Update on Bubble's GDPR compliance work

Hi all,

A few Bubble users have reached out to us with questions about GDPR, which is the upcoming privacy and data protection legislation that is coming into effect in the European Union in May. We’ve been doing extensive work related to this, and want to give a brief, interim update on what Bubble is doing to be compliant and help our users be compliant with the new regulations.

GDPR overview

GDPR, or the General Data Protection Regulation, is a data protection regime adopted by the European Commission intended to strengthen data protection and security for personal data in the EU. It will go into effect on May 25, 2018.

Bubble’s approach

To start, we take privacy extremely seriously, and achieving compliance with GDPR is a priority for Bubble. GDPR is a complicated framework that marks a big change in how a lot of online companies process and store data. Over the past few months, Bubble has been working closely with our attorneys to ensure we comply with GDPR. Although GDPR only governs how data about people residing in EU member states is used and processed, we are taking this as an opportunity to review our data privacy regime for the entire Bubble platform.

The first step we are taking is participating in EU-US Privacy Shield Framework, which was designed by the US Department of Commerce and the European Commission to provide companies with a data protection compliance mechanism when transferring data to the US from the EU. The Privacy Shield sets a standard for data protection for all of our users and is enforceable and subject to investigation by US authorities.

Bubble’s certification as a Shield participant has two benefits:

  1. Shield aims to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the US. It’s a mechanism used by such companies as AWS and Google to transfer EU data to the US.

  2. Shield certification requires thorough review of our data processes, which we are using as an opportunity to confirm that they are GDPR compliant.

We’ve finished an internal audit of Shield compliance and found that our current data management processes are largely in line with the framework’s requirements. However, one key component of official Shield certification is ensuring that all third party vendors we use to help us process data are also compliant. We are currently in the process of working through this with our vendors. Because this is an ongoing conversation, we will update the community when we have a concrete deadline for Shield certification.

Moving forward

In addition to certifying as a Shield participant, we plan to take further measures for GDPR compliance. These may include providing a Data Processing Agreement for our customers to make use of, as well as additions to our Privacy Policy. We’ll continue to provide updates as our conversations with our vendors progress, and as we take additional measures to make GDPR compliance on the Bubble platform as simple as possible.

35 Likes

This sounds great. If you can also provide a standard DPA for your clients, I think you are complete. That would mean you can confidently brand yourself as GDPR compliant.

6 Likes

Cool, is HIPAA ever going to be on the roadmap?

5 Likes

Thanks a lot for this update

1 Like

@Blake Yeah, we’d love to be HIPAA compliant, or have a HIPAA compliant offering. It’s not something we have short-term plans for, though (from our initial investigations, it looks like it would go substantially beyond what we need to do for GDPR), so it’s unlikely to happen this year.

1 Like

Hi @josh
Thanks so much for this update. I’m really delighted you are taking this so seriously. It gives me great faith in my decision to use Bubble!

I have been reading about GDPR for the first time today, and there seem to be two main areas that stood out to me as to where we European app developers need Bubble’s help to make sure we are compliant “processors” of our clients’ data. These are:

  1. Breach disclosure
    Our app clients will be required by law to disclose a breach of their client’s data within 72 hours. If the breach happens at Bubble HQ, then we all have about a day each - for you to tell us app developers, us to tell our app clients, and them to make the declaration. Will you have a commitment to us in place by 25th May to ensure we can meet our own client’s need to make this 72 hour declaration?

  2. Data Encryption
    From what I have read, while data encryption is not a requirement of GDPR, it is a highly recommended feature. Is Bubble data stored on your servers in an encrypted way at the moment, or if not, will there be an option in Bubble for us to choose encrypted storage where we feel it is necessary?

Thanks for all your focus on this,
Best wishes,
Antony.

2 Likes

Hey Antony,

As far as breach disclosure, we do intend to report data breaches in a timely manner and will likely publish information about our policy here as part of our ongoing compliance efforts. Our initial understanding, which we are still confirming with our legal counsel, is that your app clients, as data controllers, have 72 hours to report breaches once they are aware of them, which depends on when they are notified by their data processors. As data processors, Bubble and your own company have an obligation to report breaches to our controllers “without undue delay”… we are still making sure our interpretation of that is correct, so don’t take this as legal advice please. But our preliminary understanding is that your client’s 72 hour obligation would begin once you informed them of any data breach.

For data encryption, we do encrypt data stored in Bubble at rest currently.

2 Likes

So happy to see this!

Hey Josh,

Thanks for your reply a few weeks ago and sorry for taking a few weeks to reply.

Yes, I agree with your comments on the breach disclosure - a closer read of the details in the GDPR has confirmed to me that the reporting in a “timely manner” is what the regulation requires. Thanks for the clarity on that.

About encryption, could you clarify the term “at rest” for me please? And also what may be behind the word “currently”? Encryption is really important in the GDPR, and if there is a data breach which causes us “lead processors” to be in the firing line, having data stored in encrypted form is going to act like an insurance policy for us and really reduce our risk of facing a big fine, because we can show we have taken a big step in protecting our customers’ data.

It is very important to me, and I am sure to many of your other Bubble users now that the GDPR is upon us, that you can commit to us contractually that our data will be stored in encrypted form, or at least give us an option for that within the Bubble environment so we can control the possibility ourselves.

Which leads me on to some more details I have learned about the GDPR that are going to affect the relationship between Bubble.is and all your customers… and for background reading, I have learned this information from two very informative and clearly written articles that you can read here:

One more from the point of view of our (Bubble user’s) customers, the data “controllers”:
https://www.hiscox.co.uk/business-blog/wp-content/uploads/2017/11/Hiscox-UK-GDPR-Guide.pdf

And one from the point of view of us Bubble Users as the “lead processors”, Bubble.is as “the second line processors” and AWS and anyone else that you use to process data as the “third line processors”:
https://www.frontierprivacy.com/blog/the-effect-of-gdpr-on-data-processors/

I am personally developing a Bubble-based app this year which I will sell to hundreds of small businesses over the following few years. Each business will store quite confidential information about their clients (“data subjects”), and I have to be totally confident that the levels of “processors” behind me are, in terms of procedures and especially in terms of contractual commitment, completely aligned with all the requirements of the GDPR.

The main reason for this absolute need is that the GDPR moves a lot of liability from the data “controller” and the 2nd/3rd line (sub) processors onto the lead processor. It is also possible for both the data controller and the data subject to litigate against us poor lead processors in the case of a data breach causing psychological or financial damage.

We, your Bubble customers, are really in the firing line now!

So as I understand it, as the “lead processors”, we have to give a contractual commitment to our “controller” customers that:

  1. All processing of their data, whether done by us or the sub processors, meets the requirements of the GDPR.

  2. We will process all personal data in accordance with their instructions.

  3. We will give prior written consent for the use of each sub processor that stores their data.

  4. That we will inform them of any change or addition of sub processor so they have the chance to object and change where their data is stored.

  5. That the responsibilities we have to our controller clients will be reflected in the agreements between all the sub processors further down the line.

  6. All processing and movement of their data will be specifically documented and available for inspection should a data breach occur.

Furthermore, the GDPR requires us to have specific commitments in our contracts with our data controller clients, which are specified for us under Article 28 (3). Here is a link to those details:

https://gdpr-info.eu/art-28-gdpr/

And we need the same clear contractual commitments from all our sub processors; so yourselves at Bubble HQ, and for you to be clear about what other organisations are storing the data and the specific contractual commitments you have from each of them.

So there are lots of details here Josh, and I’d like to distill it all down to a few simple questions about how things will be once you have completed your GDPR review.

  1. Is your understanding of the GDPR requirements the same as I have described here?

  2. Will you be able to make all the contractual commitments to your users that the GDPR requires?

  3. Will you be able to do that by 25th May?

  4. Will you be able to contractually commit to our data being stored in encrypted format?

I look forward to hearing from you!

Best wishes,

Antony.

9 Likes

Oh and Josh, I also wanted to say how much I appreciate your efforts to help us meet all these GDPR requirements and I look forward to us finding a solution that works for us all! :slight_smile:

4 Likes

Hey Antony,

“Encrypted at rest” refers to data being stored on the hard drive of computers in an encrypted state. It protects against a scenario where a bad actor is able to physically penetrate your data center, steal the hard drive from your servers, and attempt to access your data. Data that is encrypted at rest cannot be accessed by someone who is able to take physical possession of your hard drive.

In practice, physical hard drive theft is unlikely to occur. Bubble’s servers are hosted by Amazon Web Services, which maintains a high level of both physical and electronic security. They provide extensive documentation of their security practices on their web site; if you’d like to learn more, I would start by reading the material on https://aws.amazon.com/security/. Their white papers are freely available to the public and you can use them to help reassure your own customers that you are taking security seriously, since you benefit from the precautions that AWS takes on our behalf.

In terms of providing contractual commitments to our customers, our legal team is reviewing our next steps here, and we’re in the process of establishing contracts with our downstream processors. I can tell you that we certainly intend to at the very least maintain the current level of our security practices, and we may choose to implement additional safeguards as we continue to research these issues.

I can’t confirm right now what our timeline will be for offering Data Processing Agreements for our customers, but we will update this forum thread with any concrete information as it becomes available. What I can tell you is that we are actively working on putting together a standardized DPA for our customers, and that we intend to make sure our customers have what they need to be compliant.

9 Likes

Hi there Josh,

Many thanks for your reply and the time you have put into the details.

Having this thread has been a real encouragement for me to understand what the GDPR is all about, so I look forward to seeing the details of your new DPA when it is complete.

Best wishes,
Antony.

1 Like

Dear Josh,

I understand Bubble is built on AWS, so is there a way to use the DPA from AWS and, if I may say so, “go around” Bubble? To some extent to have a form of collateral warranty? Perhaps, given Bubble is big enough, maybe you could talk to AWS directly?

Also, in respect to where data is held, is there a chance to request a London-located server for an app?

Thanks for all above clarifications, very useful.

Hi,
I am also worried about the location of the servers Bubble apps are running on. In fact, if European Bubble users build apps on Bubble, they should be able to choose if the app is running on EU-based servers. Otherwise it would be too much of a risk for EU-based app creators to run apps on Bubble.

We’ve already signed a DPA with AWS, so they’ve contractually committed to us, and by extension, you, to process your data in a secure way that enables you to protect the privacy of your users. The next step is for Bubble to contractually commit to you that we’ll do the same. As of a couple of days ago we finished drafting a DPA, and we’ll make it available to you to sign as soon as we finish confirming that we can in fact live up to the obligations it commits us to. The main sticking point right now is that we have a couple of sub-processors who haven’t finished their own DPAs; we’re waiting on them to wrap up and investigating alternatives in case they don’t deliver as promised. We can’t make commitments until we’re sure that everyone who processes data on our behalf can make the same commitments. However, our most important sub-processors, including AWS, have finished, so I don’t anticipate any insurmountable obstacles here.

Given that we run Bubble out of the US, and rely on a number of US based companies in order to manage our infrastructure, we aren’t able to provide our services while keeping user data entirely in the EU. However, the good news is that GDPR makes explicit provisions for transferring data out of the EU legally, so it’s quite possible for European companies to use a US-based company to do their data processing.

We are working on getting Privacy Shield certified and developing a DPA for us and our customers to sign because we want to make sure that our users feel secure from a legal, technical, and privacy standpoint about using Bubble to host their apps.

11 Likes

Dear Josh,

Thank you very much.

Is there a chance you could disclose those other sub-processors?

I understand under GDPR one may be required to NAME people to whom data goes, so we may need to know these details and how data is processed by them?

Look forward to seeing Bubble DPA too :slight_smile:

Thank you

Alex

@funwtp raises a very good point.

If we are asked the question of who else has access to the data, given that Bubble has disclosed there are sub-processors, I couldn’t answer who else has access to the data other than AWS and Sendgrid.

1 Like

Hello from Bubble’s Director of Operations! Josh and I have been working closely together with our legal team on the topic of GDPR compliance and I wanted to provide an update on some questions raised here: Bubble’s DPA, Shield registration, and our sub-processors.

Shield. Bubble is still in the process of registering in Shield. As Josh mentioned in his initial post, we’ve found that we already engage in many of the practices required under Shield. The largest step we need to complete is getting signed DPAs from all of our sub-processors. We have been in contact with all of them, and many have DPAs ready. For the remainder, we believe they are acting in good faith and are taking the required steps to offer these by May 25th. However, we can’t officially register in Shield until this major provision is complete.

DPA. Bubble has developed a DPA for our users in conjunction with our legal team. However we cannot execute the DPA until we have signed DPAs from our sub-processors. As mentioned, we believe these sub-processors are all making good faith efforts to meet the May 25th deadline. We will notify users when the DPA is available.

Sub-processors. Our list of sub-processors will be released with our DPA.

Next steps. As mentioned above, we’ve been in contact with all of our sub-processors and have every reason to believe that they are making good-faith efforts to comply with GDPR within the set time frame, including providing us with a signed DPA. However, should we find that our sub-processors cannot make DPAs available to us within a time frame that allows us to be compliant on the May 25th deadline, we will kick off a contingency plan which includes replacing the sub-processors that do not have a DPA for us.

12 Likes

Hi @josh or anyone, apologies if this has already been answered, but I can’t find it. I have been asked by a pilot customer in which US AWS region the current main Bubble cluster is located.

Thanks!

2 Likes

Update: I believe it is AWS West Region 2 (Oregon, US)