Forum Academy Marketplace Showcase Pricing Features

Bubble is not inherently compliant with GDPR (confirmed by customer support)

Hey all,

As some of you might be aware, since the Schrems II regulation was confirmed, privacy sheild as a transfer mechanism is no longer compliant. Since then we got standard contractual clauses, however these are not adequate for EU to US data transfers, due to FISA 702 . So right now, if you’re collecting European user data and are not using a dedicated European instance, your bubble instance is not compliant with gdpr, so neither is your business provided you keep the European customer data there.

I asked customer support about this and they have confirmed it. The only solution is:

  • Pay several thousands a month for a dedicated instance.
  • Hopefully wait for an new EU to US data transfer agreement like privacy shield.

I’m a bit disappointed because I can’t launch my product now and cannot afford a dedicated instance. So I’ll just need to use it for validation purposes. If anyone has any suggestions of alternatives, please let me know.

Thanks!


3 Likes

Hey Darius,

Wanna that about alternative solutions?! Code/no code. It’s your choice!

Let’s chat!!

We are not a legal firm, but have engaged client’s legal firms on this matter, and as there are standard contractual clauses within Bubble’s agreement, then this would be suffice for implementation of GDPR in their applications while using shared infrastructure.

The legal firms engaged has stipulated and reviewed these Bubble clauses and thus recommended their clients to engage / continue with Bubble re European data.

Note further for reference:

In addition, like your screenshot, Bubble are not inherently GDPR European compliant, as there is additional steps a Bubble Developer, would have to implement, i.e privacy rules, data retention, deletion of user personal data. These can be implemented in a programmable way, thus you can make your application compliant with the current tools on shared infrastructure.

SCC’s are fine for Third Party country transfers, but it doesn’t do well with US due to FISA 702 if you’re using a US hosted instance vs EU hosted. The privacy rules interpretation is completely different because those are mechanisms you should be applying as the CONTROLLER of the data, where bubble would be the processor in this scenario.

What you’ve been informed on is incorrect.

Maybe, as stated before we are not legal, but our client’s have had legal reviews on this matter and it seems to satisfy these solicitors in these jurisdictions - as we understand it ,SCC are currently compliant from their point of view. EU hosted though would be the preference if the cost justified the implementation.

But also this is a good subject to discuss, as we all would like Bubble to be compliant as much as possible.

From a quick search online, you may be on to something:

1 Like

Oh yes, if you’re referring to solicitors who have reviewed the SCC’s on the basis it’s hosted within a third party country that’s not the US, then of course it’s fine.

I think the main issue is that you need to pay a lot for a dedicated instance in order to use Bubble.io to collect EU personal data. This is a very frustrating situation that doesn’t fall on bubble.io at all, a result of snap regulation implementation and lack of US privacy law. It’s a pain, it’ll be fixed eventually.

1 Like

Hey all,

We have absolutely the same situation. :frowning:
A dedicated plan costs as much as smaller companies are unable to pay (nearly ten times as much as a production plan) and if that cannot be changed, it’s probably not a viable option for these companies.
We put a lot of work into the bubble implementation by the time it turned out. :frowning:
As a result, we are now facing a relatively impossible situation.

I don’t think that can be a goal for Bubble either, I look forward to the news about this…

It’s like a cross border transfer mechanism like privacy shield will be agreed by the US and EU in coming months. EU-US data transfers deal could be finalized by end of year, says bloc – TechCrunch

You could always offload all of your data to xano. Have you considered using a different backend and using bubble as your frontend app builder?

1 Like

Thank you @jared.gibb , I liked the idea (Xano) but unfortunately, I am not sure that Bubble will become GDPR compliant from that change.

I usually see 3 options to solve this issue, but there are blockers in any of them:

  1. Do not store personal data outside of EU in Bubble
  • Even if we will save data in a custom database somewhere in EU, can we say that Bubble will not store any data that do not belong there? (like in logs, backup, history or so…)
    We have a bad experience because for example if you use an API connector the response is stored in the file manager even if you do not want that… (and there is no solution for that as well) :frowning:
  • Could it be a problem if the backend still processes the personal data? (not fully obvious)
  1. Use a different backend like Xano
  • The question could be the same if we use it, can we say that Bubble will not store anything that we do not want in any way? (logs, backups, history…) I guess the Bubble backend will send it to the custom backend and not the browser itself if you know what I mean.
  1. As far as I understood we can live with the Bubble database if we anonymize all the data before storing it.
  • I think it is more complex than the previous 2 together and could have performance issues as well. :blush:

Beyond that the user is the first entity that should be offloaded so I have bad feelings about this, because how would the complete Bubble admin side works if it does not have a user entity at all? (or does it make sense to have the user with a simple unique id (coming from Bubble) and store the personal part in a different database connected to the same unique id as a foreign key?)

So questions, questions, questions and everything counts after months of work in it and there is no way out if we can’t find a solution.
If you have any idea about the answers I would like to thank you in advance…

@jared.gibb i’d looked into Xano also backendless.com ( of course the two are different offerings as Xano is dedicated to being a backend. But one thing i couldn’t quite work out is how Xano handles the equivalent of Bubble’s privacy settings…

Example. In bubble I can get a logged in user which protects my things in the bubble DB. Equally I can expose those same things via Bubble API with a token ( all is good in the world).

Now in Bubble (as the frontend and Xano has the backend) I can authenticate using Xano method with JWT but they don’t seem to have the equivalent of Bubble privacy being I cannot control access to xano with what bubble has meaning a token allow me to control access… If that makes sense