// Trust & Security Report
Bubble Group, Inc.
No-code and AI-powered app builder platform for web and mobile applications; sub-products include AI agent for app generation, native mobile builder, and Bubble for Enterprise with dedicated infrastructure
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on manual.bubble.io“Bubble is compliant with the SOC 2 Type II standard for security...demonstrated that we have effective controls in place to ensure the security of our platform over time. Auditor: Sensiba LLP. Scope: security trust principle only (3-month initial audit period). Full report available on request via Sales.”
Verify on manual.bubble.io“Bubble has incorporated the Standard Contractual Clauses into its DPAs and maintains agreements with both customers and processors. DPA available at bubble.io/dpa. Bubble serves as a data processor for your company when you deploy your app. EU-based dedicated servers available on Enterprise plan.”
> Show 6 unconfirmed / not-held certifications
source: trust.bubble.ioNo evidence on trust.bubble.io or bubble.io/security that Bubble Group Inc (bubble.io) holds ISO 27001. NOTE: A different company, Bubble Ltd (bubblegroup.com, a UK project-portfolio-management software vendor), holds ISO 27001:2022. The two companies are unrelated; conflation is a documented search-results risk. Bubble.io's own Trust Center lists SOC 2 and GDPR only.
source: manual.bubble.iothe entire Bubble platform and its internal company processes currently do not meet these standards. We currently do not recommend using Bubble for apps that require HIPAA compliance. (Vendor docs make no mention of Bubble offering a BAA; no public evidence one is available.)
source: manual.bubble.ioPCI DSS is referenced in Bubble's compliance documentation as an industry standard developers should be aware of, but there is no public evidence that Bubble Group Inc itself holds PCI DSS certification. No mention on trust.bubble.io.
source: trust.bubble.ioNo public evidence of FedRAMP authorization. Not mentioned on trust center, security page, or compliance docs.
source: trust.bubble.ioNo public evidence. Not mentioned on trust center, security page, or compliance documentation.
source: trust.bubble.ioNo public evidence. Not mentioned on trust center or security documentation.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US (AWS) by default; EU-based dedicated servers available on Enterprise plan only
Bubble has NOT officially disclosed whether customer app data or end-user data is used to train the Bubble AI model. Multiple community threads (2024-2025) have raised this directly with no Bubble team response. Terms of Service Section 5(d) grants Bubble a license to use 'Direct User Content...solely for the purpose of operating the Platform and providing related services' - community members have questioned whether AI training qualifies but received no clarification. This is an unresolved transparency gap and potential GDPR Article 17 complication. trains_on_customer_data is null (unknown / no public disclosure).
// Security controls
Penetration testing
Annual minimum with third-party providers; results available via Trust Center on request
trust.bubble.ioDDoS protection
Cloudflare integration plus in-house monitoring; Enterprise plan allows custom Cloudflare configurations
manual.bubble.ioIncident response
Incident response plan established, tested, and followed per trust center controls listing
trust.bubble.ioStatic IP / allowlisting
Available for organizations needing strict allowlist-based security
manual.bubble.ioData retention procedures
Data retention procedures established per trust center controls listing
trust.bubble.ioVulnerability disclosure
Vulnerability Disclosure Policy published and linked from Trust Center
trust.bubble.ioInfrastructure
Hosted on AWS; Cloudflare CDN; Enterprise plan offers dedicated infrastructure
manual.bubble.io// Products & data scope
data: App data stored in Bubble's shared US-based AWS infrastructure
No dedicated infrastructure; no SSO; suitable for prototypes and personal projects only
data: App data on Bubble's AWS infrastructure; shared multi-tenant environment
Starter from ~$42/month; Growth ~$209/month; Team ~$549/month. Includes more workload capacity and collaboration features; no dedicated infrastructure
data: Option for dedicated EU or US infrastructure; enhanced data isolation
Custom pricing. Includes SSO, custom Cloudflare settings, static IP, dedicated servers, enhanced SLAs. EU data residency available on this tier only. SOC 2 Type II report accessible via Sales.
data: Prompts and generated app content processed by Bubble's AI; training posture undisclosed
Generates app designs and privacy rules from natural language prompts. No public policy on whether prompt inputs are used for model training.
// What to watch
- ISO 27001 identity-conflation risk: 'Bubble Ltd' (bubblegroup.com, a UK PPM software company) holds ISO 27001:2022. This is a completely different company from Bubble Group Inc (bubble.io). Search results may conflate the two. Bubble.io does NOT hold ISO 27001.
- AI training opacity: Bubble has not publicly disclosed whether customer app data or end-user data is used to train the Bubble AI model despite repeated community requests. Terms Section 5(d) license language is ambiguous. No opt-out mechanism advertised. This creates a potential GDPR Article 17 compliance gap for apps with EU users.
- SOC 2 scope is security-only: The SOC 2 Type II report covers only the security trust service criterion, not availability, confidentiality, processing integrity, or privacy. Procurement teams expecting full five-criteria SOC 2 should note this limitation.
- HIPAA explicitly not supported: Bubble's own documentation states 'the entire Bubble platform and its internal company processes currently do not meet these standards' and recommends against building HIPAA-regulated apps on Bubble. Vendor docs do not mention a BAA; no public evidence one is offered.
- EU data residency is Enterprise-only: GDPR-sensitive deployments requiring EU data hosting can only achieve this on the Enterprise plan; lower-tier plans default to US (AWS) infrastructure.
// At a glance
Pricing model
Freemium with paid tiers (Starter ~$42/mo, Growth ~$209/mo, Team ~$549/mo, Enterprise custom); workload-based scaling
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Bubble Group, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.bubble.io