How secure is Bubble?
Bubble complies with the SOC 2 Type II standard for security and offers a GDPR-compliant data processing agreement (DPA).
Does the SOC 2 Type II report apply to all Bubble plans?
Yes — the SOC 2 Type II report applies to the entire platform. All apps on Bubble's main cluster and dedicated instances benefit from this compliance, regardless of plan type.
What cloud hosting provider does Bubble use?
Bubble hosts its infrastructure on Amazon Web Services (AWS), which is SOC 2, CSA CAIQ, and ISO/IEC 27001 compliant.
Can I choose where the AWS server for my app is hosted?
If you're on an Enterprise Dedicated plan, you can specify the region where your server and data are located from Bubble's growing list of AWS data center regions (found here). For all other app plans, Bubble's servers and data are hosted on AWS West Region. More information about how apps on the main cluster are hosted can be found in this article.
How does Bubble encrypt user data?
Your data is safeguarded in transit with TLS and at rest with AES-256 encryption through RDS.
Does Bubble conduct third-party security audits and penetration testing?
Yes. Bubble conducts automated code testing, vulnerability testing against the OWASP Top 10, and continuous monitoring. We also conduct penetration tests at least annually, following the OWASP Web Security Testing Guide (WSTG).
Does Bubble provide data backup and recovery?
Yes. Bubble uses point-in-time backups to enable recovery for Bubble apps and their underlying databases.
Do you support multi-factor authentication and SSO?
All Bubble users can enable two-factor authentication (2FA) on their account. The Enterprise plan allows admins to streamline user management with SSO account provisioning.
How securely does Bubble integrate with external systems?
Bubble can connect with any system through the API Connector, which supports a variety of secure authentication methods including OAuth, Bearer Auth, Basic Auth, and more.
Who owns my data?
You own your data — including your app's design and the data your users upload (subject to your own agreement with them).
Can Bubble employees access my app data?
You control this. In your app's General Settings under Privacy & Security, you can toggle whether Bubble employees can access the Data – App data tab. Only the app owner can change this setting.
Even with access disabled, Bubble employees can still view and edit the app itself, and can see data exposed in app preview, the deployed live app, or logs.
How does Bubble protect against DDoS attacks?
Bubble apps follow the principle of least privilege in their default API configurations to minimize the DDoS attack surface. We also use Cloudflare and an in-house monitoring system to detect and block attacks — so all apps on Bubble get industry-standard DDoS protection, with our team available to help if issues arise.
How do I protect my users' data in my app?
The most effective step is configuring Privacy Rules. These rules are enforced server-side and let you control who can access which data types and fields — for example, restricting sensitive fields to specific user roles. You can also use the security dashboard to audit your app for vulnerabilities.
What should I do if I discover a security breach?
If you think you've found a vulnerability in Bubble itself, report it to our team so we can address it.
If the breach is in your own app — for example, due to misconfigured privacy rules — consult the applicable privacy laws in your and your users' regions to understand your obligations. In general, if a breach poses a risk to an individual's rights, you may need to notify affected users promptly. We can't provide legal advice, but acting quickly is important.
How long are Bubble's session cookie storage windows?
Non-logged-in users: 3 days
Logged-in users who opt to stay logged in: up to 1 year (memory pressure can log users out earlier)
Logged-in users who do not opt to stay logged in: 1 day
What are Bubble's security standards?
Bubble adheres to industry-leading standards — including encryption protocols, regular security audits, and compliance with GDPR and other global data protection regulations. You can review Bubble's full security posture at bubble.io/security.
