
Bubble is not inherently compliant with GDPR (confirmed by customer support)

Hey all,

As some of you might be aware, since the Schrems II regulation was confirmed, Privacy Shield as a transfer mechanism is no longer compliant. Since then we got standard contractual clauses, however these are not adequate for EU to US data transfers, due to FISA 702. So right now, if you’re collecting European user data and are not using a dedicated European instance, your Bubble instance is not compliant with GDPR, so neither is your business provided you keep the European customer data there.

I asked customer support about this and they have confirmed it. The only solution is:

  • Pay several thousands a month for a dedicated instance.
  • Hopefully wait for a new EU to US data transfer agreement like Privacy Shield.

I’m a bit disappointed because I can’t launch my product now and cannot afford a dedicated instance. So I’ll just need to use it for validation purposes. If anyone has any suggestions of alternatives, please let me know.

Thanks!


3 Likes

Hey Darius,

Wanna chat about alternative solutions?! Code/no code. It’s your choice!

Let’s chat!!

We are not a legal firm, but have engaged clients’ legal firms on this matter, and as there are standard contractual clauses within Bubble’s agreement, this would suffice for implementation of GDPR in their applications while using shared infrastructure.

The legal firms engaged have stipulated and reviewed these Bubble clauses and thus recommended their clients to engage / continue with Bubble re European data.

Note further for reference:

In addition, like your screenshot, Bubble is not inherently GDPR European compliant, as there are additional steps a Bubble developer would have to implement, i.e. privacy rules, data retention, deletion of user personal data. These can be implemented in a programmable way, thus you can make your application compliant with the current tools on shared infrastructure.

1 Like

SCCs are fine for third party country transfers, but it doesn’t do well with the US due to FISA 702 if you’re using a US hosted instance vs EU hosted. The privacy rules interpretation is completely different because those are mechanisms you should be applying as the CONTROLLER of the data, where Bubble would be the processor in this scenario.

What you’ve been informed on is incorrect.

Maybe, as stated before we are not legal, but our clients have had legal reviews on this matter and it seems to satisfy these solicitors in these jurisdictions. As we understand it, SCCs are currently compliant from their point of view. EU hosted though would be the preference if the cost justified the implementation.

But also this is a good subject to discuss, as we all would like Bubble to be compliant as much as possible.

From a quick search online, you may be on to something:

1 Like

Oh yes, if you’re referring to solicitors who have reviewed the SCCs on the basis that it’s hosted within a third party country that’s not the US, then of course it’s fine.

I think the main issue is that you need to pay a lot for a dedicated instance in order to use Bubble.io to collect EU personal data. This is a very frustrating situation that doesn’t fall on Bubble.io at all; it is a result of snap regulation implementation and lack of US privacy law. It’s a pain, it’ll be fixed eventually.

2 Likes

Hey all,

We have absolutely the same situation. :frowning:
A dedicated plan costs more than smaller companies are able to pay (nearly ten times as much as a production plan) and if that cannot be changed, it’s probably not a viable option for these companies.
We had put a lot of work into the Bubble implementation by the time this turned out. :frowning:
As a result, we are now facing a relatively impossible situation.

I don’t think that can be a goal for Bubble either, I look forward to the news about this…

It’s likely a cross-border transfer mechanism like Privacy Shield will be agreed by the US and EU in the coming months. EU-US data transfers deal could be finalized by end of year, says bloc – TechCrunch

You could always offload all of your data to xano. Have you considered using a different backend and using bubble as your frontend app builder?

1 Like

Thank you @jared.gibb , I liked the idea (Xano) but unfortunately, I am not sure that Bubble will become GDPR compliant from that change.

I usually see 3 options to solve this issue, but there are blockers in any of them:

  1. Do not store personal data outside of the EU in Bubble
     • Even if we save data in a custom database somewhere in the EU, can we say that Bubble will not store any data that does not belong there? (like in logs, backups, history or so…)
       We have a bad experience because for example if you use an API connector the response is stored in the file manager even if you do not want that… (and there is no solution for that as well) :frowning:
     • Could it be a problem if the backend still processes the personal data? (not fully obvious)
  2. Use a different backend like Xano
     • The question could be the same if we use it: can we say that Bubble will not store anything that we do not want in any way? (logs, backups, history…) I guess the Bubble backend will send it to the custom backend and not the browser itself, if you know what I mean.
  3. As far as I understood we can live with the Bubble database if we anonymize all the data before storing it.
     • I think it is more complex than the previous 2 together and could have performance issues as well. :blush:

Beyond that, the user is the first entity that should be offloaded, so I have bad feelings about this, because how would the complete Bubble admin side work if it does not have a user entity at all? (Or does it make sense to have the user with a simple unique id (coming from Bubble) and store the personal part in a different database connected to the same unique id as a foreign key?)

So questions, questions, questions and everything counts after months of work in it and there is no way out if we can’t find a solution.
If you have any idea about the answers I would like to thank you in advance…

5 Likes
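The split sketched at the end of the post above (an opaque user id in the shared backend, the personal fields in a separate EU-hosted store joined on that id) as an added example; this is not code from the thread or from Bubble. The two dictionaries are constructed stand-ins for the two databases, the pseudonym is generated locally rather than taken from Bubble’s unique id, and the audit function looks for the kind of leak the post describes (a stored API response that carries an email address).

```python
import re
import secrets

# Fields treated as personal data; anything else may live in the shared backend.
PERSONAL_FIELDS = {"email", "full_name", "phone"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed in-memory stand-ins for the two databases (hypothetical, not Bubble's API):
eu_pii_store = {}     # EU-hosted database: pseudonym -> personal fields only
shared_backend = {}   # shared, non-EU backend: pseudonym -> non-personal fields only


def split_and_store(record):
    """Store one user record in two halves linked only by a random pseudonym.

    The pseudonym carries no meaning on its own, so the shared half is not
    personal data unless someone can also read the EU store.
    """
    pseudonym = secrets.token_hex(16)
    eu_pii_store[pseudonym] = {k: v for k, v in record.items() if k in PERSONAL_FIELDS}
    shared_backend[pseudonym] = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
    return pseudonym


def rehydrate(pseudonym):
    """Re-identify a record; only code with access to the EU store can do this."""
    return {**shared_backend[pseudonym], **eu_pii_store.get(pseudonym, {})}


def erase(pseudonym):
    """Erasure request: drop the EU half; the shared half is left anonymous."""
    eu_pii_store.pop(pseudonym, None)


def audit_shared_backend():
    """List (pseudonym, field) pairs where personal data leaked into the shared side,
    either by field name or because a stored string looks like an email address."""
    leaks = []
    for pseudonym, row in shared_backend.items():
        for field, value in row.items():
            if field in PERSONAL_FIELDS or (isinstance(value, str) and EMAIL_RE.search(value)):
                leaks.append((pseudonym, field))
    return leaks


# Constructed sample record.
SAMPLE_USER = {"email": "anna@example.eu", "full_name": "Anna Example",
               "plan": "pro", "signup_source": "newsletter"}
```

Run `audit_shared_backend()` periodically against whatever ends up in the shared side (including logs or stored API responses) to catch personal data that slipped past the split.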

Hi @zsoldoszsolt_beam ,

I’m currently facing the exact same issue. The development of my application is basically finished, but now I struggle with these legal issues.

Did you find a solution that works for you and doesn’t cost several thousand euros?

Cheers,
Philipp

Unfortunately NOT :frowning: , I guess the only viable solution is to move all your sensitive data to an external database.
However, I think this solution limits and overcomplicates several things in Bubble, but there is no other option currently. :frowning:

Hello,

You should check this topic here

I had the same questions and contacted customer support to ask them if there is a solution, and they confirmed that Bubble has now officially self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Also, they implemented Standard Contractual Clauses as the legal mechanism for transferring data out of the EU.

2 Likes

Hey, I am looking to launch an app this month. I had previously read that it was compliant, but after reading this and seeing the emails from Bubble it sounds like there is no way other than the ones @zsoldoszsolt_beam has listed.

Is anyone in the UK/EU not on a dedicated plan or using an external database achieving compliance?

Or can bubble support please be more clear?

Bubble’s EU based dedicated instance is (by my knowledge) not inherently GDPR compliant. Unless Bubble installs a completely separate cluster, data is still being transferred to the US. A separate cluster would be completely shut off and hard to maintain as Bubble would not be able to access it directly.

Bubble has installed a European Data Processing Addendum using Standard Contractual Clauses to substitute the defunct Privacy Shield. This should set a legal basis for GDPR compliance when using Bubble and engaging with EU user data. Bubble GDPR Intro Guide - Bubble Blog

However, it’s important to note the purpose of GDPR. It is about keeping your users’ data out of the hands of parties that should not have access. It would be too easy to simply hide behind a bunch of fancy words hoping bigger powers keep you out of harm’s way…

Yes, to a point this is handled through Bubble’s DPA but as with many third party services you use (from transactional email to analytics etc.), you rely on those services to handle your data with care.

You can and should do a lot yourself in order to keep your users’ data safe as there are many ways this data can be exposed unprotected. Using our app checker is a good first step in understanding what is exposed externally: https://check.tinkso.com

1 Like

We are currently talking with Bubble about a move to dedicated and this definitely isn’t the impression that we have been left with, which is concerning.

Would you mind saying a bit more about what you mean by “…data is still being transferred to the US”?

1 Like

A dedicated EU instance doesn’t mean it is not accessible from the US. Bubble’s employees have access from the US. There are subprocessors in place that have access to users’ data (like Sendgrid by default) and, if I understand correctly, data still passes to the main Bubble box for processing (like user authentication).

I was recommended the book, GDPR for Dummies and it’s been quite enlightening. Bubble is a data processor and will supply you with a signed agreement if you request it. I’m attempting to get the same from Twilio and Microsoft. That said, you as a data controller, have the responsibility to have a number of things in place to be compliant, that have nothing to do with Bubble. Since fines have gone up, I think the book is a good investment. We are also trying to get SOC 2 compliance as well.

3 Likes

Bubble is also a data controller. You can get the signed DPA, but this is not more or less legal than the one they have on their website.

Also, if this is a business critical topic, I would get some real legal advice and not rely on a For Dummies book :stuck_out_tongue: . But it never hurts to read up on stuff!

Finally, being GDPR compliant means much much more than a signed DPA from Bubble. It means going through all data subprocessors to understand what they use from your users. It means making sure you have your own solid privacy policy in place and above anything else: it means you have to take data security and privacy very seriously for your own app.

This is where the biggest issue lies in my opinion: there is too little knowledge on how your data is exposed to the public without Bubble users knowing.

1 Like

VPNs are available.

This x1000000. Nothing, literally (and figuratively) is ‘GDPR compliant’ out-of-the-box.

Well, it is probably compliant until the first human gets their hands on it.

2 Likes