Asking whether Bubble.io is secure is a natural first step when you decide on a no-code platform for your project. This article goes in-depth on the topic of security from different angles to help you determine whether Bubble.io is the right framework for you. For a more general approach to Bubble, you may also want to check out our in-depth Bubble.io review. For more than 300 pages of Bubble security best practices, you may also be interested in our book The Ultimate Guide to Bubble Security.
Before we dig into the good stuff, keep in mind that this article takes the perspective of building apps 100% in Bubble. There are many ways to implement third-party solutions that can increase or decrease your app’s security (such as using external databases or data processors): this guide assumes you’re using Bubble as it is out of the box.
What is Bubble.io security?
Let’s first discuss briefly what exactly security is. You may have found this Bubble security guide with a specific question in mind, but to be able to provide a good answer to any question about this, we need to agree on one premise: security is a lot of things. Think about it:
- There’s compliance, which determines how your app is legally bound to be designed according to regional and sectoral laws and regulations (such as GDPR and CCPA)
- There’s privacy, meaning the expectations that your Users have for your app to keep their data private
- There’s security from a technical perspective, meaning how well Bubble is set up to take care of the first two points
We’ll mainly look at the first and the third point in this article. That doesn’t mean privacy isn’t important or unrelated to the other two: it means that what we’re exploring in this article is how well Bubble is suited to technically maintain the level of security that allows your app to be both compliant and privacy-focused. Speaking of compliant – let’s begin there.
What is data compliance?
What exactly does compliance mean? In the context of web application security we are talking about laws and regulations that dictate how your app needs to manage private User data to avoid legal ramifications such as fines. These regulations are set up to give consumers a higher degree of control over the data they upload to the internet and attempt to rein in the historically wildly unregulated world of private data being sold, analysed and lost more or less without scrutiny.
The General Data Protection Regulation (GDPR) introduced by the European Union in 2016 is perhaps the most famous one and laid the groundwork for a lot of similar regulations to be suggested and implemented all over the world. GDPR works well as a case study of data regulation, as it introduced a few key principles that were controversial at the time but make very good sense from the perspective of privacy advocates:
- It moved the focus from the company to the User: meaning that GDPR laws apply to any kind of software platform, no matter where they are geographically and jurisdictionally located, as long as the user accesses it from the European Union. In other words, a regional set of laws introduced in Europe affected companies globally.
- The EU can impose fines of up to 20 million Euros or 4% of global turnover for the preceding financial year. To illustrate just how astronomical that small percentage point can potentially be, Amazon was fined 746 million Euros for failing to adhere to GDPR’s regulations on cookie consent. The EU are not kidding around – you can read more about the biggest GDPR fines given so far in this article.
- It forces every software company to disclose and verify that both the Data Controller and all its Data Processors and Sub-Processors are also compliant with GDPR. We’ll look at this more closely in the section below.
As you can see, GDPR has taken drastic measures to move the control of private data away from the company and over to the user, and they are willing to impose serious consequences for companies that don’t adhere to the regulations.
The Data Controller, the Data Processor and the Data Sub-Processor
Ok, so running a software business with users covered by the GDPR means your company and all its software needs to be compliant with those regulations. But a question then quickly emerges: what about the services that my company uses? Services like… Bubble? Indeed, since you are relying on data being stored and processed by one or more third parties, for GDPR to have any value at all you need to know that they are also compliant. Luckily for you as a Bubble developer, most of the bigger providers (including Bubble) have been GDPR compliant for a long time.
But… what about the services that they use, you may ask, imagining a never-ending staircase of legal checks that you have to do. Keep in mind that for one of them to be compliant, they need to know that their own Data Processors are compliant: you only ever need to verify the step directly connected to you.
So let’s now talk a little bit more about these different levels, as it’s closely related to whether Bubble.io is GDPR compliant.
The Data Controller
The Data Controller is the service that the User signed up for. When you sign up for Facebook, Facebook is the data controller, and when you as a developer sign up for Bubble, Bubble is the data controller. However, when a User visits or signs up to your app, you are the Controller and Bubble is a Data Processor.
The Data Processor
The Data Processor is any third-party service that the Data Controller uses to process personal data. As mentioned above, Bubble is a Data Processor to your app, and so are services like Mixpanel or Google Analytics.
The Data Sub-Processor
As the name suggests, the Sub-Processor is any service used by a Data Processor to process personal data, including any analytics solutions they use to understand their business. For Bubble developers, Amazon AWS is also a Sub-Processor.
Is my Bubble app GDPR compliant?
So for the million-dollar question: is my Bubble app compliant with GDPR? The reason this question is important to ask (even if your app is targeted towards non-EU users and falls under different regulations than GDPR) is that answering it requires an understanding of the three data management levels we discussed above: as you can see, yes, Bubble is compliant with GDPR, but that doesn’t automatically mean that your app is. Bubble has made sure that their platform is legally and technically operating within the regulations of GDPR, but your app is a standalone product, a Data Controller that in itself needs to be designed and documented in a compliant way. Bubble is simply one of the Data Processors that you happen to use, and even if the entire app operates on their platform, that doesn’t guarantee your own compliance: there are plenty of ways you can set up your app to be in breach of regulation, whether it’s GDPR, CCPA or something else.
The reason we’re going on about compliance is that it highlights an important point: Bubble gives you the tools to build secure, compliant apps, but it doesn’t enforce them. You are free to set up your app more or less as insecure and questionably private as you feel like or are able to, so it’s important to understand that while Bubble gives you a revolutionarily easy-to-use no-code toolbox, you are still a developer and responsible for keeping your app built in a secure way.
How secure is Bubble?
Let’s circle back to our original question then, and ask ourselves: how secure is Bubble? The very short answer is: pretty secure. Bubble is built on top of Amazon Web Services (itself certified with SOC 2, CSA, ISO 27001, and more) and together Bubble and Amazon take care of an enormous list of security concerns that you never need to worry about:
- Keeping server parks secure from break-ins, power outages, fires, natural disasters and other physical threats
- Updating and patching software with the newest security updates
- Performing ongoing vulnerability testing (including the OWASP Top 10)
- Continually saving point-in-time backups of your app and its database
- Maintaining AWS RDS’s AES-256 encryption while data is at rest
- Protecting database data with server-side Privacy Rules
It’s on par with any SaaS provider or social media platform, meaning that an app built in the right way can be expected to keep User data as secure as can be expected in today’s online software landscape. Does that mean it’s as secure as your bank? Or as an end-to-end encrypted messaging platform like Signal? Most likely not: and it’s not supposed to be.
To truly be able to answer the question whether Bubble is secure, you first need to specify your requirements and expectations. Bubble is built to offer tools that can safely deliver security to regular internet users and small/medium companies, but the more particular you are about certain specific security details, the more you increase the chance of Bubble not being able to offer a solution to that particular corner case. To explain what I mean by that, let’s look at a few examples:
Platforms managing financial data
If you’re building the next stock trading platform or online bank, you are moving into territory that requires a high level of security both from the perspective of your users and legally. You may be subject to strict regulations, and it’s not a given that Bubble is compliant with these. The same goes for…
Platforms managing health data
Health and medical data is considered highly private in most regions, and again we are talking about applications that are both legally and ethically bound to offer higher-than-average security. As is the case with finance apps, you’ll need to take into consideration that Bubble may not be built for this in its current iteration.
End-to-end encrypted messaging platforms
Apps like Signal offer end-to-end encryption, meaning that not even Signal can access the data. Again we are not talking about regular messaging but a corner case where particular care has gone into keeping the conversations private and secure. Bubble does not (and is not likely planning to) match that level of security.
Enterprise-level business requirements
Many bigger companies have implemented strict security protocols that dictate how data is stored and processed, where it’s geographically located, how you sign in as a user and hundreds if not thousands of other highly specific points that your app must strictly adhere to for them even to consider you as a service provider. Not only is there no guarantee that Bubble can offer the specific security features they require, there’s also a chance that the flexibility needed to offer your service to multiple enterprise clients with differing needs will be hard to implement. That’s not to say that Bubble can’t handle enterprise-level software: only that planning and research are key to avoid wasting months moving in the wrong direction. There’s not much use in building a revolutionary piece of software for Walmart or JPMorgan Chase if their internal compliance regulations throw you right out of the door before the meeting even gets started.
While these highly specific examples may not apply to you directly, we’ve included them to highlight the point that Bubble’s security tools serve a general landscape of applications – highly particular needs may mean you need to look elsewhere, and you can save yourself a lot of headaches by making that decision early on instead of finding out later.
How do I find out if Bubble is secure enough for my project?
Ok, so you may not be building a bank or health insurance database but still have particular security needs. How should you approach the question of whether Bubble is secure enough for your project?
Ask first, build later
First off: don’t rush into the editor and start building your app before you know if Bubble is the right platform. I’ve seen projects sometimes weeks or months into development where its founders have failed to do the proper research before starting out, only to realise that Bubble doesn’t support their needs. Take the time to do the research, and not only for security. Find out if Bubble is the right tool for you before you build.
Start with compliance
The first thing you should check is what kind of regulations apply to your project. Regulations are typically applied based on two criteria:
- The sector in which your app operates: like our previous examples of the financial and medical sectors
- The region in which you operate and your users are: where on planet earth (or elsewhere if you’re Elon Musk) are you located, and where are your users accessing your app from?
Asking these two questions can help you determine what kind of regulations (keep in mind there may be several) your project falls under. As an example, Bubble is not compliant with the Health Insurance Portability and Accountability Act (HIPAA) at the time of writing this: knowing this before you decide to invest makes obvious sense. Getting some legal counsel to help with this can be a good idea if you’re unsure.
Get in touch with Bubble support
For many questions I direct users towards the Bubble forum or Twitter: they’re both fast ways to get a quick response. In this case, getting in touch with Bubble’s support channels is the best way to go. Prepare the questions that you want to ask in-depth: what kind of app you’re building, where you are operating, what kind of regulations apply to your project. The more information you can provide, the more helpful Bubble will be. Unlike Twitter and forum posts, they can also provide highly specific technical data as well as plans for future features and compliance that may apply.
Take into account that Bubble is a young company
Let’s be clear about one thing in case you were wondering: Bubble is a lock-in platform and is likely to remain one for the foreseeable future. While it has proven to be a major player, if not the player in the no-code market, it’s still a young company that will go through changes in strategy, pricing, positioning, management and ownership over the coming years and decades. Historically, Bubble have a great track record of taking user feedback and concerns extremely seriously: they’ve signalled on many occasions that they are in it for the long run and have received financial backing to keep developing their product and growing their company and user base. As a Bubble user for many years, I’ve seen them cross successfully from being a startup to a more mature, but still young company. While there’s nothing to suggest now that Bubble won’t continue their trajectory towards becoming one of the internet’s biggest service providers, it makes no sense to tiptoe around the fact that you will be basing your project on a privately owned lock-in service over which you have no control technically, financially or strategically.
I’ve built my business around Bubble: you can take that as a pretty strong hint about what my thoughts are for the future. But as far as business risk management is concerned, going with Bubble is a balance between efficiency and autonomy: you’ll be able to build apps faster and on a drastically lower budget, but you’re also locking yourself in with a third party and there’s no easy way to export your Bubble app or move out of that ecosystem once you’ve started building.
Will I be able to build a secure app with Bubble.io?
This is a question that takes a bit of personal reflection: how experienced are you with Bubble or web development in general? While Bubble does make app building a whole lot faster and easier and basically anyone can pick it up fairly quickly, setting up apps to be secure at the level expected by a professional service is not as easy as many think.
Bubble have done a lot to improve their documentation and onboarding videos over the last couple of years and will likely continue to do so. Still, it’s a concerning fact that best practices regarding security are not as well established as the hundreds of thousands of apps already created should warrant: in our work coaching Bubble clients and hosting Bubble bootcamps it often becomes apparent that even fairly experienced developers and agencies are blissfully unaware that their apps have significant security holes. This can hardly be blamed on Bubble as a platform: the tools are there, but it’s up to the developer to use them properly. Bubble naturally attracts an audience with limited tech experience, and setting up secure web applications is no trifling matter no matter what framework you use.
Our book The Ultimate Guide to Bubble Security is our attempt to establish and spread good development habits and help new developers understand how their decisions affect the security of their app.
To end the article, let’s repeat our short answer from earlier: yes, Bubble is a secure platform that offers tools that can rival many of the web’s most popular online services. For most projects, you need not worry about security as long as your app is built right.
If your app falls under specific regulations or has highly specific security requirements, you should not take for granted that Bubble supports these out of the box: do your research and determine whether Bubble is the right tool for you by exploring regulations, customer expectations and technical requirements before you build anything. Get in touch with Bubble and provide them with all relevant details so they can give you a recommendation.
Lastly: the biggest security threat to your app is not Bubble, but your work as a developer. Setting up a highly secure application can be done with the right experience and testing, but it’s also very easy to circumvent Bubble’s built-in security tools and expose data and workflows unintentionally. Approach your building with a sensible level of humility and appreciate the fact that it’s hard to know what you don’t know: security is a complex field no matter what development framework you use.
- The Ultimate Guide to Bubble Security: 300 pages on building secure, privacy-focused Bubble applications
- Bubble security: Bubble’s own page for security
- Understanding the OWASP Top 10: how Bubble and others use this continually updated list for vulnerability testing
- Tinkso Security Test: renowned Bubble agency Tinkso offers a free automated security test that can reveal a lot of typical vulnerabilities in your app
If you have questions or think we’re missing something, let us know in the comments below.