Forum Academy Marketplace Showcase Pricing Features

Is Bubble database data encrypted?

We are building an application on Bubble that may require us to store our user’s passwords from another service.

This leads us to ask if the Bubble data is encrypted. We suspect it is not as a rule, and we’re ok with that. We’re considering encrypting the required information (remote service username and password) prior to saving it to Bubble and right after retrieving it from Bubble.

I suspect we can achieve the encryption/decryption through a remote API.

Before we do this work I just wanted to check if the database data being stored by Bubble is encrypted. Also, if it’s not encrypted would it be possible to have Bubble add this feature on a Field by Field basis (i.e. adding a Field Type called “Encrypted Password”) that could protect this data in the event that the Bubble database was ever exposed.

Thanks.

1 Like

Bubble is hosted on AWS which maintains a state-of-the-art security infrastructure. We encrypt all traffic to bubble.is over https, and encourage and support our clients to use encryption on their own domains. All user passwords are stored salted + encrypted in our database; other user data is not encrypted at rest, but we plan to change this in the next two months as part of a migration from a NoSQL database (elasticsearch) to a SQL database (postgres).

6 Likes

Great you guys are planning to change the databas. What are some features and improvements can we expect? Will we have the ability to build query?

This is mostly a behind the scene thing for now, though i’ll probably open some possibilities down the line.

btw, should avoid storing passwords and store hashes instead

Will change of database increase search speed and loading times?

1 Like

Very interested to hear why you are making this transition and what can the average app designer with bubble expect to see as a result?

NoSQL databases are pretty popular nowadays, I’m curious to hear what motivated the move.

2 Likes

@emmanuel, does this mean that all data will be encrypted at rest when you make the switch to the new database? Or will this be a feature only available to certain paid Bubble tiers? We’re looking at working with folks in industries like healthcare (non-HIPAA, but still healthcare) and financial services - Bubble could be really helpful for them and part of their hesitation to use Bubble right now is around data security.

Thanks!

We can’t commit right now for this, we’ll see. What’s likely to be is on the Dedicated Plan first, and then maybe make it an option on lower plans, we’ll see.

1 Like

Thanks for the quick reply, as always.

Emmanuel, has the database migration been performed and are all data encrypted at rest?

Yes, all user passwords are stored salted + encrypted in our database; other user data is encrypted at rest (we’re on AWS RDS).

1 Like

Thank you. I’m curious where the Bubble encryption keys are stored and are there separate keys for each developer account? The reason that I ask is that we are planning to develop a healthcare related app and it must comply to HIPAA security standards.

Unfortunately HIPAA isn’t something that Bubble supports at this stage.

I know achieving certified HIPAA compliance at the platform level would be a massive dev initiative for Bubble, @emmanuel.

However, I’d also guess with enough interest, this could be productized at quite a premium, given that

  1. It’s table stakes for anyone developing a health care app (demand)

  2. No players in the Visual Programming space offer the option (differentiation)

  3. Clients looking for custom-built apps in the health market typically expect/tolerate a much higher price point. (viability)

I’m thinking you may find Bubblers willing to pay handsomely for a platinum “Dedicated Hosting + HIPPA” tier at $1K+ per month if they truly have an oppty to develop for this space…might be worth a little market research via user survey. Loss leader for a while, but game changer in terms of moving the needle on ARR & LTV when exit time looms :slight_smile:

Bottom line, is it worth trying to mobilize a Sponsored Feature campaign, or does this fall in the “you can’t pay me enough to go near that” category, at least for now? :scream:

We would love to do this, and we hope to do this at some point, but it’s not something we can do currently, even on a sponsored basis, unfortunately.

Understood. Thanks for the quick reply, happy to discuss down the road if/when you’re contemplating taking on this initiative.

1 Like

Are any fields indexed? Do users have the ability to index fields that will be searched on? Did the new database give you more capability in this regard?

Hello,

Yes, we automatically create indexes behind the scenes. That’s a built-in feature.