// Trust & Security Report

    Bubble Group, Inc. logo

    Bubble Group, Inc.

    No-code and AI-powered app builder platform for web and mobile applications; sub-products include AI agent for app generation, native mobile builder, and Bubble for Enterprise with dedicated infrastructure

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Bubble is compliant with the SOC 2 Type II standard for security...demonstrated that we have effective controls in place to ensure the security of our platform over time. Auditor: Sensiba LLP. Scope: security trust principle only (3-month initial audit period). Full report available on request via Sales.

    Verify on manual.bubble.io
    GDPR (posture)
    HELD

    Bubble has incorporated the Standard Contractual Clauses into its DPAs and maintains agreements with both customers and processors. DPA available at bubble.io/dpa. Bubble serves as a data processor for your company when you deploy your app. EU-based dedicated servers available on Enterprise plan.

    Verify on manual.bubble.io
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No evidence on trust.bubble.io or bubble.io/security that Bubble Group Inc (bubble.io) holds ISO 27001. NOTE: A different company, Bubble Ltd (bubblegroup.com, a UK project-portfolio-management software vendor), holds ISO 27001:2022. The two companies are unrelated; conflation is a documented search-results risk. Bubble.io's own Trust Center lists SOC 2 and GDPR only.

    source: trust.bubble.io
    HIPAA
    NOT CONFIRMED

    the entire Bubble platform and its internal company processes currently do not meet these standards. We currently do not recommend using Bubble for apps that require HIPAA compliance. (Vendor docs make no mention of Bubble offering a BAA; no public evidence one is available.)

    source: manual.bubble.io
    PCI DSS
    NOT CONFIRMED

    PCI DSS is referenced in Bubble's compliance documentation as an industry standard developers should be aware of, but there is no public evidence that Bubble Group Inc itself holds PCI DSS certification. No mention on trust.bubble.io.

    source: manual.bubble.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization. Not mentioned on trust center, security page, or compliance docs.

    source: trust.bubble.io
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence. Not mentioned on trust center, security page, or compliance documentation.

    source: trust.bubble.io
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not mentioned on trust center or security documentation.

    source: trust.bubble.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US (AWS) by default; EU-based dedicated servers available on Enterprise plan only

    Bubble has NOT officially disclosed whether customer app data or end-user data is used to train the Bubble AI model. Multiple community threads (2024-2025) have raised this directly with no Bubble team response. Terms of Service Section 5(d) grants Bubble a license to use 'Direct User Content...solely for the purpose of operating the Platform and providing related services' - community members have questioned whether AI training qualifies but received no clarification. This is an unresolved transparency gap and potential GDPR Article 17 complication. trains_on_customer_data is null (unknown / no public disclosure).

    // Security controls

    Encryption in transit

    TLS (all data in transit)

    trust.bubble.io

    Encryption at rest

    AES-256 via AWS RDS; encryption key access restricted

    trust.bubble.io

    Penetration testing

    Annual minimum with third-party providers; results available via Trust Center on request

    trust.bubble.io

    Intrusion detection

    IDS utilized; logged and monitored

    trust.bubble.io

    DDoS protection

    Cloudflare integration plus in-house monitoring; Enterprise plan allows custom Cloudflare configurations

    manual.bubble.io

    Incident response

    Incident response plan established, tested, and followed per trust center controls listing

    trust.bubble.io

    SSO

    Available - integrates preferred identity providers on Enterprise plan

    manual.bubble.io

    Static IP / allowlisting

    Available for organizations needing strict allowlist-based security

    manual.bubble.io

    Log retention

    Log management utilized; retention varies by plan

    trust.bubble.io

    Data retention procedures

    Data retention procedures established per trust center controls listing

    trust.bubble.io

    Vulnerability disclosure

    Vulnerability Disclosure Policy published and linked from Trust Center

    trust.bubble.io

    Subprocessors

    Subprocessors list published and linked from Trust Center

    trust.bubble.io

    Infrastructure

    Hosted on AWS; Cloudflare CDN; Enterprise plan offers dedicated infrastructure

    manual.bubble.io

    // Products & data scope

    Bubble FreeNo-code app builder

    data: App data stored in Bubble's shared US-based AWS infrastructure

    No dedicated infrastructure; no SSO; suitable for prototypes and personal projects only

    Bubble Starter / Growth / TeamNo-code app builder (paid tiers)

    data: App data on Bubble's AWS infrastructure; shared multi-tenant environment

    Starter from ~$42/month; Growth ~$209/month; Team ~$549/month. Includes more workload capacity and collaboration features; no dedicated infrastructure

    Bubble EnterpriseNo-code app builder (enterprise)

    data: Option for dedicated EU or US infrastructure; enhanced data isolation

    Custom pricing. Includes SSO, custom Cloudflare settings, static IP, dedicated servers, enhanced SLAs. EU data residency available on this tier only. SOC 2 Type II report accessible via Sales.

    Bubble AI AgentAI-powered app generation

    data: Prompts and generated app content processed by Bubble's AI; training posture undisclosed

    Generates app designs and privacy rules from natural language prompts. No public policy on whether prompt inputs are used for model training.

    // What to watch

    • ISO 27001 identity-conflation risk: 'Bubble Ltd' (bubblegroup.com, a UK PPM software company) holds ISO 27001:2022. This is a completely different company from Bubble Group Inc (bubble.io). Search results may conflate the two. Bubble.io does NOT hold ISO 27001.
    • AI training opacity: Bubble has not publicly disclosed whether customer app data or end-user data is used to train the Bubble AI model despite repeated community requests. Terms Section 5(d) license language is ambiguous. No opt-out mechanism advertised. This creates a potential GDPR Article 17 compliance gap for apps with EU users.
    • SOC 2 scope is security-only: The SOC 2 Type II report covers only the security trust service criterion, not availability, confidentiality, processing integrity, or privacy. Procurement teams expecting full five-criteria SOC 2 should note this limitation.
    • HIPAA explicitly not supported: Bubble's own documentation states 'the entire Bubble platform and its internal company processes currently do not meet these standards' and recommends against building HIPAA-regulated apps on Bubble. Vendor docs do not mention a BAA; no public evidence one is offered.
    • EU data residency is Enterprise-only: GDPR-sensitive deployments requiring EU data hosting can only achieve this on the Enterprise plan; lower-tier plans default to US (AWS) infrastructure.

    // At a glance

    Pricing model

    Freemium with paid tiers (Starter ~$42/mo, Growth ~$209/mo, Team ~$549/mo, Enterprise custom); workload-based scaling

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Bubble Group, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.bubble.io

    > Browse all vendor trust reports