How secure is bubble.io for sensitive user data?

Hi,
I have an app idea where every user can put his own data (but it’s sensitive data like insurance documents, ID card, passport, etc.).

What is Bubble’s server protection level? How well are Bubble apps’ databases protected? Can I create an app that requires good protection against cyber attacks on bubble.io?

As I am French, I am under French regulation, and in France if users’ sensitive data is leaked then you can get a big fine, but only IF you didn’t protect users’ data correctly enough. As you can imagine, I don’t want to get fined for that.

Can someone working at Bubble or someone having the knowledge help me on this data protection topic please?

Thing is, Bubble is as secure as you make it.

With good databases set up and privacy rules on your datatypes to control who sees what, you’d be good.

2 Likes

Exactly. You can take a car as a comparison, while being safe in itself with tons of security mechanisms, you can still drive into a wall :saluting_face:

Bubble in itself is really secure and complies with all industry standards.

There are great resources about securing your app in the Bubble Manual and our free book.

5 Likes

Gem packed book you’ve got here gents. Good insight! :slight_smile:

Thanks for the sweet words :pray:

Thank you @vnihoul77, both resources are very interesting (especially the free book, it’s really good!)

In the near future I am certainly gonna get a subscription to your app “Flusk”, because the project I am on needs maximal security since it will have lots of personal data.

1 Like

Happy to hear. Feel free to ask here if you have any more questions

1 Like

I do have a question that is maybe not completely related to security.
I was reading your book (page 61) and I realised that you store the profile pic of the user in your example on an AWS server (and not on the Bubble server, if I’m correct):

Is there a difference in security by doing that? Or is it just a preference? Or is it quicker to access?

If I’m not mistaken, Bubble already uses AWS servers, but if it was the case here, in the URL there would be the word “bubble” (correct me if I am wrong, I don’t know how this all really works ^^)

1 Like

Good question!
As you guessed the image is indeed stored on Bubble servers which rely on AWS.

You won’t see the bubble word in the URL but you can see the /appforest_uf/ which is the previous name of Bubble.

Ohh okay I see, thanks!

Under the hood Bubble does store the file with that URL format still, but they made a change a while back so when you or a user views a file you will see it in this format:

https://[app unique id].cdn.bubble.io/f[file unique id]/[filename with extension]

Also keep in mind at this point in time Bubble support can look at your database/files, when you ask them to investigate a bug they just go in without you having to “grant them access”. I think they mentioned on the enterprise/dedicated plan this isn’t the case?

In terms of protection against the public/data leaks Bubble is secure like others mentioned

1 Like

Being in France you need to consider data sovereignty laws. That is, in which region does Bubble store your data. If that is outside the EU, then you will be in breach.

I would suggest hosting your data in a secure cloud provider like AWS, in an EU region, then connecting with that via your Bubble app.

That way you can ensure security as well as compliance with GDPR and other data sovereignty regulations.

Hope this helps. Reach out if you need further assistance.

That sounded fishy to me. Upon a quick Google search, I was surprised to learn it’s true in terms of broad strokes but there are huge exceptions to those EU rules. Finally, if none of those exceptions would apply to a French company, then “hosting your data in a secure cloud provider like AWS, in an EU region, then connecting with that via your bubble app” would probably not help as Bubble would need to interact with the data.
