SafeBase helps B2B SaaS companies close enterprise deals faster by streamlining the security assessment process. We take security seriously and have a dedicated internal security team. Our security team's controls and policies are detailed on this Trust Center. Email us at firstname.lastname@example.org if you have any additional questions not answered by this Portal.
- Description of service/product being provided.
- List data types needed to provide services.
- Does your organization have a Data Classification Policy?
- Does your organization have an Internal and External Communication Policy?
- Does your organization have a BYOD Policy?
Trust Center Updates
SafeBase Response to Okta October Customer Support Security Incident (Subprocessors)
SafeBase is aware of the recent update that Okta provided customers regarding data leakage with the Customer Support Management System. Based on the information known to us at this time, we have deemed the impact to be minimal for SafeBase and our customers. We had already enabled Admin Session Binding, one of the recommended features suggested by Okta in their notice, as soon as it was made available in our Okta instance. In addition, we use strong, hardware-based MFA, strict session timeouts, and have regular phishing training for all employees.
SafeBase not affected by HTTP/2 Rapid Reset Attack (Vulnerabilities)
Our security team has been made aware of the new HTTP/2 Rapid Reset Attack that could potentially cause a denial of service for web servers. Due to proactive mitigations by both Google Cloud and Cloudflare, none of our infrastructure has been affected to our knowledge. In addition, we confirmed that our underlying NGINX servers do not have the HTTP/2 module enabled.
For more details on this vulnerability, please visit https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack.
SafeBase Acknowledgement of Retool Security Incident (Incidents)
As a precaution, the security team made the decision to rotate the connection credentials used by our Retool instance despite the Retool team confirming that our instance was not affected. We are confident that with this added step, there should have been no material impact to any SafeBase data from the Retool security incident.
As you may be aware, one of our subprocessors, Retool, recently disclosed a security incident that affected a very small number of customers: https://retool.com/blog/mfa-isnt-mfa/. To our knowledge, no SafeBase data was affected. The Retool team has confirmed that our Retool instance was not affected by this incident. We will continue to monitor this situation and will provide updates if we have any going forward.
The SafeBase Security Team
SafeBase 2023 Pen Test Report Now Available (General)
SafeBase engaged Rhymetec to conduct an external-facing pen test in August 2023. No Medium or higher findings were identified. You can access our new report and attestation through our Trust Center.
New SOC 2 Type 2 Report Available for Download (Compliance)
We here at SafeBase have just completed our latest audit for SOC 2 compliance!
This new SOC 2 Type 2 report is for the 12-month monitoring period ending in May 2023. We are proud to say that no exceptions were found.
Documentation is now available in our Trust Center.
SafeBase Not Impacted by MOVEit Vulnerabilities (Incidents)
Recently, the security team here at SafeBase became aware of the news surrounding a high-impact MOVEit vulnerability. Reputable threat intelligence sources have reported that this incident impacts customers of this solution: https://www.securityweek.com/moveit-customers-urged-to-patch-third-critical-vulnerability/.
We want our customers to know that SafeBase is not impacted by this vulnerability.
We do not leverage this technology/software within our product and therefore the confidentiality, integrity, and availability of our systems remain unharmed.
MVSP and VSAQ Self-Assessments Now Available (Compliance)
The SafeBase Security Team is happy to announce that we have 2 new Self-Assessment documents available to review:
- MVSP: Minimum Viable Secure Product baseline standard created by folks from leading companies such as Google, Okta, and SafeBase.
- VSAQ: Vendor Security Assessment Questionnaires from the team at Google.
Both of these can be found in our Trust Center under the Self-Assessments card.
SafeBase Not Impacted by News about SVB (Incidents)
While we are carefully monitoring the situation involving California banking regulators closing SVB Financial Group and appointing the FDIC as receiver on March 10, SafeBase does not have any deposits or other relationship with SVB and we have no reason to believe our financial position will be impacted by this news.
-Al Yang, CEO SafeBase
Q4 2022 Questionnaires and Network Diagram Update (Compliance)
The SafeBase team has uploaded refreshed versions of our CAIQ/SIG/VSA questionnaires, as well as our network diagram, with updated information that is accurate as of December 28, 2022. These documents are now available to download.
SafeBase's Response to the 2022 OpenSSL 3 Vulnerabilities (Incidents)
After careful review of our infrastructure and SBOM, the SafeBase team has determined that we are not currently vulnerable to the OpenSSL 3 vulnerabilities CVE-2022-3602 and CVE-2022-3786 that were disclosed on November 1, 2022.
As a helpful resource, you can use this page to determine if certain widely used software in your environment is affected or unaffected: https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md
2022 Pentest Report Now Available (Compliance)
SafeBase engaged NCC Group for a comprehensive web application security pentest for our web application and customer-facing API. An executive summary is now available on our Trust Center.
SafeBase SOC 2 Type 2 Report Available for Download (Compliance)
SafeBase's SOC 2 Type 2 report for the 12-month monitoring period ending in May 2022 is now available to request and download from our Trust Center.
New Subprocessor Added: Flatfile (Subprocessors)
This is a notification that we have added a new Subprocessor:
Location: United States
Purpose: We have updated our Knowledge Base to use an updated version of Flatfile's data importer with additional features. This version requires server-side processing. The previous version of Flatfile ran client-side only. Note that this will only affect customers who import files into the SafeBase Knowledge Base. If you do not currently use this feature, this will not affect your usage of the SafeBase platform at this time.
DPA signed: Yes
SafeBase update on Okta (Incidents)
While the SafeBase product allows customers to authenticate using Okta, we ourselves do not use Okta internally. As a result, at this point in time, we do not have any reason to believe we were affected. Please reach out to us at email@example.com if you have any further questions or concerns.
Director of Information Security
Notable Customers Added to SafeBase's Security Portal (General)
As a part of a recent release, we have updated our Security Portal with a list of notable customers who are using SafeBase's Smart Trust Center to proactively build trust and improve sales cycles.
All SafeBase vendors now have the ability to add their own trusted customers to their Security Portal to help instill additional confidence with prospective buyers.
Reach out to firstname.lastname@example.org with any questions!
Security Update - Log4j (Incidents)
As you may have seen in the news over the weekend, a recent major security vulnerability was discovered with the popular logging utility Log4j.
After reviewing our logs, communicating with our vendors, and reading all the information that is publicly available as of Tuesday, December 28, 2021, we have no reason to believe that any SafeBase internal or customer data has been affected at this point in time. Should this change, we will communicate this to you as soon as we are able to.
As it stands, none of our code is written in Java, nor do we use any Apache tools throughout our entire tech stack.
As an additional reminder, our Subscribe feature is available as a means to send updates such as these to customers. You can Subscribe to SafeBase updates yourself at the top of this Security Portal. In the near future, we will be releasing a new feature in which you will be able to post a public notice about high-impact breaches such as this one.
Please feel free to reach out to us at email@example.com if you have any questions or concerns.