Hi all,
Further to the thread on Bubble’s GDPR compliance, I am wondering how we, bubblers, can go about formulating and proving the GDPR compliance of our own apps to clients.
I approached Bubble’s support team about this, and quite understandably they can’t provide specific, contextual advice on what we should say or how we should say it. It would require analyzing in great detail what each and every app does, which clearly is not possible at the scale Bubble has reached. I guess there is also the issue that it would constitute legal counseling, which is not Bubble’s scope (obviously).
This being said, I’m assuming that some Bubblers have by now already had to engage in this kind of discussion, especially with their Enterprise clients, and I was hoping that someone would be willing to share insights and point the rest of us in the right direction (even if, of course, we should all eventually seek legal advice from a professional in order to get recommendations truly tailored to our own apps).
If this can already be of some help, Bubble’s support team shared the following resources in response to my inquiry:
You can find a specific overview of the Privacy Shield Framework here: Fact Sheet: Overview of the EU-U.S. Privacy Shield Framework | Department of Commerce
You can find our Privacy Shield certificate here: Privacy Shield
The certification outlines two sets of commitments Bubble has made:
- The transfer of our Direct Users’ personal data (customers with a Bubble account, like you) from the EU + Switzerland to the US, where Bubble operates. In this relationship, we are the Data Controller.
- The transfer of our End Users’ personal data (our customers’ users – visitors to sites built on Bubble) to the US, where we process it only as directed by our Direct Users in their capacity as Data Controller. In this relationship, you are the Data Controller and we are the Data Processor.
Our Shield Certification covers the transfer to the US because this is where we operate and process data. You can learn more about that by reading the “purpose of data collection” section on the Certificate, as well as our Privacy Policy.
We will report any breaches in accordance with GDPR’s Article 33.
Plugins or API Connections that write data to their own servers or to external servers would have their own requisites.