Bubble User Account Security

Hey everyone!

I’ve worked with Bubble for a while now and I really enjoy how user accounts are set up.

I feel I should know this by now, but what are the technical specifics behind Bubble when it comes to creating users and their passwords, etc?

I have come across 2 potential clients with different security requirements:

  1. A US based health app where HIPAA is essential (Health Insurance Portability and Accountability Act)

  2. A job description that highlights the following requirements:

  • Auth via NextAuth.js or Clerk

Basically, what could I respond to the potential client with that would put their mind at ease that their data is secure?

Furthermore, are there additional settings or plugins I could use to double down on the default user account security?

Cheers

Hey,
First, Bubble is NOT HIPAA compliant, so it’s not the right platform for the healthcare industry. For such a potential customer, you might want to consider Supabase or Xano as a backend + WeWeb as a front end. Whatever your choice is, please make sure you are on the right plan that meets HIPAA requirements; otherwise you can go for Supabase since it’s open source and self-host it.
Second, I haven’t tried Auth via NextAuth.js myself, but I think it could be possible. I can’t give you a solid answer.

Finally, when it comes to security, the “Privacy Rules” settings are very important and should be configured correctly to avoid any potential data leaks. You can check out the “Flusk” tool (recently acquired by Bubble) that checks for any vulnerabilities in your app.

Hope this helps!

Thank you Ahmed, that’s great feedback, much appreciated.

I had also heard that Bubble wasn’t HIPAA compliant, so I think I was just wondering what else Bubble doesn’t meet the standards of.

I will definitely be checking out Flusk as well, thank you!

Well, I believe you might want to check out these 2 links from the Bubble documentation about Bubble security & compliance. It is mentioned there by Bubble that they do not recommend using the platform for apps that require HIPAA compliance.

1 Like

But as I understand it, this concerns the backend; if we use Xano or Supabase we will have HIPAA compliance even if the frontend is in Bubble.

No, you won’t.

1 Like

Unfortunately no, because Bubble logs will have the patient information, so we can’t even use Bubble in this case even as a frontend only.

1 Like

To be HIPAA compliant you can only use Bubble for any aspect (front end or back end or both) if you tokenize patient info. It’s doable but not simple, and depending on the use case it might not be practical.

1 Like
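Tokenizing patient info as the reply above describes, shown as an added example that is not part of this thread or of Bubble’s own tooling: a small Python token vault. The vault class, its functions, the PHI field list and the sample patient record are all constructed for illustration. The idea is that protected health information (PHI) lives only in a HIPAA-eligible backend (the vault), and the front end, its database rows and its logs only ever see opaque random tokens, so the problem raised earlier of patient data landing in Bubble logs does not arise.

```python
import json
import secrets


class PhiTokenVault:
    """Constructed token vault for the pattern described above: PHI is stored
    only here, standing in for a HIPAA-eligible backend, and callers receive
    opaque random tokens. A real deployment would also need access control,
    audit logging and encryption at rest in that backend; this class shows
    only the token mapping itself."""

    def __init__(self) -> None:
        self._phi_by_token: dict[str, str] = {}
        self._token_by_phi: dict[str, str] = {}

    def tokenize(self, phi: str) -> str:
        # Reuse the existing token so the same value always maps consistently.
        existing = self._token_by_phi.get(phi)
        if existing is not None:
            return existing
        # Random, non-derivable token: it carries no information about the PHI,
        # unlike a hash, which can be reversed by guessing low-entropy values
        # such as dates of birth.
        token = "tok_" + secrets.token_urlsafe(16)
        self._phi_by_token[token] = phi
        self._token_by_phi[phi] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the backend side of the boundary ever calls this.
        return self._phi_by_token[token]


# Fields of the (constructed) patient record that are PHI and must stay in the vault.
PHI_FIELDS = ("full_name", "date_of_birth", "diagnosis")


def build_frontend_record(vault: PhiTokenVault, patient: dict) -> dict:
    """Return the record a front end such as Bubble may hold: PHI fields
    replaced by tokens, non-PHI fields passed through unchanged."""
    return {
        key: vault.tokenize(value) if key in PHI_FIELDS else value
        for key, value in patient.items()
    }


def restore_record(vault: PhiTokenVault, record: dict) -> dict:
    """Backend-side inverse: swap tokens back for PHI before clinical use."""
    return {
        key: vault.detokenize(value) if key in PHI_FIELDS else value
        for key, value in record.items()
    }


def leaks_phi(record: dict, patient: dict) -> bool:
    """True if any PHI value appears anywhere in the serialized record, which
    is what would end up in front-end database rows and request logs."""
    serialized = json.dumps(record)
    return any(str(patient[field]) in serialized for field in PHI_FIELDS)


# Constructed sample patient; every value is invented for this example.
SAMPLE_PATIENT = {
    "patient_ref": "P-0001",
    "full_name": "Jane Example",
    "date_of_birth": "1980-02-03",
    "diagnosis": "example condition",
    "appointment": "2024-06-01T09:00",
}


def demo() -> tuple[dict, bool]:
    """Tokenize the sample patient, confirm the backend can restore it, and
    report whether the front-end copy leaks any PHI."""
    vault = PhiTokenVault()
    frontend = build_frontend_record(vault, SAMPLE_PATIENT)
    assert restore_record(vault, frontend) == SAMPLE_PATIENT
    return frontend, leaks_phi(frontend, SAMPLE_PATIENT)


if __name__ == "__main__":
    record, leaked = demo()
    print(json.dumps(record, indent=2))
    print("PHI leaked to front end:", leaked)
```

The check in `leaks_phi` is the part worth keeping in a real pipeline: run it over whatever a front end or log sink is about to receive, so a field accidentally left out of the PHI list is caught before it is stored.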