I did hear back from Emmanuel on this:
Hello,
We take security very seriously (our largest client deals with personal financial information, so we have to be careful with this). The most important thing you can do security-wise is define some rules on who can see which information. This is an advanced feature, but you can do this in the Data Tab → Privacy. These rules are checked server-side for higher security.
Generally speaking, Bubble is hosted on AWS West Region (Oregon, US) which maintains a state-of-the-art security infrastructure. We encrypt all traffic to bubble.is over https, and encourage and support our clients to use encryption on their own domains. All user passwords are stored salted + encrypted in our database; other user data is encrypted at rest (we’re on AWS RDS).
You can add an SSL connection to your own domain under the Professional Plan.
For bigger clients, our dedicated plans offer the ability to be on their own cluster, which leads to more reliable performance as it’s not shared with other people. That is also more secure as the servers only have a few apps.
Everything that touches data is logged, which enables auditing if needed.
Lastly, regarding external audits, we haven’t invested in these certifications yet (they are quite expensive), and you wouldn’t have that either if you were working with a PHP Developer.
Best,
–
Emmanuel Straschnov
Bubble
support@bubble.is
Everything here seems very reasonable and is what I expected. On this note:
The most important thing you can do security-wise is define some rules on who can see which information. This is an advanced feature, but you can do this in the Data Tab → Privacy. These rules are checked server-side for higher security.
I do wish there was more information and detailed examples available to me as a developer on the topic of the Privacy tab. For how crucial this one aspect is, I don’t see many people discussing it or sharing how they’ve implemented security in this manner. I understand it’s partly my role as developer to ensure the privacy of my app data, but I don’t even know where to start once the data becomes more complicated in structure.
Does anyone know if CoBubble looks into these sorts of things in sessions?
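To make the "rules on who can see which information, checked server-side" idea from the email concrete, here is an added Python sketch of a server-side, field-level visibility check of the kind the Privacy tab is describing. It is example code written for this page, not Bubble's engine or anything from the original post: the User/Record/PrivacyRule classes, the role names, the sample records, and the additive deny-by-default rule semantics are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed example: a tiny server-side "privacy rule" engine.
# Not Bubble's implementation; names and rule semantics are assumptions.


@dataclass(frozen=True)
class User:
    id: str
    role: str  # assumed roles: "admin" or "member"


@dataclass(frozen=True)
class Record:
    type: str    # data type name, e.g. "Invoice"
    fields: dict  # field name -> value; "created_by" holds the owner's user id


@dataclass(frozen=True)
class PrivacyRule:
    type: str
    # Receives the requesting user (None when not logged in) and the record.
    condition: Callable[[Optional[User], Record], bool]
    # Fields this rule grants. Rules are additive: a field is visible if any
    # matching rule grants it, and a record with no matching rule is invisible.
    grants: frozenset


def is_owner(user, record):
    return user is not None and record.fields.get("created_by") == user.id


def is_admin(user, record):
    return user is not None and user.role == "admin"


def everyone(user, record):
    return True


ALL_INVOICE_FIELDS = frozenset({"created_by", "amount", "customer_email"})
RULES = [
    PrivacyRule("Invoice", is_owner, ALL_INVOICE_FIELDS),
    PrivacyRule("Invoice", is_admin, ALL_INVOICE_FIELDS),
    PrivacyRule("Post", everyone, frozenset({"title", "body"})),
    PrivacyRule("Post", is_owner, frozenset({"title", "body", "draft_notes"})),
]


def visible_fields(user, record, rules=RULES) -> frozenset:
    """Union of the fields granted by every rule whose condition holds."""
    granted = frozenset()
    for rule in rules:
        if rule.type == record.type and rule.condition(user, record):
            granted |= rule.grants
    return granted


def project(user, record, rules=RULES) -> Optional[dict]:
    """Return the record as this user may see it, or None if not findable."""
    granted = visible_fields(user, record, rules)
    if not granted:
        return None
    return {k: v for k, v in record.fields.items() if k in granted}


def search(user, records, type_name, requested_fields=None, rules=RULES) -> list:
    """Server-side search: rules are applied before anything leaves the server.

    requested_fields simulates a client asking for specific columns. A field the
    rules do not grant is simply omitted, so a tampered client gains nothing by
    asking for it.
    """
    results = []
    for rec in records:
        if rec.type != type_name:
            continue
        view = project(user, rec, rules)
        if view is None:
            continue
        if requested_fields is not None:
            view = {k: v for k, v in view.items() if k in requested_fields}
        results.append(view)
    return results


# Constructed sample users and records.
ALICE = User("u1", "member")
BOB = User("u2", "member")
ADMIN = User("u9", "admin")
DB = [
    Record("Invoice", {"created_by": "u1", "amount": 120, "customer_email": "a@example.com"}),
    Record("Invoice", {"created_by": "u2", "amount": 75, "customer_email": "b@example.com"}),
    Record("Post", {"created_by": "u1", "title": "Hello", "body": "...", "draft_notes": "todo"}),
]

if __name__ == "__main__":
    print("anonymous invoices:", search(None, DB, "Invoice"))
    print("bob's invoices:", search(BOB, DB, "Invoice"))
    print("admin invoices:", search(ADMIN, DB, "Invoice"))
    print("anonymous posts:", search(None, DB, "Post"))
    print("bob asks for draft_notes:", search(BOB, DB, "Post", {"draft_notes"}))
```

The two properties worth copying from this sketch when setting up rules for a real app are that the filtering happens inside `search`, on the server, so a client that edits the page or calls the data API directly still receives only the granted fields, and that in this sketch nothing is granted by default, so a new data type with no rule is invisible until a rule is written for it. Whether the platform you use starts from "everyone sees everything" or from "nobody sees anything" is the first thing to check, because it decides what forgetting a rule costs you.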