Update on Bubble's GDPR compliance work


@josh @elisa I have been working on updating our pp but a the same time I have also been waiting on updates from Bubble’s side as you have done so very regularly (and for which I’m very thankful)

Can we expect something soon in regards to this concerning the Bubble supply chain that we as data processors need to lay out to our users?

I’m getting so many ‘we have updates our privacy policy’ emails lately! :joy:

1 Like

@StevenM Yes, that’s right re: Oregon today, although we may host main cluster apps anywhere in the US in the future (if we expand to international hosting – I know there are a number of users who’d prefer that but can’t afford dedicated right now – we’d make that an opt-in choice).

@vincent56 The update is we have signed contracts with all but two sub-processors. Of the remaining two, one offered us a contract that we do think adequately protects our user’s data but that we have some other issues with, so we’re negotiating, and the other one is very non-critical so we may just stop doing business with them if it looks like getting an agreement in place will push back the timeline significantly. We have a DPA drafted and a GDPR-compliant privacy policy almost finalized. So I’m still feeling confident that we will be able to offer our customers Privacy Shield compliance and DPAs in the near future.


Thank you, Josh.

Although it doesn’t affect my app that much, others may be affected - GDPR comes into effect on 25th May, so one may need DPA from Bubble before then.

Would you say this is achievable?



Please, tell me - if I am using Bubble in order to create Web Application which allows users to sign up (so it stores some data) - do I need to worry about GDPR? Or bubble handles it and that’s it :slight_smile: ?

Thanks in advance for the answer!

If you are targeting EU citizens and you store their email(bubble does on sign-up) you need to worry about GDPR.
That is why this thread is so important and has such visibility :slight_smile:


Hi there @wozniak.mateusz.1993!

It is a good question and of course, quite a complex one when it comes down to the details. If you take a look at the post I put up on this thread on 5th April you will get some more background.

I hope it is helpful!

Best wishes,

Hi @josh,

We are 10 days away from implementation day. How are things going on this front?



Thank you for following up on this, and thanks to all in the community for your engagement and patience as we prepare for this sea change legislation.

Here’s what you need to know about Bubble’s GDPR preparation:

Shield. As of this week, Bubble has received all vendor DPAs. They are all now signed, which allows Bubble to self-certify to Privacy Shield. This process will take a few days of review from 1) our independent dispute resolution provider, TrustArc (formerly called TRUSTe, which, as mentioned in previous posts, is also being used by AWS and other major companies) and 2) subsequent review by the Department of Commerce. We are in the process of this final certification, which we anticipate to happen shortly. We will confirm when it has been officially processed.

Privacy Policy. Together with our legal team, Bubble has prepared an updated Privacy Policy (as well as updated Terms of Service, which incorporate Bubble’s DPA - see below) in accordance with GDPR. The Privacy Policy will include our Cookie policy. We plan to have both Terms & Policy available on Monday 5/21.

Note that our Privacy Policy will be updated to reflect our participation in Privacy Shield as soon as our certification has been processed by the Department of Commerce.

Bubble’s DPA. Also with our legal team, Bubble has prepared a Data Processing Addendum that governs how we process data sent to us by apps built on Bubble. This is incorporated into our Terms of Service. We also plan to share it on Monday 5/21.

Note that the DPA will also be updated to reflect our participation in Privacy Shield as soon as our certification has been processed by the Department of Commerce.

Security. Bubble has been building out and documenting our security processes and will publish a white paper on this in the coming months.

Please let us know if any questions in the meantime!


This is great news.


1 Like

Hello @josh,
have you released the full list of data sub-processors yet?

I believe it’s my duty under GDPR to be able to tell my customers all the services involved in the processing and storage of their data.

Just found the list here:
https://bubble.io/subprocessors :slightly_smiling_face:


Thank you very much for your update! Will you provide a dpa for download and to sign based on GDPR, as other services also do? Or is there no need for that as you provided it as part of your terms & conditions? Kind Regards

Hello! The DPA is incorporated into our terms and governs the way that we process personal data, so it’s included in our commitments to you when you accept the terms. We’ve seen a few other services using the same model. Please let me know if any additional questions on this.


Any news on the Privacy Shield compliance? I can’t see Bubble on the site.

Thanks for following up on this! Our application is still being processed – the Department of Commerce alerted us that they are experiencing an “unusually high volume of applications,” no doubt due to the GDPR deadline.

We will provide an update as soon as it’s available. Please note that, in the interim, Bubble agrees to conduct its activities in accordance with the requirements of the Privacy Shield Principles as laid out in section 4 of our Privacy Policy.

Please let us know if any additional questions!


Great news! Bubble has officially self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

Please look out for an email from our team announcing the changes to our Privacy Policy, posted here. To learn more about the Privacy Shield Framework, and to view Bubble’s certification, please visit https://www.privacyshield.gov. Please note that it may take a few days for Bubble’s name to appear on the Privacy Shield site.


In the process of researching pros and cons about the Bubble platform alongside documentation and just want to chime in and let you guys at Bubble know that as a potential prospect I see enormous potential in what your doing and appreciate your vision and devotion… it does seem to be potentially self-empowering stuff you got going on!

Thus I sort of feel with you in regards to the potential stress of these rules and regulations - although I think GDPR should be regarded more as a needed move towards transparency rather than a hinderance. Following updates on this as your DPA / GDPR efforts in general - seems your not on the Privacy Shield list yet but guess there is an external validation process involved as well…(?)

Tremendous task to reexamine the platform, policies, procedures, sub-processors and break all this down to valid and deadsimple answers. However, think thats key if you want to leave current and potential users 100% assured that their a**** wont get burned trusting Bubble as a key data processor :slight_smile:

Personally, another significant bump on the road before jumping ship with Bubble is there seems to be timeframe for an option of choosing EU located AWS server(s) on lower level plans. Think it’s been up before in the forums and you sort of could not commit to a deadline due to other priorities…

This is a shame as it puts a practical limit to the vision. Sure shield is a foundation for GDPR compliance but the notion of not being able to regulate where data is stored is a dealbreaker for many operating in the EU. Don’t think anybody in their right mind would go dedicated right off the bat… improved load times of having the app hosted in relative near proximity to target users wouldn’t hurt either :slight_smile:


Its May 2019. Where is Bubble on GDPR compliance now?
If I use bubble.is to build a website or application in the EU, then I want all the data to reside in that EU jurisdiction, plain an simple. This will be any logins, and any user data stored need to be ideally on the EU AWS region.

is this so ? as it’s the law now, and my website or application would be useless othwerwise.

@pat.scanlan Data will be stored in AWS Oregon (USA) unless you have a Dedicated box located in EU. That said, as @elisa noted above, Bubble has officially self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

1 Like

Dedicated Box ??
surely the EU region is large enough customer base for Bubble.is to warrant provision of an EU region … say in Dublin for instance …
I don’t understand the US/EU statement at all. could you write plain English please…