You can always refer to the AWS security and compliance documentation, and they comply with more than enough. The fact that the data is encrypted at rest and that it sits on an RDS means the data is held under the strictest security regime.
"The AWS Security & Compliance Quick Reference Guide provides an overview of how to maintain a compliance-ready environment through control validation, demonstration of security assurance, and activity monitoring on AWS."
From my perspective the framework it's built on is irrelevant, and if they want to know what the tech stack is, it's Node.js, JavaScript, PostgreSQL and other technologies. The details of which are proprietary. Having dealt with many vendors over the years, and having had apps built in Python on varying frameworks and platforms, at the end of the day the host and compliance around data storage are all that matters.
You can always keep a copy on your own SQL RDS if you need to, and I read somewhere in the forum that in the future Bubble may allow for read access for dedicated services.
But YES, a dedicated plan for apps which don’t follow the general multi-tenant SaaS model is the way to go to alleviate the issue which comes with shared hosting!
The fact that it uses Bubble's framework to execute the code should not be an issue, the same way as if you used Django for Python or Symfony for PHP or any other framework such as .NET; they all come with risks! The fact that Bubble is a PaaS is better in the fact that it is a commercial entity and is not open source, which many customers still frown at because of its inherent security risks.
Ideally, you would offer a price structure for those just wanting to sign up to a shared hosting traditional SaaS and those who want their own app on their own cluster, still SaaS, and I could name many of the big SaaS players who do not reveal their technology stack other than here in Australia.
It is the way that you sell the stack rather than an issue with the stack itself. Don’t focus on the fact that it's a visual way of programming but rather that it’s about speed and there is still code sitting behind it - again on the roadmap, there are plans to allow downloading aspects of this code - “Ability to export apps as JSON”.
If they have a problem with it, they are basically saying that technology built on, say, Microsoft Office 365 (Access databases being a prime example) is just as high a risk, if not higher.
So my advice is to not focus on selling them Bubble, but focus on what the app does and that it's built on a proprietary framework that allows for rapid feature updates to your compliant AWS cluster and under the hood it has xyz and allows for API etc etc etc…
Hope this helps!