Explaining to clients our app abides by standard security/compliance practices

Hey Bubblers!

My team and I are in the early stages of selling access to sub-app spin-offs of our main app. Exciting times! However, four out of five prospects that we’ve demo’d the app to have brought up concerns over the safety/security of their user data. We have been very transparent about using Bubble as our technology stack and have explained to the best of our ability how and why Bubble is a better alternative than if we were launching a hand-written PHP app on our own AWS server.

Specifically, people have brought up in conversation: SOC 1 and SOC 2 compliance, penetration testing, auditing abilities of user actions, and passing compliance testing by a 3rd party associated with an enterprise-level client.

If anyone here has experience explaining these types of things to their clients I’d really love to hear from you, and I think the community as a whole would benefit by having a structured/standardized way of expressing these issues that will inevitably come up in the lifecycle of building and marketing a successful app.

Thanks!

5 Likes

I’d also love to have a structured way of expressing these types of questions. I know from previous threads there are in-production apps that likely have the same concerns. If they’ve been addressed, I’m not sure.

If you haven’t done it, I think reaching out to support@bubble.is would be the best way to get faster answers. If you’re able, please share the results!

Also, congratulations on your application’s new chapter! It is indeed an exciting time!

1 Like

I sent an email to Support. Thanks for chiming in @skylershelton! I’ll reply back if I hear anything.

4 Likes

Please do, I bet a lot of people are curious what the result will be, I know I am.

1 Like

I think this is the type of information that should be discussed on the forum. This is an important topic that we need a very clear set of guidelines on. Clearly, AWS is SOC 2 compliant, but it would seem documentation and privacy rules are a big piece of the equation, both of which are subject to Bubble user error. As a community we need two pieces of information on this: 1) a general perspective on how to approach this topic with prospective customers and 2) a specific set of protocols to follow to ensure that we’re doing what’s within our control to pass an audit if necessary. If using Bubble will never be SOC 2 compliant, this could be a big issue for anyone that’s thinking about building an enterprise SaaS product (like myself…). I understand audits & vulnerability assessments will be cost prohibitive for most Bubble users, but if we’re going to invest in the production plan, we have to know that we can sell to the enterprise with confidence!

4 Likes

Has anyone heard anything from Bubble Support on this thread’s question? I have been looking high and low but am unable to find anything on this.

I hope Bubble addresses this. It’s a question everyone should consider.

I haven’t heard anything about it.

If I had a client who was concerned about security, I would do an audit myself.

Bubble’s architecture is based on existing technologies, and I don’t think it’s such a big leap to logic out how these fit into your product’s big picture.

Alternatively, the best way to get answers from J&E would likely be to post very specific questions that have clear answers.

For example: Does Bubble support SSL certification? As opposed to “What does SSL offer my clients, security-wise”.

I know it’s not a copy paste answer, but thinking deeper about this question I see that some answers people might be searching for could be isolated use cases, in which case it’s up to them to provide answers to their clients questions, not the bubble team. That said, questions about particular security features, such as “Yes, Bubble supports SSL certification” is something either the community or J&E would be able to answer.

Also, don’t forget all paid tiers come with support. There’s never any harm in shooting support@bubble.is an email - the couple of times I’ve done it, the response has been nearly instant.

1 Like

I did hear back from Emmanuel on this:

Hello,

We take security very seriously (our largest client deals with personal financial information, so we have to be careful with this). The most important thing you can do security-wise is define some rules on who can see which information. This is an advanced feature, but you can do this in the Data Tab → Privacy. These rules are checked server-side for higher security.

Generally speaking, Bubble is hosted on AWS West Region (Oregon, US) which maintains a state-of-the-art security infrastructure. We encrypt all traffic to bubble.is over https, and encourage and support our clients to use encryption on their own domains. All user passwords are stored salted + encrypted in our database; other user data is encrypted at rest (we’re on AWS RDS).

You can add an SSL connection to your own domain under the Professional Plan.

For bigger clients, our dedicated plans offer the ability to be on their own cluster, which leads to more reliable performance as it’s not shared with other people. That is also more secure as the servers only have a few apps.

Everything that touches data is logged, which enables auditing if needed.

Lastly, regarding external audits, we haven’t invested in these certifications yet (they are quite expensive), and you wouldn’t have that either if you were working with a PHP Developer.

Best,


Emmanuel Straschnov
Bubble
support@bubble.is

Everything here seems very reasonable and is what I expected. On this note:

The most important thing you can do security-wise is define some rules on who can see which information. This is an advanced feature, but you can do this in the Data Tab → Privacy. These rules are checked server-side for a higher security.

I do wish there was more information and detailed examples available to me as a developer on the topic of the Privacy tab. For how crucial this one aspect is, I don’t see many people discussing it or sharing how they’ve implemented security in this manner. I understand it’s partly my role as developer to ensure the privacy of my app data, but I don’t even know where to start once the data becomes more complicated in structure.

Does anyone know if CoBubble looks into these sorts of things in sessions?

7 Likes
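The privacy rules Emmanuel describes above, as an added example that is not part of the original post and not Bubble's own implementation: a small Python model in which each rule on a data type is a condition on the current user that grants a set of visible fields plus a "find in searches" flag, evaluated on the server for every read and every search, with an access log of the kind the email says exists. The "Invoice" type, the records, the users and the rule names are all constructed for the illustration.

```python
"""Server-side privacy rules, modelled on the per-type rules described in the
thread (condition on the current user -> visible fields + "find in searches").
Added illustration only; not Bubble's code. Every type, record, user and rule
below is constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    id: str
    role: str = "member"
    company_id: Optional[str] = None


@dataclass(frozen=True)
class PrivacyRule:
    name: str
    condition: Callable[[Optional[User], dict], bool]  # True -> rule applies
    visible_fields: frozenset                          # fields it grants
    searchable: bool = False                           # may appear in searches


# Hypothetical "Invoice" type. Rules are additive: a user gets the union of
# the fields granted by every rule whose condition holds. There is no
# catch-all rule, so a logged-out user or a stranger gets nothing.
ALL_FIELDS = frozenset({"id", "amount", "owner_id", "company_id", "notes"})
INVOICE_RULES = [
    PrivacyRule("owner", lambda u, r: u is not None and r["owner_id"] == u.id,
                ALL_FIELDS, searchable=True),
    PrivacyRule("same company",
                lambda u, r: u is not None and u.company_id == r["company_id"],
                frozenset({"id", "amount", "company_id"}), searchable=True),
    PrivacyRule("admin", lambda u, r: u is not None and u.role == "admin",
                ALL_FIELDS, searchable=True),
]

ACCESS_LOG: list = []  # one entry per server-side evaluation, denials included


def grants_for(user, record, rules):
    """Union of field grants and the searchable flag across matching rules."""
    fields, searchable = set(), False
    for rule in rules:
        if rule.condition(user, record):
            fields |= rule.visible_fields
            searchable = searchable or rule.searchable
    return fields, searchable


def read_record(user, record, rules):
    """Project a record down to the fields the user may see; None if denied."""
    fields, _ = grants_for(user, record, rules)
    ACCESS_LOG.append({"user": user.id if user else None,
                       "record": record["id"], "granted": sorted(fields)})
    if not fields:
        return None
    return {k: v for k, v in record.items() if k in fields}


def search(user, records, rules, constraint=lambda view: True):
    """Server-side search. The client's constraint runs against the projected
    view, never the raw record, so a constraint on a hidden field cannot be
    used to probe data the user may not read."""
    hits = []
    for record in records:
        _, searchable = grants_for(user, record, rules)
        if not searchable:
            continue
        view = read_record(user, record, rules)
        if view is not None and constraint(view):
            hits.append(view)
    return hits


# Constructed sample data.
INVOICES = [
    {"id": "inv-1", "amount": 100, "owner_id": "alice", "company_id": "acme",
     "notes": "late payer"},
    {"id": "inv-2", "amount": 250, "owner_id": "bob", "company_id": "acme",
     "notes": "vip"},
    {"id": "inv-3", "amount": 75, "owner_id": "carol", "company_id": "globex",
     "notes": "disputed"},
]
ALICE = User("alice", company_id="acme")
DAVE = User("dave", role="admin", company_id="globex")


def demo():
    """Walk through the cases a reviewer would ask about."""
    probe = lambda v: "vip" in v.get("notes", "")  # search on a hidden field
    return {
        "alice_own": read_record(ALICE, INVOICES[0], INVOICE_RULES),
        "alice_colleague": read_record(ALICE, INVOICES[1], INVOICE_RULES),
        "alice_other_company": read_record(ALICE, INVOICES[2], INVOICE_RULES),
        "logged_out": read_record(None, INVOICES[0], INVOICE_RULES),
        "alice_search_ids": [v["id"] for v in search(ALICE, INVOICES, INVOICE_RULES)],
        "alice_probe_notes": search(ALICE, INVOICES, INVOICE_RULES, probe),
        "admin_probe_notes": [v["id"] for v in search(DAVE, INVOICES, INVOICE_RULES, probe)],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two design points carry over to real rules whatever the platform: there is no "everyone" rule, so the default for a logged-out user or a stranger is deny rather than a leak you have to remember to close; and search constraints are evaluated against the already-projected view, so a client cannot use a search on a field it may not read (here, another user's notes) as an oracle for that field's contents. Logging denials as well as grants is what makes the log useful in an audit.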

Tell the client that security = vigilance. No way around that. If they aren’t the logical type, send them to the security measures posted by Amazon for aws. If reading isn’t their thing, sell them a security package where you watch the logs. If that doesn’t work, drop the client.

If you just need nonsense for a proposal make it up. Nothing in this business is secure. Bubble requires a leap of faith.

6 Likes

I’m trying to get similar information from Bubble.is for the purposes of using them on a pilot project, and received more or less the same response as above. Due to the nature of the business we have specific questions that need to be answered, but we aren’t making much progress.

I understand this involves time and expense on their end, but I would guess that once it has been created it would take minimal time to revise for each inquiry. In our case, we are even willing to consider a dedicated plan on a sooner time frame to make it work – I don’t know if that will make a difference.

Has anyone had any further experience with this?

I emailed support a few weeks ago asking specifically a) if Bubble had any SOC 1, 2, or 3 certification and b) for the uptime commitment for the Bubble platform.

In a word: no.

You can always refer to the AWS security and compliance documentation and they comply with more than enough, the fact that the data is encrypted at rest and that it sits on an RDS means the data is held under the strictest security regime.

"The AWS Security & Compliance Quick Reference Guide provides an overview of how to maintain a compliance-ready environment through control validation, demonstration of security assurance, and activity monitoring on AWS. "

From my perspective the framework it’s built on is irrelevant, and if they want to know what the tech stack is, it’s Node.js, JavaScript, PostgreSQL and other technologies, the details of which are proprietary. Having dealt with many vendors over the years, and having had apps built in Python on varying frameworks and platforms, at the end of the day the host and the compliance around data storage are all that matters.

You can always keep a copy on your own SQL RDS if you need to, and I read somewhere in the forum that in the future Bubble may allow for read access for dedicated services.

But YES a dedicated plan for apps which don’t follow the general multi-tenant saas model is the way to go to alleviate the issue which comes with shared hosting!

The fact that it uses Bubble’s framework to execute the code should not be an issue, the same way that if you used Django for Python or Symfony for PHP or any other framework such as .NET they all come with risks! The fact that Bubble is a PaaS is better in that it is a commercial entity and is not open source, which many customers still frown at because of its inherent security risks.

Ideally, you would offer a price structure for those just wanting to sign up to a shared-hosting traditional SaaS and those who want their own app on their own cluster, still SaaS. I could name many of the big SaaS players who do not reveal their technology stack, other than here in Australia.

It is the way that you sell the stack rather than an issue with the stack itself. Don’t focus on the fact that it’s a visual way of programming but rather that it’s about speed and there is still code sitting behind it. Again, on the roadmap there are plans to allow downloading aspects of this code: “Ability to export apps as JSON”.

If they have a problem with it they are basically saying that technology built on, say, Microsoft Office 365 (Access databases being a prime example) is just as high a risk, if not higher.

So my advice is not to focus on selling them Bubble, but to focus on what the app does and that it’s built on a proprietary framework that allows for rapid feature updates to your compliant AWS cluster, and under the hood it has xyz and allows for API etc etc etc…

Hope this helps!

9 Likes

Great advice here @StevenM. Now that Bubble is on Cloudflare is Bubble still hosted on AWS West Region and is this AWS security and compliance guide still relevant @peterj ?

Glancing back over this, Emmanuel’s email from 2017 is still largely correct. Even though we’re behind Cloudflare now, little else has changed. We use full SSL from our servers all the way through to users; less than 1% of all our request traffic of any kind is over HTTP, and of that most is initial page requests (http://bubble.io immediately redirecting to SSL, for instance.)

2 Likes