Trust Center

SafeBase is not affected by the XZ Utils backdoor vulnerability.

Our security team has reviewed all OS versions deployed in our environment and confirmed that none of the impacted operating systems or versions are utilized.

For more details on this vulnerability, please visit https://nvd.nist.gov/vuln/detail/CVE-2024-3094 and https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils.

SafeBase is aware of the recent update that Okta provided customers regarding data leakage with the Customer Support Management System. Based on the information known to us at this time, we have deemed the impact to be minimal for SafeBase and our customers. We had already enabled Admin Session Binding, one of the recommended features suggested by Okta in their notice, as soon as it was made available in our Okta instance. In addition, we use strong, hardware-based MFA, strict session timeouts, and have regular phishing training for all employees.

Our security team has been made aware of the new HTTP/2 Rapid Reset Attack that could potentially cause a denial of service for web servers. Due to proactive mitigations by both Google Cloud and Cloudflare, none of our infrastructure has been affected to our knowledge. In addition, we confirmed that our underlying NGINX servers do not have the HTTP/2 module enabled.

For more details on this vulnerability, please visit https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack.

As a precaution, the security team made the decision to rotate the connection credentials used by our Retool instance despite the Retool team confirming that our instance was not affected. We are confident that with this added step, there should have been no material impact to any SafeBase data from the Retool security incident.

Hi,

As you may be aware, one of our subprocessors, Retool, recently disclosed a security incident that affected a very small number of customers: https://retool.com/blog/mfa-isnt-mfa/. To our knowledge, no SafeBase data was affected. The Retool team has confirmed that our Retool instance was not affected by this incident. We will continue to monitor this situation and will provide updates if we have any going forward.

The SafeBase Security Team

SafeBase engaged Rhymetec to conduct an external facing pen test in August 2023. No Medium or higher findings were identified. You can access our new report and attestation through our Trust Center.

We here at SafeBase have just completed our latest audit for SOC 2 compliance!

This new SOC 2 Type 2 report is for the 12-month monitoring period ending in May 2023. We are proud to say that no exceptions were found.

Documentation is now available in our Trust Center.

Recently, the security team here at SafeBase became aware of the news surrounding a high impact MOVEit vulnerability. Reputable threat intelligence sources have reported that this incident impacts customers of this solution: https://www.securityweek.com/moveit-customers-urged-to-patch-third-critical-vulnerability/.

We want our customers to know that SafeBase is not impacted by this vulnerability.

We do not leverage this technology/software within our product and therefore the confidentiality, integrity, and availability of our systems remain unharmed.

The SafeBase Security Team is happy to announce that we have 2 new Self-Assessment documents available to review:

• MVSP: Minimum Viable Secure Product baseline standard created by folks from leading companies such as Google, Okta, and SafeBase.
• VSAQ: Vendor Security Assessment Questionnaires from the team at Google.

Both of these can be found in our Trust Center under the Self-Assessments card.

While we are carefully monitoring the situation involving California banking regulators closing SVB Financial Group and appointment of the FDIC as receiver on March 10, SafeBase does not have any deposits or other relationship with SVB and we have no reason to believe our financial position will be impacted by this news.

-Al Yang, CEO SafeBase

The SafeBase team has uploaded refreshed versions of our CAIQ/SIG/VSA questionnaires, as well as our network diagram, with updated information that is accurate as of December 28, 2022. These documents are now available to download.

After careful review of our infrastructure and SBOM, the SafeBase team has determined that we are not currently vulnerable to the OpenSSL 3 vulnerabilities CVE-2022-3602 and CVE-2022-3786 that were disclosed on November 1, 2022.

As a helpful resource, you can use this page to determine if certain widely used software in your environment is affected or unaffected: https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md

SafeBase engaged NCC Group for a comprehensive web application security pentest for our web application and customer facing API. An executive summary is now available on our Trust Center.

SafeBase's SOC 2 Type 2 report for the 12 month monitoring period ending in May 2022 is now available to request and download from our Trust Center.

This is a notification that we have added a new Subprocessor:

Name: Flatfile

Location: United States

Website: https://flatfile.com/

Purpose: We have updated our Knowledge Base to use an updated version of Flatfile's data importer with additional features. This version requires server side processing. The previous version of Flatfile ran client side only. Note that this will only affect customers who import files into the SafeBase Knowledge Base. If you do not currently use this feature, this will not affect your usage of the SafeBase platform at this time.

DPA signed: Yes

While the SafeBase product allows customers to authenticate using Okta, we ourselves do not use Okta internally. As a result, at this point in time, we do not have any reason to believe we were affected. Please reach out to us at [email protected] if you have any further questions or concerns.

​

Kevin Qiu

Director of Information Security

SafeBase

As a part of a recent release, we have updated our Security Portal with a list of notable customers who are using SafeBase's Smart Trust Center to proactively build trust and improve sales cycles.

​

All SafeBase vendors now have the ability to add their own trusted customers to their Security Portal to help instill additional confidence with prospective buyers.

​

Reach out to [email protected] with any questions!

As you may have seen in the news over the weekend, a recent major security vulnerability was discovered with the popular logging utility Log4j.

​

After reviewing our logs, communicating with our vendors, and reading all the information that is publicly available as of Tuesday, December 28, 2021, we have no reason to believe that any SafeBase internal or customer data has been affected at this point in time. Should this change, we will communicate this to you as soon as we are able to.

​

As it stands, none of our code is written in Java, nor do we use any Apache tools throughout our entire tech stack.

​

As an additional reminder, our Subscribe feature is available as a means to send updates such as these to customers. You can Subscribe to SafeBase updates yourself at the top of this Security Portal. In the near future, we will be releasing a new feature in which you will be able to post a public notice about high impact breaches such as this one.

​

Please feel free to reach out to us at [email protected] if you have any questions or concerns.