure and Profitbricks, to ensure maximum security in both the international system and the German system.
Distributed denial of service (DDoS) is mitigated by our hosting providers, Microsoft Azure and Profitbricks.
Access to the Staffbase Production Network is restricted to the core operations team. This includes frequent auditing and monitoring of access. All production systems are secured by VPN and require key-based authentication.
In case of a system alert, security incidents are escalated 24/7 to our Staffbase Security team. Our employees are trained on security incident response, including communication channels as well as escalation paths.
All communication of our systems over public networks is encrypted using HTTPS with Transport Layer Security (TLS 1.2) and Perfect Forward Secrecy (PFS). We disabled SSLv3 on all systems to prevent security breaches.
We store user passwords using best-practice one-way hash functions to minimize the impact of a data breach.
For all Staffbase services we guarantee a 99.9% uptime.
We perform daily backups of all relevant systems and store these backups for up to a month so that data can be restored after an identified incident. Also, all production systems of Staffbase run at least in dual mode to provide fast failover.
Our disaster recovery program includes plans for different scenarios and regular training for the recovery team. The team is hence able to recover data in cases of emergency.
Our applications are protected by best practices against common web risks such as CSRF, SQLi and XSS. We regularly run penetration tests and review all code changes that are submitted by our developers.
We periodically train our developers to be aware of common security risks in development and of the privacy of our customers' data.
Our applications are protected by best-practice mechanisms against common risks in Web applications, such as CSRF, SQLi, and XSS.
To ensure a maximum level of QA, we run a large number of automated tests on our code base. Also, we peer-review all code changes that are submitted by our developers to the code base.
Staffbase's testing and staging systems are logically separated from production systems.
While customers are allowed to perform their own penetration tests on request, our employees also perform annual internal penetration tests to increase the security level of our application.
To make security a given within the app, you can, first, customize access privileges and roles to your individual needs and, second, configure the maximum lifetime of a user session to adjust the security based on company policies.
We offer several ways of onboarding your users into Staffbase. Users can be invited directly by email. You can also use registration based on domain bonding. That is, every user with a certain email domain can register without being invited individually. Even when you do not know the email addresses of your users, you can invite them by generating unique access codes for one-time registration. Finally, you can use SSO for registration.
For authentication as well as onboarding, you can also use our SSO integrations. To do so, you can integrate your systems with Staffbase using SAML and OpenID.
You can use a customized password policy when using SSO. We also provide configurable password policies on request.
Two-factor authentication is available when using SSO.
Passwords in Staffbase cannot be extracted, as they are stored in the database using bcrypt, a one-way hash function that is designed to be collision free.
The API that is available to customers is secured by HTTPS and an API token that uses HTTP Basic authentication.
You can customize access privileges and roles in Staffbase at a fine-grained level to suit your individual needs.
We utilize HTTPS connections for every communication between Staffbase clients and servers.
We use DKIM (DomainKeys Identified Mail) for signing outbound emails from Staffbase.
In Staffbase you can configure the maximum lifetime of a user’s session to adjust the security based on your company policies.
Apart from an annual security awareness training, all employees sign a confidentiality agreement complying with the German data secrecy provision and the law for confidentiality of telecommunications. These laws are some of the strictest worldwide.
Our security policies are maintained and audited frequently by our data protection officer.
For our employees, we provide an annual security awareness training as well as frequent security awareness updates about recent security risks.
All employees of Staffbase have signed a confidentiality agreement to protect customers' data, as well as agreements obligating them to comply with the data secrecy provisions of § 5 of the BDSG (Bundesdatenschutzgesetz) and the confidentiality of telecommunications (§ 88 Telecommunications Act).
Access to our production systems is reduced to a minimum set of persons, who are responsible for maintenance and operations.
We do not share any client data with any third party. As plugins are optional in Staffbase, they may be excluded from this guarantee.
Where required under applicable data protection law, we will conclude an agreement on commissioned data processing.