We are building an application on Bubble that may require us to store our user’s passwords from another service.
This leads us to ask if the Bubble data is encrypted. We suspect it is not as a rule, and we’re ok with that. We’re considering encrypting the required information (remote service username and password) prior to saving it to Bubble and right after retrieving it from Bubble.
I suspect we can achieve the encryption/decryption through a remote API.
Before we do this work I just wanted to check if the database data being stored by Bubble is encrypted. Also, if it’s not encrypted would it be possible to have Bubble add this feature on a Field by Field basis (i.e. adding a Field Type called “Encrypted Password”) that could protect this data in the event that the Bubble database was ever exposed.
Bubble is hosted on AWS which maintains a state-of-the-art security infrastructure. We encrypt all traffic to bubble.is over https, and encourage and support our clients to use encryption on their own domains. All user passwords are stored salted + encrypted in our database; other user data is not encrypted at rest, but we plan to change this in the next two months as part of a migration from a NoSQL database (elasticsearch) to a SQL database (postgres).
@emmanuel, does this mean that all data will be encrypted at rest when you make the switch to the new database? Or will this be a feature only available to certain paid Bubble tiers? We’re looking at working with folks in industries like healthcare (non-HIPAA, but still healthcare) and financial services - Bubble could be really helpful for them and part of their hesitation to use Bubble right now is around data security.
We can’t commit to this right now, we’ll see. What’s likely is that it will be on the Dedicated Plan first, and then maybe we’ll make it an option on lower plans, we’ll see.
Thank you. I’m curious where the Bubble encryption keys are stored and whether there are separate keys for each developer account. The reason that I ask is that we are planning to develop a healthcare-related app and it must comply with HIPAA security standards.
I know achieving certified HIPAA compliance at the platform level would be a massive dev initiative for Bubble, @emmanuel.
However, I’d also guess with enough interest, this could be productized at quite a premium, given that
It’s table stakes for anyone developing a health care app (demand)
No players in the Visual Programming space offer the option (differentiation)
Clients looking for custom-built apps in the health market typically expect/tolerate a much higher price point. (viability)
I’m thinking you may find Bubblers willing to pay handsomely for a platinum “Dedicated Hosting + HIPAA” tier at $1K+ per month if they truly have an oppty to develop for this space…might be worth a little market research via user survey. Loss leader for a while, but game changer in terms of moving the needle on ARR & LTV when exit time looms.
Bottom line, is it worth trying to mobilize a Sponsored Feature campaign, or does this fall in the “you can’t pay me enough to go near that” category, at least for now?
Are any fields indexed? Do users have the ability to index fields that will be searched on? Did the new database give you more capability in this regard?