Security Overview
Security and Sharing - Complete Guide
At Tadabase, security is a top priority. We implement strict security measures on our end, and you can learn more about them at tadabase.io/security. However, ensuring the security of your application is a shared responsibility. While we provide the tools and features you need, it's crucial that you use them effectively to maintain the security of your app.
This comprehensive guide serves as your central hub for all security and sharing features available within Tadabase. Whether you're building a simple application or need to meet strict compliance requirements like HIPAA, this guide will help you understand and implement the right security measures.
Quick Navigation
- Platform Security - Builder and platform-level security
- Authentication & Access Control - How users log in and access your app
- Application Security - App-wide security settings
- User Security - User-specific security features
- Data Security - Protect your data with row-level security
- File Security - Secure file storage and access
- Logging & Auditing - Track all activities for compliance
- Sharing & Collaboration - Share apps safely with team members
- Compliance & Best Practices - HIPAA, GDPR, and security best practices
Platform Security Features
These security features apply to the Tadabase builder platform itself, protecting your account and builder access.
Builder Account Security
- Platform Login Logs - Receive email notifications every time your builder account is accessed
- Two-Factor Authentication (2FA) - Add an extra layer of security to your builder account with email-based verification codes
- Builder Activity Logs - Track all changes made in the builder with detailed logs of who changed what and when
- Page Versions - Revert to previous versions of your pages if unauthorized changes occur
- Session Management - Automatic timeout after 15 minutes of inactivity (for HIPAA-designated apps)
Learn more about Builder Security →
Builder Access Logs
Monitor all activity within the app builder with comprehensive logs that track:
- Page modifications and updates
- Component changes
- Data table modifications
- Settings changes
- User and timestamp for each action
Learn more about Builder Update Logs →
Authentication & Access Control
Tadabase offers multiple authentication methods to suit your security requirements, from simple email/password logins to enterprise-grade Single Sign-On (SSO).
Authentication Methods
Email & Password
Standard authentication with configurable password policies including complexity requirements, password history, and expiration settings.
Single Sign-On (SSO)
Integrate with popular identity providers for centralized authentication:
- Google SSO - Sign in with Google accounts
- Microsoft Azure SSO - Enterprise Azure Active Directory integration
- Okta SSO - Enterprise identity management with Okta
- Auth0 SSO - Flexible authentication with Auth0
- Facebook, Twitter, GitHub, Slack - Social login options
Magic Links
Passwordless authentication where users receive a secure, time-limited link via email to log in without entering a password.
Learn more about Magic Links →
Two-Factor Authentication (2FA)
Enforce 2FA for app users to add an extra layer of security. Users receive a verification code via email when logging in.
User Management
Control who can access your application with comprehensive user management features:
- Users & Roles - Create roles with different permission levels
- User Status Management - Active, Inactive, or Not Verified user states
- Domain Signup Restrictions - Limit signups to specific email domains
- Signup Disabling - Prevent new user registrations
- Email Verification - Require users to verify their email before accessing the app
Learn more about Users & Roles →
Learn more about User Settings →
Application Security Settings
Configure app-wide security settings that apply to all users and pages within your application.
Auto Logout
Automatically log users out after a specified period of inactivity (1-60 minutes). This protects against unauthorized access to idle sessions.
Learn more about Auto Logout →
IP Whitelisting & Blacklisting
Restrict access to your app based on specific IP addresses. You can:
- Allow only specific IP addresses (whitelist)
- Block specific IP addresses (blacklist)
- Display custom messages to blocked users
- Show users their own IP address in that message with the {ip} placeholder
Learn more about IP Security →
Failed Login Protection
Automatically block an IP address or a user account after a configurable number of failed login attempts. This slows brute-force and password-guessing attacks. Blocking by IP stops a single-source attack; blocking by account also limits guessing spread across many source addresses, but note that anyone who knows a username can trigger the block for that account, so review the failed login logs rather than relying on the block alone.
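An added example of how such a failed-login guard works, not code from Tadabase: it counts failures per source IP and per account inside a sliding window and applies a temporary block once a threshold is crossed. Thresholds, window length and lockout duration are illustrative assumptions.

```python
"""Added example (not Tadabase code): a failed-login guard that blocks a source IP
and/or an account after a configurable number of failures inside a sliding window.
Thresholds, window and lockout length are illustrative assumptions."""
from collections import defaultdict, deque


class FailedLoginGuard:
    def __init__(self, ip_threshold=20, account_threshold=5,
                 window_seconds=300, lockout_seconds=900):
        # An IP usually gets a higher threshold than an account: many users can
        # legitimately share one egress address (office NAT, VPN).
        self.ip_threshold = ip_threshold
        self.account_threshold = account_threshold
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self._account_failures = defaultdict(deque)  # user -> timestamps of failures
        self._ip_blocked_until = {}
        self._account_blocked_until = {}

    def _prune(self, timestamps, now):
        # Drop failures that fell out of the sliding window.
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()

    def is_blocked(self, ip, username, now):
        user = username.lower()
        return (self._ip_blocked_until.get(ip, 0) > now
                or self._account_blocked_until.get(user, 0) > now)

    def record_failure(self, ip, username, now):
        """Register a failed attempt; returns True if the source or account is now blocked."""
        user = username.lower()
        ip_q = self._ip_failures[ip]
        self._prune(ip_q, now)
        ip_q.append(now)
        user_q = self._account_failures[user]
        self._prune(user_q, now)
        user_q.append(now)
        if len(ip_q) >= self.ip_threshold:
            self._ip_blocked_until[ip] = now + self.lockout
            ip_q.clear()
        if len(user_q) >= self.account_threshold:
            # Lockouts are temporary on purpose: a permanent account lock would let
            # an attacker deny service to any user just by guessing wrong.
            self._account_blocked_until[user] = now + self.lockout
            user_q.clear()
        return self.is_blocked(ip, username, now)

    def record_success(self, ip, username, now):
        """A successful login resets the account's failure counter (not an active lockout)."""
        self._account_failures.pop(username.lower(), None)


if __name__ == "__main__":
    guard = FailedLoginGuard(account_threshold=3)
    for t in (0, 10, 20):
        print("blocked:", guard.record_failure("203.0.113.5", "alice", t))
```

Call `is_blocked` before verifying the password so a blocked attempt never reaches the credential check; usernames are lower-cased so case variants count against the same account.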
Read-Only Mode
Put your entire app in read-only mode to prevent any data modifications. Useful during:
- Maintenance windows
- Audits or data reviews
- High-risk periods
- Template app demonstrations
Learn more about Read-Only Mode →
SSL Certificates
When using a custom domain, make sure a valid SSL/TLS certificate is in place for it. Without one, browsers show security warnings and, if the app is reached over plain HTTP, traffic to it is not encrypted in transit. Tadabase provides automatic SSL certificate provisioning via CNAME.
User Security Features
Configure security settings that apply to individual users and their accounts.
Password Security
Enforce strong password policies with customizable requirements:
- Minimum Character Length - Set minimum password length (e.g., 8, 10, 12 characters)
- Complexity Requirements
- Require at least 1 uppercase letter
- Require at least 1 lowercase letter
- Require at least 1 number
- Require at least 1 special character
- Common Word Verification - Prevent use of easily guessed passwords
- Password History - Prevent users from reusing recent passwords
- Password Expiration - Force password changes after a specified period
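An added example, not Tadabase's own implementation, of how the policy above is typically enforced in code: length and complexity classes, a common-word check that also catches leetspeak variants, a reuse check against salted hashes of previous passwords, and an expiration check. The common-password list, the history-hash scheme and the message texts are constructed for illustration.

```python
"""Added example (not Tadabase code): a password-policy checker covering minimum
length, complexity classes, a common-word check, password history and expiration.
The common-password list and the history-hash scheme are constructed for illustration."""
import hashlib
import hmac
import re

# Constructed sample; a real deployment would use a breached-password list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou",
                "monkey", "dragon", "football", "baseball", "sunshine"}

# Typical substitutions attackers try first, so "P@ssw0rd" is still "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def history_hash(password, salt):
    """Slow salted hash kept for reuse checks (never store plaintext history)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


class PasswordPolicy:
    def __init__(self, min_length=12, require_upper=True, require_lower=True,
                 require_digit=True, require_special=True,
                 history_size=5, max_age_days=90):
        self.min_length = min_length
        self.require_upper = require_upper
        self.require_lower = require_lower
        self.require_digit = require_digit
        self.require_special = require_special
        self.history_size = history_size
        self.max_age_days = max_age_days

    def check(self, password, username=None, history_hashes=(), salt=b""):
        """Return a list of violations; an empty list means the password is acceptable."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"must be at least {self.min_length} characters")
        if self.require_upper and not re.search(r"[A-Z]", password):
            errors.append("needs an uppercase letter")
        if self.require_lower and not re.search(r"[a-z]", password):
            errors.append("needs a lowercase letter")
        if self.require_digit and not re.search(r"[0-9]", password):
            errors.append("needs a number")
        if self.require_special and not re.search(r"[^A-Za-z0-9]", password):
            errors.append("needs a special character")
        # Common-word verification: undo leetspeak, keep letters only, substring match.
        normalized = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
        if any(word in normalized for word in COMMON_WORDS):
            errors.append("contains a common password")
        if username and username.lower() in password.lower():
            errors.append("must not contain your username")
        # Password history: compare against the last N stored hashes in constant time.
        candidate = history_hash(password, salt)
        recent = list(history_hashes)[-self.history_size:]
        if any(hmac.compare_digest(candidate, old) for old in recent):
            errors.append(f"matches one of your last {self.history_size} passwords")
        return errors

    def is_expired(self, last_changed, now):
        """Password expiration: True when more than max_age_days have passed (Unix timestamps)."""
        return (now - last_changed) > self.max_age_days * 86400


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.check("P@ssw0rd1!!!"))
    print(policy.check("Tr0ub4dor&3-Horse-Staple", username="alice"))
```

The history check compares a fresh hash of the candidate against stored hashes rather than stored passwords, so a leaked history table does not reveal old passwords; the salt is per user.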
Learn more about Password Policies →
Session Management
Monitor and control active user sessions:
- View Active Sessions - See all active sessions for each user (tracks up to 13 hours)
- Terminate Sessions - Remotely end suspicious or unauthorized sessions
- Session Details - View browser, platform, IP address, and location for each session
- Session Limits - Configure maximum number of concurrent sessions per user
Learn more about Session Management →
Login Tracking
Track all login activity with comprehensive logs:
- Successful logins
- Failed login attempts
- Magic link usage
- SSO authentications
- Login location (geolocation)
- Browser and device information
- Screen resolution tracking
Learn more about User Login Logs →
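Login logs are only useful if someone looks at them. The following is an added example of the review a practitioner would script over an export of such logs; it is not a Tadabase feature or Tadabase code, and the log format and every entry in it are constructed for illustration. It flags three patterns: a success that follows a run of failures from the same source, a successful login from a country the user has never logged in from, and one IP failing against many different accounts (password spraying).

```python
"""Added example (not Tadabase code): reviewing login logs for the patterns worth
alerting on. The log format and all entries below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample: timestamp, outcome, user, source IP, geolocation (city,country).
SAMPLE_LOG = """\
2024-05-01T08:00:00Z SUCCESS alice@example.com 203.0.113.5 Paris,FR
2024-05-01T08:05:00Z FAILED bob@example.com 198.51.100.7 Denver,US
2024-05-01T08:05:02Z FAILED carol@example.com 198.51.100.7 Denver,US
2024-05-01T08:05:04Z FAILED dave@example.com 198.51.100.7 Denver,US
2024-05-01T08:05:06Z FAILED erin@example.com 198.51.100.7 Denver,US
2024-05-01T09:00:00Z FAILED alice@example.com 192.0.2.44 Lagos,NG
2024-05-01T09:00:10Z FAILED alice@example.com 192.0.2.44 Lagos,NG
2024-05-01T09:00:20Z FAILED alice@example.com 192.0.2.44 Lagos,NG
2024-05-01T09:00:30Z SUCCESS alice@example.com 192.0.2.44 Lagos,NG
2024-05-01T10:00:00Z SUCCESS bob@example.com 203.0.113.9 Denver,US
"""

LINE = re.compile(r"^(\S+) (SUCCESS|FAILED) (\S+) (\S+) (\S+)$")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        ts, outcome, user, ip, location = m.groups()
        events.append({"ts": ts, "outcome": outcome, "user": user.lower(),
                       "ip": ip, "country": location.rsplit(",", 1)[-1]})
    return events


def review_logins(events, spray_accounts=3, failure_streak=3):
    """Return (kind, subject, detail) findings. Events must be in time order."""
    findings = []
    failed_users_by_ip = defaultdict(set)
    streak = defaultdict(int)          # (user, ip) -> consecutive failures
    known_countries = defaultdict(set)  # user -> countries seen on successful logins
    for e in events:
        key = (e["user"], e["ip"])
        if e["outcome"] == "FAILED":
            failed_users_by_ip[e["ip"]].add(e["user"])
            streak[key] += 1
            continue
        # A success right after a run of failures looks like a guessed password.
        if streak[key] >= failure_streak:
            findings.append(("success-after-failures", e["user"], e["ip"]))
        streak[key] = 0
        # A success from a country the user has never logged in from before.
        seen = known_countries[e["user"]]
        if seen and e["country"] not in seen:
            findings.append(("new-country", e["user"], e["country"]))
        seen.add(e["country"])
    # One IP failing against many distinct accounts is password spraying.
    for ip, users in failed_users_by_ip.items():
        if len(users) >= spray_accounts:
            findings.append(("password-spray", ip, len(users)))
    return findings


if __name__ == "__main__":
    for finding in review_logins(parse_log(SAMPLE_LOG)):
        print(finding)
```

The "new country" heuristic only fires once a baseline exists for the user, which avoids an alert on every first login; the spray check is evaluated per IP after the pass because it depends on the whole window, not on one event.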
Data Security & Access Control
Control access to your data at multiple levels with Tadabase's granular security model.
Multi-Level Security Model
Tadabase provides security at four different levels, allowing you to control exactly what users can see and do:
1. App-Level Security
Global restrictions that apply to the entire application (IP whitelisting, auto logout, etc.).
2. Layout-Level Security
Control which roles can access specific layouts within your app. Useful for creating separate admin areas or role-specific interfaces.
3. Page-Level Security
Restrict access to individual pages based on user roles. Combine with page rules for dynamic access control.
4. Row-Level Security
The most granular level - control which specific records users can view or edit based on field values, user roles, or relationships.
Learn more about Multi-Level Security →
Page Rules
Create conditional access rules that dynamically control page access based on:
- User role
- Field values
- User status
- Custom conditions
Page rules can redirect users to different pages or show custom messages when conditions aren't met.
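To make the four levels and page rules concrete, here is an added example (not Tadabase code) that evaluates one request in the same order: app-level IP allow/block lists with the {ip} placeholder from the IP Security section, layout-level and page-level role checks, page rules that deny or redirect, and finally a row-level filter on an owner field. The app settings, layout, page, user records and rows are constructed fixtures; in a real app all of this is configured in the builder rather than written in code.

```python
"""Added example (not Tadabase code): the four security levels evaluated in order
for one request. App settings, page definition, user records and rows are all
constructed for illustration; a real app configures these in the builder."""
import ipaddress


def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def check_app_level(client_ip, settings):
    """App level: the blocklist wins over the allowlist; {ip} is substituted into the message."""
    ip = ipaddress.ip_address(client_ip)
    if _in_any(ip, settings.get("block", [])):
        return settings["block_message"].format(ip=client_ip)
    allow = settings.get("allow", [])
    if allow and not _in_any(ip, allow):
        return settings["allow_message"].format(ip=client_ip)
    return None  # no app-level objection


def authorize_page(user, client_ip, settings, layout, page):
    """Returns ("ok", None), ("deny", message) or ("redirect", target)."""
    message = check_app_level(client_ip, settings)
    if message:
        return ("deny", message)
    # Layout level, then page level: an empty role set means "any logged-in user".
    for scope in (layout, page):
        if scope["roles"] and not (set(user["roles"]) & scope["roles"]):
            return ("deny", "You do not have permission to view this page.")
    # Page rules: conditions on the logged-in user's record, evaluated in order.
    for rule in page.get("rules", []):
        if rule["when"](user):
            return rule["action"]
    return ("ok", None)


def visible_rows(user, rows, owner_field="owner_id", bypass_roles=("admin",)):
    """Row level: non-admins only see records linked to them through the owner field."""
    if set(user["roles"]) & set(bypass_roles):
        return list(rows)
    return [r for r in rows if r.get(owner_field) == user["id"]]


# Constructed fixtures (assumptions, not a real app's settings)
APP = {"allow": ["203.0.113.0/24"], "block": ["203.0.113.66/32"],
       "block_message": "Access from {ip} has been blocked.",
       "allow_message": "Your address {ip} is not on the allow list."}
LAYOUT_STAFF = {"roles": {"admin", "staff"}}
PAGE_ORDERS = {"roles": set(), "rules": [
    {"when": lambda u: u["status"] != "active", "action": ("redirect", "/account-inactive")},
]}
ROWS = [{"id": 1, "owner_id": "u1", "total": 40},
        {"id": 2, "owner_id": "u2", "total": 75}]

if __name__ == "__main__":
    alice = {"id": "u1", "roles": ["staff"], "status": "active"}
    print(authorize_page(alice, "203.0.113.10", APP, LAYOUT_STAFF, PAGE_ORDERS))
    print(visible_rows(alice, ROWS))
```

The order matters: the cheap, global checks run first, and the row filter is applied to the query itself rather than to the rendered page, so a record a user must not see is never fetched in the first place.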
Component Security
Control visibility and editability of individual components based on user roles. Hide sensitive components from users who shouldn't see them.
Field-Level Security
Control which fields are visible or editable by specific roles, ensuring users only see data they're authorized to access.
File Security
Protect uploaded files with secure storage and access control mechanisms.
Secure File Storage
Files uploaded to Tadabase are stored in private, secure S3 buckets with the following features:
- Private Buckets - Files are not publicly accessible by default
- Time-Limited URLs - Secure file URLs expire after a short period
- Access Control - Restrict file access based on user roles or field values
Secure File Access Restrictions
Control who can download files with three restriction options:
- Restrict by Logged-In User Field - Only the user associated with the record can access files
- Restrict by Logged-In Role - Only users with specific roles can access files
- Restrict by Role OR Field - Combine both restrictions with OR logic: access is granted if either condition matches, so this is the most permissive of the three options
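An added example (not Tadabase code) that ties the Secure File Storage and Secure File Access sections together: the three restriction modes as one authorization check, and then a time-limited signed URL of the kind private object storage issues, minted only after that check passes. The signing key, hostname, record field names and TTL are assumptions; Tadabase's actual URL scheme is not shown here.

```python
"""Added example (not Tadabase code): the three restriction modes as an authorization
check, followed by minting and verifying a time-limited signed download URL of the
kind private object storage uses. Key, hostname and field names are assumptions."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-example-key-rotate-me"  # assumption; keep server-side only


def may_access_file(user, record, mode, allowed_roles=(), user_field="owner_id"):
    """mode: "field" (record's user field must be the logged-in user),
    "role" (user holds an allowed role) or "field_or_role" (either; most permissive)."""
    by_field = record.get(user_field) == user["id"]
    by_role = bool(set(user["roles"]) & set(allowed_roles))
    return {"field": by_field, "role": by_role,
            "field_or_role": by_field or by_role}[mode]


def _signature(file_key, expires):
    # The expiry is part of the signed message, so it cannot be extended by the client.
    msg = f"{file_key}\n{expires}".encode()
    digest = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_file_url(base_url, file_key, ttl_seconds, now):
    """Mint a URL that stops working ttl_seconds after `now` (a Unix timestamp)."""
    expires = int(now) + int(ttl_seconds)
    query = urlencode({"expires": expires, "sig": _signature(file_key, expires)})
    return f"{base_url}/{file_key}?{query}"


def verify_file_url(url, now):
    """Accept only an untampered URL whose expiry has not passed."""
    parsed = urlparse(url)
    file_key = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(sig, _signature(file_key, expires)):
        return False
    return int(now) < expires


def download_url_for(user, record, now, allowed_roles=("admin",), ttl_seconds=300):
    """Authorize with the record's restriction mode, then mint a short-lived URL."""
    if not may_access_file(user, record, record["restriction"], allowed_roles):
        return None
    return sign_file_url("https://files.example.test", record["file_key"], ttl_seconds, now)


if __name__ == "__main__":
    rec = {"file_key": "uploads/2024/report.pdf", "owner_id": "u1", "restriction": "field"}
    print(download_url_for({"id": "u1", "roles": ["customer"]}, rec, 1_700_000_000))
```

Because the authorization decision is made when the link is minted, anyone who later obtains the link can use it until it expires; that is why the TTL is short and why access logging matters even for authorized downloads.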
File Access Logging
Track all secure file access attempts with detailed logs including:
- User who accessed the file
- IP address and geolocation
- Browser and device information
- Timestamp
- File name and size
Learn more about File Security & Logging →
Logging & Auditing
Tadabase provides comprehensive logging capabilities to track all activities within your application for security, compliance, and troubleshooting purposes.
Available Logs
User Activity Logs
- Login Logs - Track successful logins with full metadata
- Failed Login Logs - Monitor authentication failures and potential attacks
- Active Sessions - View and manage all active user sessions
- Magic Link Logs - Track magic link generation and usage
Data Activity Logs
- Record Change Logs - Track all modifications to records with before/after values
- Record Delete Logs - Track all deleted records with full data backup
- Batch Operation Logs - Track bulk operations on multiple records
Learn more about Record History →
System Activity Logs
- Page View Logs - Track all page views with user and metadata
- Email Logs - Track all outgoing emails
- Webhook Logs - Monitor outgoing webhook executions
- Task Logs - Track scheduled and on-demand task executions
- Backup & Restore Logs - Track all backup and restore operations
- File Upload Logs - Track all file uploads
- Secure File Access Logs - Track secure file downloads
Log Retention
By default, logs are retained for 7 days. You can extend log retention with add-ons ($39/month per additional month of retention).
App-Side Logs (Pro Feature)
Display logs directly within your application with filtering and search capabilities. Users can view their own activity history for transparency.
Learn more about App-Side Logs →
View All Logging Documentation →
Sharing & Collaboration
App Sharing
- Data Table Access - Control who can modify data tables
- Pages Access - Control who can modify pages and layouts
- Settings Access - Control who can change app settings
Support Sharing
Grant temporary access to Tadabase support staff for troubleshooting:
- Control duration of support access
- Limit access to specific areas
- Track support activity with logs
- Revoke access at any time
Minimum Necessary Access
Follow the principle of least privilege - only grant the minimum access necessary for users to perform their tasks.
Compliance & Best Practices
HIPAA Compliance
For customers who need to handle Protected Health Information (PHI), Tadabase offers HIPAA-eligible features:
Required HIPAA Features
- Encrypted Communication - All data transmission uses TLS/SSL encryption
- Record Logging - Comprehensive audit trails for all data access and modifications
- Delete Logging - Track all deletions with full data backup
- Secure File Storage - Private buckets with access controls
- Secure Layouts, Pages, and Rows - Multi-level access control
- App Auto Logout - Automatic session timeout
- Login Logs - Track all authentication events
- Password Complexity - Enforce strong passwords
- Support Tickets - Controlled support access with logging
Recommended HIPAA Practices
- HIPAA Training - Ensure all users are trained on PHI handling
- IP Whitelisting - Restrict access to known locations
- Review Sessions - Regularly monitor active sessions
- API Key Management - Name and rotate API keys regularly
- Page Version Comments - Require comments for all page changes
- Review Shared Access - Regularly audit who has builder access
- Review Change Logs - Monitor all builder and data changes
- Verify Backups - Ensure automated backups are working properly
- Limit Batch Operations - Minimize risk of accidental bulk changes
HIPAA Account Designation
Customers seeking HIPAA compliance need to:
- Acquire a HIPAA Add-On subscription
- Enter into a Business Associate Agreement (BAA) with Tadabase
- Designate specific apps as HIPAA-eligible
- Implement all required security features
- Follow recommended best practices
Note: HIPAA-designated apps automatically log out builder users after 15 minutes of inactivity for enhanced security.
For detailed HIPAA compliance guidance, contact your Tadabase Account Representative or book a consultation.
General Security Best Practices
Authentication
- Enable Two-Factor Authentication (2FA) for all users, especially admins
- Use SSO for enterprise applications to centralize access control
- Enforce strong password policies with complexity requirements
- Implement password expiration for sensitive applications
- Track password history to prevent reuse
Access Control
- Follow the principle of least privilege - grant minimum necessary access
- Use role-based access control to organize permissions
- Implement row-level security for sensitive data
- Regularly review and audit user access
- Remove access for inactive users promptly
Monitoring & Auditing
- Enable comprehensive logging for security and compliance
- Regularly review login logs for suspicious activity
- Monitor failed login attempts for potential attacks
- Track data changes with record logs
- Review builder activity logs for unauthorized changes
- Extend log retention for compliance requirements
Application Security
- Use IP whitelisting during development to restrict access
- Implement auto logout to protect idle sessions
- Use read-only mode during maintenance windows
- Regularly backup your application data
- Test restore procedures to ensure backups work
- Use SSL certificates for custom domains
File Security
- Use secure file storage for sensitive documents
- Implement file access restrictions based on roles
- Track file access with secure file logs
- Regularly review file permissions
Builder Security
- Enable platform login email notifications
- Use page versions to track and revert changes
- Require comments for page version changes
- Limit builder access to necessary team members
- Review builder activity logs regularly
- Control support access duration and permissions
Security Checklist for New Apps
Before deploying your application to production, review this security checklist:
- ☐ Configure password complexity requirements
- ☐ Enable Two-Factor Authentication (2FA) for admins
- ☐ Set up auto logout with appropriate timeout
- ☐ Configure IP restrictions if needed
- ☐ Implement role-based access control
- ☐ Set up row-level security for sensitive data
- ☐ Enable record change logging
- ☐ Enable delete logging
- ☐ Configure user login tracking
- ☐ Set up secure file storage and access restrictions
- ☐ Review and configure page security
- ☐ Test all authentication flows
- ☐ Set up automated backups
- ☐ Test backup restore procedure
- ☐ Review shared access permissions
- ☐ Enable platform login notifications
- ☐ Configure SSL certificate for custom domain
- ☐ Review and enable necessary logging
- ☐ Document security configuration
- ☐ Train users on security practices
Additional Resources
Documentation Sections
- Login & SSO - All authentication methods and user management
- Logging & Audits - Comprehensive logging documentation
- Academy: User Management & Security - Security tutorials and guides
- Manual: Security & Reliability - Technical security reference
External Resources
- Tadabase Platform Security - Learn about our infrastructure security
- HIPAA-Compliant Solutions - Healthcare application solutions
- Free Consultation - Schedule a call to discuss your security needs
Summary
Tadabase provides enterprise-grade security features that give you complete control over your application's security posture. From platform-level security protecting the builder, to granular row-level security controlling individual records, you have all the tools needed to build secure applications that meet even the strictest compliance requirements.
Remember: Security is a shared responsibility. While Tadabase provides the platform and tools, it's essential that you configure and use these features appropriately for your specific security requirements.
If you have questions about security features or need guidance on implementing security for your specific use case, please contact our team.