Introducing SOC 2 and Bubble for Enterprise

This is awesome! I just want to confirm – all apps built on bubble are SOC 2 compliant now? Or would they still have to go through a third party review?

1 Like

Dedicated is renamed to Enterprise right?

1 Like

I’ve got to start by saying, “Wow!” The news you’ve just dropped is seriously fantastic, and I couldn’t be happier. You’re rocking it!

I’ve got to share a little personal insight from my time working in healthcare. You know I’ve had my fair share of experiences with bubble over the years and here’s the thing: I’ve had some amazing opportunities to whip up healthcare apps and cool innovations. Yet, every time I hit that roadblock of data hosting in a different location with Bubble, it’s like a massive disappointment every time.

It’s all about the cost of that dedicated plan is, honestly, off the charts. And for startups projects it’s just not affordable. I’ve lost nine promising projects over the years as soon as I started discussing the price tag for data hosting in another location. My customers are like thanks but no thanks everytime.

Unless you’re a big player in the game, it’s almost impossible. So, you can imagine how many cool projects end up on the back burner or slip through our fingers because of these costs.

Don’t get me wrong, Bubble has been a total game-changer for my career, but it’s like a Roadblock in some areas of health It’s a real bummer.

In a perfect world, we could switch up the data location without breaking the bank, and Bubble would be the ultimate solution, hands down. You’ve already supercharged my career, and I’m forever grateful, but, man, this dedicated server cost. It’s such a brick wall.

Bottom line, if we could find a way to tackle this data location and affordability challenge, Bubble would be unstoppable. @bubble @fabian.keim


Keep up the good work!

1 Like

Awesome announcement!


That is great news. Can we get access to the SOC 2 report? Or a SOC 2 compliance certificate of some kind that we can share with third parties to demonstrate the Bubble is SOC 2 compliant?

1 Like

Hi everyone,

Thank you all for your support and celebrating this milestone with us! I’m jumping back in to address some of the common questions and themes that have come up in the comments.

Dedicated Server on the Enterprise Plan

On the Enterprise plan, you can choose to host your app on our shared infrastructure or get a dedicated instance with a server located in an AWS hosting region of your choice.

SOC 2 Type II Compliance for Bubble Apps

Bubble’s SOC 2 Type II report means that our platform itself meets the standards needed to be compliant. This compliance does not automatically transfer over to apps built on Bubble. If a user wants their app to be SOC 2 Type II compliant, they’ll need to ensure that the way they design and operate the app meets the necessary trust principles and complete a separate audit.

If you’re interested in getting a copy of our SOC 2 report, please contact our Sales team for more details.

Bubble Employee Access to the Database

We determine the type and level of database access granted to employees based on the principle of least privilege. In this case, only approved employees have access to customer data. As part of our commitment to SOC 2 Type II compliance, we’ve implemented strict security controls to protect against unauthorized access to data.

Bubble SSO vs SSO Integration for End-users

With the Enterprise plan, we’ve introduced Bubble SSO, which allows an organization to secure member logins for the Bubble platform. This is different from the SSO integration for end-users via the WorkOS plugin or the API Connector, which remains a feature available on all plans.

GDPR Compliance on Bubble’s Main Cluster

We take the protection of your personal information seriously and have implemented measures designed to meet the standards of applicable data privacy laws, including the General Data Protection Regulation in the EU and the UK. These measures apply to all apps on any plan, including those on Bubble’s main cluster. It is ultimately up to each customer to decide if they want or need to go beyond that and store their data in the EU. We recommend that you consult a qualified legal professional for advice regarding specific regulatory compliance obligations relevant to your circumstances.

If you have any additional questions, please get in touch with our Sales team. Happy Bubbling!


As part of our own compliance audit we need to get a sense of how our sites are being protected. Are you able to provide Bubble’s Cloudflare settings with respect to WAF and DDoS, File Upload Limitation/scanning settings.

We are currently doing a SOC2 audit for our company and need to explain the security settings for our site. We use Cloudflare for DNS but presumably none of the setting we have matter since it is being routed directly to bubble. If you could provide an overview of the Cloudflare settings that Bubble has enabled that would be great.

All the best,


any update??? @josh