Since topics like this are all closed but with no answer - here we go again: Can someone give some insight into whether new startups from e.g. Germany should start a project or not? It is crucial that the project is compliant.
@hi_bubble This doc is up to date and gives you all the info you should need. Yes, Bubble apps can be GDPR compliant, but you need to ensure the way you build your app complies with the regulations, such as those set out in this doc.
This topic and a lot of the forum posts have seen some confusion over the years because GDPR as a law has changed so many times, particularly in terms of transferring user data outside the EU.
The problem from a privacy perspective with Bubble is the custom PostgreSQL database created for each project. This database, like Bubble itself, is hosted on the Amazon Web Services infrastructure. According to various forum posts, it is the aws-us-west-2 region, i.e. in the USA.
I find this article dodgy in many ways, but it is still the no. 1 result on search engines and I need to be 100% sure.
You do not need to host EU data in the EU so long as the organisation is a commercial organisation certified by the EU-US Data Privacy Framework (Press corner | European Commission). This is a link to the EU ‘Adequacy’ decisions, which include the USA; the EU has a list of countries that have ‘adequate’ privacy laws, to which the transfer of data is allowed. US companies are allowed so long as they are a signatory to this agreement.
Bubble is a signatory (Privacy Shield) - (ignore the name Privacy Shield here; the Privacy Shield agreement is invalid, but the info on the page is up to date; it appears they have not changed their domain name), and so my understanding is that you do not need to host the data in the EU.
This is my personal understanding of the situation; I am not a privacy lawyer, but there is a lot of conflicting advice, particularly from online no-code platforms or communities. The law also changes periodically. Bubble also still has an SCC, which I believe was not invalidated by the Privacy Shield being revoked, and which separately grants the right to transfer data.
Note: This is all just my personal understanding of the situation as a Bubble dev; I’d advise getting feedback from a lawyer or a government department if it is something you want a concrete answer for.
Thanks for reaching out to Bubble. Cadyn here from the Sales team.
Bubble has implemented measures designed to meet the standards of applicable data privacy laws, including the General Data Protection Regulation in the EU and the UK.
We have implemented Standard Contractual Clauses in our DPA as the legal mechanism for transferring data out of the EU (in this case, to the US, since Bubble is a US-based company). It’s our understanding from our legal counsel that since our DPA is published publicly here, it is in effect for all customers.
Our terms cover this in further detail, and we walk through frequently asked questions about GDPR in this Intro Guide. We also continue to update this forum thread with the latest in our compliance efforts and answer questions there.
It is our understanding from our legal counsel that Bubble apps can be GDPR compliant given the provisions we have in place; however, we cannot affirm that any singular app is GDPR compliant since every app is custom. We recommend checking with your legal counsel to see if your app is GDPR compliant.
Additionally, we offer Enterprise plans that allow us to host your application outside of the United States (i.e., the European Union). Is this something that you are interested in learning more about?
> It is our understanding from our legal counsel that Bubble apps can be GDPR compliant given the provisions we have in place