Our team takes security extremely seriously, as we do understand that many of our clients deal with sensitive information. The most important thing that you can do to keep your data secure is to define Privacy Rules within your applications; these rules are checked server-side whenever data is accessed in your application.
For instance, apply privacy rules to specific data types by unchecking the "View all fields" option under general privacy rules for sensitive data. Additionally, define role-specific rules such as allowing "Partner" users access to designated fields for collaboration.
Bubble’s main cluster applications are hosted on AWS West Region (Oregon, US; this can be customized if you're on a Dedicated Plan) which maintains a state-of-the-art security infrastructure. We encrypt all traffic to bubble.io over https, and encourage and support our clients to use encryption on their own domains. All user passwords are stored salted and encrypted in our database; other user data is encrypted at rest (we're on AWS RDS). Our servers use up-to-date, patched versions of Linux and are constantly updated. SSL connection and Cloudflare integration are standard on all custom domains.
Additional measures, such as implementing firewalls, employing one-way hashing for passwords, and using Bubble’s Security Dashboard to audit vulnerabilities, can further strengthen security.