Data processing addendum

Last revised: April 21, 2025
Effective date: December 8, 2022

THIS DATA PROCESSING ADDENDUM (“DPA”) supplements the agreement between the customer (“Customer”) and Bubble Group, Inc. (“Bubble”) regarding Bubble's processing of Customer Personal Data. This DPA addresses applicable Data Protection Laws, including but not limited to European data protection laws and US state privacy laws such as the California Consumer Privacy Act.

1. DEFINITIONS
Unless expressly stated otherwise, capitalized terms used in the DPA have the meanings given below or, if not defined, have the meanings given in the Agreement. References to “including” mean “including, without limitation”.

1.1 “Addendum Effective Date” means the effective date of the Agreement.

1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.4 “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

1.5 “Data Subject Request” means the request of a Data Subject to exercise rights under Data Protection Laws in respect of Customer Personal Data in Bubble’s possession, custody or control.

1.6 “EEA” means the European Economic Area.

1.7 “Customer Personal Data” means Personal Data Processed by Bubble or its Subprocessor(s) on behalf of Customer, or otherwise required to be Processed under and subject to Data Protection Laws, to perform the Services under the Agreement.

1.8 “Data Protection Laws” means the privacy, data and data security laws and regulations applicable to the Processing of Customer Personal Data under the Agreement. “Data Protection Laws” may include, but are not limited to, US State Privacy Laws; the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection (“FADP”); the United Kingdom General Data Protection Regulation (“UK GDPR”); and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).

1.9 “FDPIC” means Swiss Federal Data Protection and Information Commissioner.

1.10 “Personal Data” means information that relates to an identified or identifiable Data Subject.

1.11 “Personal Data Breach” means a breach of Bubble’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Bubble’s possession, custody or control.

1.12 “Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

1.13 “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

1.14 “Restricted Transfer” means any disclosure, grant of access, or other transfer of European Customer Personal Data to any person located in (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”), (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), and (iii) in the context of Switzerland, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss Government (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under the GDPR.

1.15 “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.

1.16 “Services” means those services performed for Customer by Bubble pursuant to the Agreement.

1.17 “Subprocessor” means any third party engaged directly or indirectly by or on behalf of Bubble to Process Customer Personal Data.

1.18 “Supervisory Authority” means (i) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office; and (iii) in the context of Switzerland and the FADP, the FDPIC.

1.19 “Transfer Mechanism(s)” means the SCCs, UK Transfer Addendum, and/or Swiss transfer mechanism, as applicable to the relevant Restricted Transfer.

1.20 “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO under s119A of the Data Protection Act 2018, in force from 21 March 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).

1.21 "US State Privacy Laws" means all state laws relating to the protection and Processing of Customer Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations ("CCPA"), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.


2. SCOPE OF THIS DATA PROCESSING ADDENDUM

2.1 The Parties acknowledge and agree that the details of Bubble’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 to the DPA.

2.2 The DPA applies to Bubble’s Processing of Customer Personal Data. For the avoidance of doubt, the DPA does not apply to Bubble’s Processing of Personal Data that does not constitute Customer Personal Data, and/or any other Processing of Personal Data with respect to Customer and Customer’s users conducted by Bubble as a Controller, including business relationship administration and system security.


3. PROCESSING OF CUSTOMER PERSONAL DATA

3.1 Bubble shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws. Customer instructs Bubble to Process Customer Personal Data to provide the Services and as authorized by the Agreement. The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Bubble only pursuant to an amendment to the DPA signed by both parties. Where Bubble receives an instruction from Customer that, in its reasonable opinion, infringes Data Protection Laws, Bubble shall notify Customer.

3.2 The Parties acknowledge that Bubble’s Processing of Customer Personal Data authorized by Customer’s instructions stated in the DPA is integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.


4. BUBBLE PERSONNEL

Bubble shall ensure that all Bubble employees or other personnel who Process Customer Personal Data are subject to contractual or appropriate statutory obligations of confidentiality with respect to such Customer Personal Data.


5. SECURITY

Bubble shall implement and maintain technical, organizational and physical measures designed to protect the confidentiality, integrity and availability of Customer Personal Data and prevent Personal Data Breaches. Such measures shall include the measures described in Annex 2 of the DPA (the “Security Measures”) and such other measures as are required by Data Protection Laws. Bubble may update the Security Measures from time to time, so long as the updated measures do not decrease in the aggregate the protection of Personal Data.


6. RESTRICTED TRANSFERS

6.1 General. Where Bubble is certified under a scheme (such as the EU–U.S. Data Privacy Framework, UK Extension and/or Swiss–U.S. Data Privacy Framework (as applicable)) that benefits from an adequacy decision of the EU Commission, UK Government and/or Swiss authorities (as applicable), Bubble will rely on such scheme and corresponding adequacy decision for transfers of Customer Personal Data. As soon as and as long as Bubble relies on such scheme and corresponding adequacy decision for transfers of Personal Data, the Transfer Mechanism(s) and corresponding obligations, such as the performance of a transfer impact assessment, shall not apply. In case Bubble withdraws from such scheme, the corresponding adequacy decision is invalidated, and/or such scheme does not otherwise apply to a transfer of Customer Personal Data, Customer and Bubble shall, only if and to the extent permitted and required under the GDPR and/or FADP (if and as applicable) to establish a valid basis under the GDPR and/or the FADP in respect of a Restricted Transfer, be deemed to have automatically (i) in case of an EU Restricted Transfer, entered into Module 2 and 3 (as applicable) of the SCCs by reference and shall comply with their respective obligations set out in the SCCs; and (ii) in case of a UK Restricted Transfer, entered into the SCCs varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum; and (iii) in case of a Swiss Restricted Transfer, entered into the SCCs varied to address the requirements under the FADP. Where requested by Bubble, Customer shall provide executed versions of the relevant set(s) of SCCs and undertakes to agree in good faith on additional supplementary measures.

6.2 Where the SCCs apply to a Restricted Transfer in accordance with Section 6.1, the following shall apply to the SCCs and the Clauses thereof: (i) the optional ‘Docking Clause’ in Clause 7 is not used, (ii) in Clause 9, “option 2: general written authorisation” applies and shall be populated with the respective and corresponding information from section 10.2 of this DPA, (iii) in Clause 11, the optional language is not used and is deleted, (iv) in Clause 13, all square brackets are removed and all text therein is retained and for the Annexes to the SCCs the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13, (v) in Clause 17, “option 1” applies, and for Clauses 17 and 18, the laws and courts of Ireland shall be selected, and (vi) the Annexes to the SCCs are populated with the respective and corresponding information detailed in Annex 1 (Data Processing Details) and Annex 2 (Security Measures) to this DPA and the Subprocessor Site.

6.3 The SCCs as completed and populated as above shall be varied with respect to: 

 (a) UK Restricted Transfers by the UK Transfer Addendum in the following manner: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Section 6.2, (ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked, and (iii) in Part 2 to the UK Transfer Addendum, the Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum; and

 (b) Swiss Restricted Transfers by the FADP in the following manner: (i) the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Restricted Transfers exclusively subject to the FADP, (ii) the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the SCCs shall be interpreted to include the FADP with respect to Swiss Restricted Transfers, (iii) references to Regulation (EU) 2018/1725 are removed, (iv) references to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs, (v) where Swiss Restricted Transfers are exclusively subject to the FADP, all references to the GDPR in the SCCs are to be understood to be references to the FADP, (vi) where Swiss Restricted Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the SCCs are to be understood to be references to the FADP insofar as the Swiss Restricted Transfers are subject to the FADP, and (vii) the SCCs as amended by this DPA also protect the Personal Data of legal entities until the entry into force of the revised FADP.


7. US STATE PRIVACY LAWS

7.1 To the extent applicable, Bubble acknowledges that when Processing Customer Personal Data protected under the CCPA and similar US State Privacy Laws, Bubble acts as a "Service Provider" or "Processor" (as defined in the applicable laws).

7.2 When acting as a Service Provider under applicable US State Privacy Laws, Bubble will: (a) Process Customer Personal Data solely to perform its obligations under this Agreement and for no other commercial purpose except as permitted by applicable law; (b) not "sell" or "share" Customer Personal Data as those terms are defined under applicable US State Privacy Laws; and (c) comply with its obligations under applicable US State Privacy Laws.

8. DATA SUBJECT REQUESTS

8.1 Bubble, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance by appropriate technical and organizational measures as Customer may reasonably request to assist Customer in fulfilling its obligations under Data Protection Laws to respond to Data Subject Requests.

8.2 Bubble shall promptly notify Customer if it receives a Data Subject Request and not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Data Protection Laws.


9. PERSONAL DATA BREACHES

9.1 Bubble shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. Bubble’s notification of or response to a Personal Data Breach will not be construed as Bubble’s acknowledgement of any fault or liability with respect to the Personal Data Breach.

9.2 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under Data Protection Laws in a manner that directly or indirectly refers to or identifies Bubble, where permitted by applicable laws, Customer agrees to notify Bubble in advance and in good faith consult with Bubble and consider any clarifications or corrections Bubble may reasonably recommend or request to any such notification.


10. SUBPROCESSING

10.1 Customer generally authorizes Bubble to appoint Subprocessors in accordance with this Section 10. Without limitation to the foregoing, Customer authorizes the engagement of the Subprocessors listed as of the effective date of the Agreement at the URL specified in Section 10.2.

10.2 Information about Subprocessors, including their functions and locations, is available at: https://bubble.io/subprocessors (as may be updated by Bubble from time to time) or such other website address as Bubble may provide to Customer from time to time (the “Subprocessor Site”).

10.3 When engaging any Subprocessor, Bubble will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in the DPA with respect to Customer Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Bubble shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.

10.4 When Bubble engages any Subprocessor after the effective date of the Agreement, Bubble will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means at least thirty (30) days before such Subprocessor Processes Customer Personal Data. If Customer objects to such engagement in a written notice to Bubble within ten (10) days after being notified of the engagement on reasonable grounds relating to the protection of Customer Personal Data, Customer and Bubble will work together in good faith to consider a mutually acceptable resolution to such objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Bubble and pay Bubble for all amounts due and owing under the Agreement as of the date of such termination.


11. COMPLIANCE ASSISTANCE; AUDITS

11.1 Bubble, taking into account the nature of the Processing and the information available to Bubble, shall provide such information and assistance as Customer may reasonably request (insofar as such information is available to Bubble and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Customer Personal Data Processed by Bubble) to help Customer meet its obligations under Data Protection Laws, including in relation to the security of Customer Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Customer’s compliance with such obligations, and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Bubble’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.

11.2 Bubble shall make available to Customer such information as Customer may reasonably request for Bubble to demonstrate compliance with Data Protection Laws and the DPA in relation to Bubble’s Processing of Customer Personal Data. Without limitation of the foregoing, Customer may conduct (in accordance with Section 11.3), at its sole cost and expense, and Bubble will reasonably cooperate with, reasonable audits (including inspections, manual reviews, and automated scans and other technical and operational testing that Customer is entitled to perform under Data Protection Laws), in each case, whereby Customer or a qualified and independent auditor appointed by Customer using an appropriate and accepted audit control standard or framework may audit Bubble’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Customer and Bubble upon Customer’s request.

11.3 Customer shall give Bubble reasonable advance notice of any such audits. Bubble need not cooperate with any audit (a) performed by any individual or entity who has not entered into a non-disclosure agreement with Bubble on terms acceptable to Bubble in respect of information obtained in relation to the audit; (c) outside normal business hours; or (d) on more than one (1) occasion in any calendar year during the term of the Agreement, except for any additional audits that Customer is required to perform under Data Protection Laws. The audit must be conducted in accordance with Bubble’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by Bubble and must not unreasonably interfere with Bubble’s business activities. Customer shall not conduct any scans or technical or operational testing of Bubble’s applications, websites, Services, networks or systems without Bubble’s prior approval.

11.4 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Customer’s audit request (“Audit Report”) and Bubble has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit under Section 11.3. Bubble shall provide copies of any such Audit Reports to Customer upon request.

11.5 Such Audit Reports and any other information obtained by Customer in connection with an audit under this Section 11 shall constitute confidential information of Bubble, which Customer shall use only for the purposes of confirming compliance with the requirements of the DPA or meeting Customer’s obligations under Data Protection Laws. Nothing in this Section 11 shall be construed to obligate Bubble to breach any duty of confidentiality.


12. RETURN AND DELETION

12.1 Upon expiration or earlier termination of the Agreement, Bubble shall return and/or delete all Customer Personal Data in Bubble’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement or, subject to Section 13.5, Customer’s further instructions.

12.2 Notwithstanding the foregoing, Bubble may retain Customer Personal Data where required by applicable laws, provided that Bubble shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.


13. CUSTOMER RESPONSIBILITIES

13.1 Customer agrees that, without limiting Bubble’s obligations under Section 5, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Bubble uses to provide the Services; and (d) backing up Customer Data.

13.2 Customer shall ensure that there is, throughout the term of the Agreement, a valid legal basis for Bubble’s Processing of Customer Personal Data in accordance with the Agreement for the purposes of Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR where applicable). Customer shall ensure (and is solely responsible for ensuring) that all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under European Data Protection laws, for Bubble to Process Customer Personal Data as contemplated by the Agreement.

13.3 Customer agrees that the Service, the Security Measures, and Bubble’s commitments under the DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.

13.4 Customer shall ensure that Customer Personal Data made available to Bubble for Processing does not contain any (a) Social Security numbers or other government-issued identification numbers; (b) biometric information; (c) passwords to any online accounts; (d) credentials to any financial accounts; (e) tax return data; (f) any payment card information subject to the Payment Card Industry Data Security Standard; (g) Personal Data of children under 16 years of age; (h) data relating to criminal convictions and offences or related security measures; or (i) information that constitutes special categories of personal data (as defined in the GDPR) or information of a similarly sensitive character regulated by Data Protection Laws, such as "sensitive personal information" as defined under the CCPA.

13.5 Except to the extent prohibited by applicable law, Customer shall compensate Bubble at Bubble’s then-current professional services rates for, and reimburse any costs reasonably incurred by Bubble in the course of providing, cooperation, information or assistance requested by Customer pursuant to Sections 6, 11 and 12.1 of the DPA beyond Bubble’s provision of any self-service tools as part of the Services that Customer can use to obtain the requested cooperation, information or assistance.


14. PRECEDENCE

In the event of any conflict or inconsistency between (a) the DPA and the Agreement, the DPA shall prevail; (b) the DPA and any other agreement made between the parties as relates to Personal Data, the DPA shall prevail.


Annex 1 - Data Processing Details

CUSTOMER / ‘DATA EXPORTER’ DETAILS

Name:
Customer Activities: The use and receipt of Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations
Role:
 (a) Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right, in which case Module Two of the SCCs would apply; and
 (b) Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its Affiliates if and where applicable), in which case Module Three of the SCCs would apply.


BUBBLE / ‘DATA IMPORTER’ DETAILS

Name: Bubble Group, Inc.
Contact details for data protection: [email protected]
Customer Activities: Visual programming tool and cloud platform
Role: Processor


DETAILS OF PROCESSING

Categories of Data Subjects: Any individuals whose Personal Data is comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Services – but may include Customer’s and its Affiliates’:

1. “Staff”, namely:
 (a) employees and non-employee workers;
 (b) students, interns, apprentices and volunteers;
 (c) directors and officers;
 (d) advisers, consultants, independent contractors, agents and autonomous, temporary or casual workers.

2. Customers, clients, (sub-)licensees, users and end-users, website visitors and marketing prospects.

3. Suppliers, service providers, consultants, advisers and other providers of goods or services.

4. Distributors, resellers, sales agents, introducers, sales representatives, collaborators, joint-venturers and other commercial partners.

5. Shareholders, partners, members and supporters.

6. Advisers, consultants and other professionals and experts.

Where any of the above is a business or organisation, it includes their Staff.

Each category includes current, past and prospective Data Subjects.

Categories of Personal Data: Any Personal Data comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Services – but may include:

1. Personal details, including any information that identifies the Data Subject and their personal characteristics, including: name, address, contact details (including email address, telephone details and other contact information), age, date of birth, sex, and physical description.

2. Technological details, such as internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

Categories of sensitive data: None – as noted in Section 13.4 of the DPA, Customer agrees that restricted data, which includes ‘sensitive data’, must not be submitted to the Services.

Additional safeguards for sensitive data: N/A

Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.

Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.

Purpose of the Processing: Customer Personal Data will be Processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.

Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA.

Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor Site (as may be updated from time to time in accordance with Section 10.4 of the DPA).


Annex 2 – Security Measures

Bubble agrees to implement and maintain the following Security Measures:

1. In the software development lifecycle, a code review process for all production code changes, prior to release; code analysis tools to detect security and vulnerability defects; automated and manual vulnerability testing including OWASP top ten testing; continuous monitoring; and automatic network vulnerability detection software to catch vulnerabilities in real time.

2. No direct access to virtual machines for tenants, nor the ability for Bubble to host client virtual machine images.

3. Encryption of all data sent across public networks except as specifically requested by our users, and use of SSH for replication over public networks.

4. Reliance on Amazon Web Services for physical security and physical handling of servers, to which Bubble employees do not have physical access.

5. An annual internal audit that includes identifying and prioritizing security, privacy, legal, and business continuity risks, as well as a review of our business processes and governance, conducted by company executives representing legal, IT security, IT operations and business continuity planning concerns.

6. Security incident response process defining procedures for notifying customers if an incident may have impacted their data.

7. Documented procedures for authenticating customer access.

8. Logical segmentation to ensure customers can only access their own data; there are no scenarios where customers are given general systems access beyond specifically granted access to their data. In addition, for customers on dedicated Bubble clusters, physical segmentation from other customer data as well.

9. Classifying all data provided by our customers and their users as secure by default; users are given tools for implementing their own classification standards and enforcing appropriate levels of access controls via our Privacy Rules functionality.

10. Procedures governing use of production data, enforced by controls including auditing and technical safeguards; use of production data on a strictly as-needed basis for diagnosing issues as requested by clients; and policies governing the circumstances in which production data can be used in this manner.

11. Company policies in place around handling of employee laptops, including HR termination processes involving revoking all access and collecting all assets within 24 hours.

12. Training for all Bubble employees around their job duties and the security obligations inherent in those roles; and mandatory two-factor authentication for all Bubble employees.

13. Procedures to identify, assess and mitigate any reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of systems or files containing Customer Personal Data and evaluate and improve safeguards as necessary.