SOC 2 Type II

This section covers Bubble and SOC 2 compliance

Last updated 1 year ago


Legal disclaimer: This article is meant only to be educational content to help give you a start on these regulatory compliance matters and is strictly not intended to be legal advice. The information presented may not be applicable to your specific situation and may not reflect the most recent developments in this area.

Always consult a qualified legal professional for advice regarding specific regulatory compliance obligations relevant to your circumstances. Details about your specific idea, app or context could make a difference in how you approach these obligations.

Moreover, this article is meant to be an introductory-level guide and will not cover all the fine details of these topics.

Bubble has put in place a comprehensive and robust security program to protect all data, including personal data, on your app from a possible data breach or other problem. A description of our security program can be found at https://bubble.io/security. We also continually test our security to make sure it works as it's supposed to.

What is SOC 2?

SOC 2, short for Service Organization Control 2, is a set of standards that companies follow to manage and secure customer data. It's like a rulebook for handling information, especially when it comes to using a trusted Software as a Service (SaaS) provider like Bubble.

SOC 2 audits and trust principles

SOC 2 reports are issued by independent auditors who assess the effectiveness of an organization's controls according to the criteria established by the American Institute of Certified Public Accountants (AICPA).

SOC 2 audits come in two forms, Type I and Type II, each serving a different purpose:

  1. SOC 2 Type I: This is like a snapshot of a company's systems and controls at a specific moment in time. It looks at how a company describes its controls and whether they are designed properly. Think of it as checking if all the locks in a house are in place. Type I is more about the planning and structure of the service than how it performs over time.

  2. SOC 2 Type II: This audit is more thorough. It's like checking those locks over a period of time (3 months in Bubble’s case) to see if they actually work, day in and day out. A Type II report doesn't just look at the design of the controls, but also how they operate over a defined period. It digs into the nitty-gritty and makes sure everything is working as it should be.

These audits ultimately result in a report, which requires that Bubble adhere to at least one of SOC 2's Trust Principles:

  • security

  • availability

  • integrity

  • confidentiality

  • privacy

SOC 2 Type II report

Is Bubble SOC 2 compliant?

Yes. Specifically, Bubble is compliant with the SOC 2 Type II standard for security. Bubble has undergone a thorough external audit process by the independent auditor, Sensiba LLP, and demonstrated that we have effective controls in place to ensure the security of our platform over time.

Looking ahead, we may consider extending our compliance to cover other Trust Principles.

Does that mean my Bubble app is also SOC 2 compliant?

Bubble's SOC 2 Type II report for security means that our platform itself meets the specific standards needed to be compliant. But when it comes to an individual app created using Bubble, the compliance doesn't automatically transfer over.

Think of Bubble like a set of tools in a workshop. We make sure the tools meet certain standards, but how someone uses those tools to build something is up to them. If a user wants their app to be SOC 2 compliant, they'll need to ensure that the way they design and operate the app meets the necessary trust principles and complete a separate audit.

What do I need to do to obtain a SOC 2 report?

Note: the following is a general guide for users looking to make their app compliant with SOC 2 standards while using Bubble. This is not legal or professional compliance advice, and the specific requirements can vary widely depending on factors like your industry, region, or the particular needs of your end users. It's always a good idea to consult a legal or security professional who understands your unique situation to ensure that you're meeting all the necessary requirements.

With that said, here's a general overview that might help you get started on your path to compliance.

  1. Understand the requirements: First, figure out what compliance standards you need to meet. SOC 2 has specific trust principles, so understanding what they require will be your starting point. You may want to obtain a report in one or more of the trust principles.

  2. Assess your app: Look at your app and identify where you might be handling sensitive information or where particular security measures need to be in place. Think of this like spotting the weak links in a chain.

  3. Implement controls: Put measures in place to ensure that your app meets security standards. This might involve things like setting up privacy rules and server-side conditions to ensure data remains protected.

  4. Documentation: Keep records of what you're doing to meet security standards. This is essential if you need to prove compliance later.

  5. Regular monitoring and testing: Compliance isn't a one-time thing; you'll need to keep an eye on things and make sure your controls are working as they should be.

  6. Consider professional assistance: Depending on your needs and the complexity of your app, you might want to consider hiring a professional who specializes in compliance. They can help you navigate specific requirements and make sure you're on the right track.

  7. Consider Bubble security assistance platforms: Organizations like Flusk and ncScale can assist by checking for data leaks and safe authentication protocols, performing penetration tests, detecting inefficiencies, monitoring error logs, mapping dependencies, minimizing exposure, and more.

  8. Stay informed: Compliance standards can change, so it's essential to keep up to date with the latest requirements.

SOC 2 terminology

  • SOC 2: System and Organization Controls 2, a framework for auditing and reporting on controls at a service organization with a focus on security, availability, and other areas.

  • Type I: A SOC 2 Type I report evaluates the design of a service organization's controls at a specific point in time.

  • Type II: A SOC 2 Type II report assesses the design and operational effectiveness of controls over a designated review period.

  • AICPA: American Institute of Certified Public Accountants, the governing body that provides the SOC 2 framework.

  • Trust Principles: The five trust principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy. They form the basis of the SOC 2 report.

  • Attestation Report: The final document provided by the auditors that outlines the effectiveness of the controls in meeting the trust principles.

  • Auditor: A qualified third-party entity that conducts the SOC 2 assessment.

  • Monitoring & Review: An ongoing process in which a service organization continually reviews and updates its controls to maintain SOC 2 compliance.

If you have questions about SOC 2 or want to learn more about Bubble's Enterprise security, please contact Sales.