I’m currently handling an application that builds on top of Bubble. My client is about to sign a contract with a big partner that is concerned about the security of our application.
The detailed concern is about “Data at Rest Encryption”, which is detailed as below:
• Procedural documents describing how and where encryption is implemented and at what strength
• Screenshot(s) showing database encryption settings
• Screenshot(s) showing bootup password for full device encryption
• Screenshot(s) from backup server configurations showing encryption settings
• Screenshot(s) of NAS configuration settings
I would like to know if there are some official documents from Bubble that I can use as references to clarify/answer the above questions.
I’ve been checking the forum for a while and see that Bubble uses AWS RDS, which supports data encryption at rest, but I also see some comments saying that there is a plan to move as well.
So I created this topic with the hope of receiving some official information about data security in Bubble.
I believe this information is IMPORTANT to me and other Bubble users, as data security is a MAJOR concern of any client.
Looking forward to your answer,
TLDR: Bubble can only help you with some of this, the rest of it has to come from your own organization and your information security practices.
I’m not a Bubble representative but I wanted to point out that some of what you’re being asked about is probably your own organization’s responsibility. For example:
Device encryption probably refers to automatic encryption settings on user devices (I guess the devices running the browsers used to interact with your Bubble app). This will be a matter of the operating system used as well as any third-party encryption services installed.
NAS is again probably related to network storage devices accessible from user endpoints.
It’s reasonable to expect Bubble to tell you whether and how their app databases encrypt data while at rest, but as a responsible system designer, you should also think about how you are handling data in flight, or about a secondary layer of encryption on top of whatever Bubble provides. For example, you could implement AES-256 to encrypt data at rest.
Bubble can’t be responsible for the data you choose to store versus use in client-side memory, or how you choose to protect it. You need to develop your own information security policies and then decide HOW you are going to use Bubble in a way that meets your policies.