Is bubble.io compliant with EU regulations like GDPR (DSGVO) or not?

Hello guys,

since topics like this are all closed but with no answer - here we go again: Can someone give some insight into whether new startups from e.g. Germany should start a project or not? It is crucial that the project is compliant.

In this article, Bubble’s Intro to GDPR for Bubble Apps, there is not a single word about the database and whether this makes it a problem or not.

Here is just one example of a closed topic with no answer… many of them exist in the forum.

@josh @emmanuel @grace.hong it would be nice if someone from the bubble team could bring light into this discussion.

Thank you!

Hi there,

I don’t have the simple answer you might be looking for, but I found Bubble has a document that hopefully can help get you the answers you’re looking for:

I would also recommend connecting directly with Bubble support to get clarification on any of this: support@bubble.io

@hi_bubble This doc is up to date and gives you all the info you should need. Yes bubble apps can be GDPR compliant, but you need to ensure the way you build your app complies with the regulations such as those set out in this doc.

This topic and a lot of the forum posts have seen some confusion over the years because GDPR as a law has changed so many times, particularly in terms of transferring user data outside the EU.

Thank you! Yes that I understand. That is basically the case with any website. Be aware of cookies, manage users GDPR compliant, give the right to delete etc… right?

But what I was asking is more towards the facts that I cannot change at all, for example the server location of the built-in bubble database. Or in other words: do I have to use an external DB in order to be compliant like this article suggests: Making Bubble.io GDPR compliant - 3 important factors - VisualMakers Blog

Factor 1: Database

The problem from a privacy perspective with Bubble is the custom PostgreSQL database in each project created. This database, like Bubble itself, is hosted on the Amazon Web Services infrastructure. According to various forum posts, it is the aws-us-west-2 region, i.e. in the USA.

I find this article dodgy in many ways but it still is the nr1 result on search engines and I need to be sure for 100%.

Thank you very much for taking the time.

You do not need to host EU data in the EU so long as the organisation is a commercial organisation certified by the EU-US Data Privacy Framework (Press corner | European Commission). This is a link to the EU ‘Adequacy’ decisions which includes the USA, the EU has a list of countries who have ‘adequate’ privacy laws and the transfer of data is allowed. US companies are allowed so long as they are a signatory to this agreement.

Bubble is a signatory (Privacy Shield) - (Ignore the name privacy shield here, the privacy shield agreement is invalid but the info on the page is up to date, it appears they have not changed their domain name), and so my understanding is you do not need to host the data in the EU.

This is my personal understanding of the situation, I am not a privacy lawyer, but there is a lot of conflicting advice particularly given by online nocode platforms or communities. The law also changes periodically. Bubble also does still have an SCC which I believe was not invalidated by the Privacy Shield being revoked, and also grants the right to transfer data separately.

Note: This is all just my personal understanding of the situation as a bubble dev, I’d advise getting feedback from a lawyer or a gov department if it is something you want a concrete answer for.

This is Bubble's answer to my email:

Hi,

Thanks for reaching out to Bubble. Cadyn here from the Sales team.

Bubble has implemented measures designed to meet the standards of applicable data privacy laws, including the General Data Protection Regulation in the EU and the UK.

We have implemented Standard Contractual Clauses to our DPA as the legal mechanism for transferring data out of the EU (in this case, to the US, since Bubble is a US-based company). It’s our understanding from our legal counsel that since our DPA is published publicly here, it is in effect for all customers.

Our terms cover this in further detail, and we walk through frequently asked questions about GDPR in this Intro Guide. We also continue to update this forum thread with the latest in our compliance efforts and answer questions there.

It is our understanding from our legal counsel that Bubble apps can be GDPR compliant given the provisions we have in place; however, we cannot affirm that any singular app is GDPR compliant since every app is custom. We recommend checking with your legal counsel to see if your app is GDPR compliant.

Additionally, we offer Enterprise plans that allow us to host your application outside of the United States (i.e., the European Union). Is this something that you are interested in learning more about?

Best,

> It is our understanding from our legal counsel that Bubble apps can be GDPR compliant given the provisions we have in place

So this means once and for all (for now)

BUBBLE IS COMPLIANT :rocket:

Thanks to everybody that participated!