GDPR Compliance of Bubble in EU

Hi all,

I would like to launch my app in a few weeks but I’m still encountering a few issues as I’m in Europe.

How GDPR compliant is Bubble right now? I’ve looked through the forum but it’s hard to keep track of what the current situation really is.

If I would like to use my own server for user data (email, addresses etc.) in Europe in case Bubble doesn’t fulfill the GDPR, which tool would I have to use for this to create my own database and send the data back and forth to Bubble?

Many thanks in advance! :slight_smile:

Cheers,
Philipp

2 Likes

As you say, there is much discussion in the forum around GDPR compliance.

Also, plenty of people externalise the DB from Bubble as a means to help compliance requirements (but in my opinion, it’s not as simple as “externalise the DB to my region and we are magic-wand compliant” :slight_smile:)

This announcement is very relevant.

3 Likes

Hi Lindsay,

Thanks for your response! What does this DPA imply in my particular context? I unfortunately don’t quite get the implication here. (Especially because I’m in Germany, not in the UK)

Hope you can help. :slight_smile:

Cheers,
Philipp

I’m not an expert at all (in fact, the opposite and find it totally confusing), plus we’re based in the UK - however our lawyers looked at this for us to make sure of our standing in relation to GDPR and I think their advice, because it related to the European Standard Contractual Clauses (and UK’s adoption of them), should extend to you in Germany.

What we were told was that Bubble’s DPA (and in our case their updated DPA) brings them in line with the standards previously contained in the now-defunct Privacy Shield agreement between the EU and USA. As the Privacy Shield arrangements were considered GDPR compliant, the European SCCs mirror those arrangements, and now Bubble’s DPA complies with those - the legal reasoning points to GDPR compliance.

Said another way, Bubble have done what many other similar companies have done and there’s a broad consensus that this is as compliant as you can be (if your data is held in US).

But definitely get local legal advice if you’re in doubt and remember I don’t actually know what I’m talking about :joy:.

4 Likes

Hi
I just got in touch with Bubble support and was told that Bubble is not GDPR compliant. This is terrible. Their solution was to use dedicated servers in the EU to store and process your data. This is extremely pricey and defeats the whole purpose of using Bubble in the first place. @philipp.laengle107 is your app already live? How did you overcome this?

You could use weweb and xano!

What exactly did they say considering GDPR compliance (or the lack thereof)? My application is live and running. I signed the DPA together with Bubble to confirm that they adhere to the Contractual Clauses.

What would the benefits of that be?

Hi @philipp.laengle107

This is what they wrote:

“Thanks so much for getting back to me; you are certainly correct. I agree that GDPR regulations do present a hurdle to many Bubble users who are looking to build their apps in the EU, and currently, Bubble users can only be compliant with GDPR with Dedicated servers in EU-based locations, which certainly does have a hefty price tag.”

They offered no DPA signing workaround or anything like that with me. You might want to double-check…

1 Like

Weweb is based in France (your frontend)
And xano will deploy where you want it. (In the EU for example)

It can be configured to be compliant.

^^^from the weweb forum

1 Like

That’s really not a solution for Bubble …

No. Hosting a private cluster in the EU is the solution.

1 Like

By an EU legal entity.

3 Likes

Do you mind me asking why you say it’s based in France when the following post says it’s hosted in the US? I have taken a look at Weweb and am already not a big fan of it. Looks like a steep learning curve and is slow.

Cause I type like shit. Sorry!

no worries

1 Like