The most common security mistake in Bubble apps has nothing to do with the platform itself. It's a default setting: every new data type you create in Bubble ships with privacy rules that let "Everyone" view all fields and all records. Skip the privacy rules configuration step and Bubble's Data API exposes your entire database to the open internet.
Bubble as a platform is solid. SOC 2 Type II certified, hosted on AWS, no training on customer data. The risk is what your configuration leaves open, not what Bubble does behind the scenes.
TL;DR
Bubble is safe to use as a no-code platform. The critical gotcha is privacy rules: every new data type defaults to public access, and Bubble's built-in Data API at yourapp.bubbleapps.io/api/1.1/obj/{typename} will return all records if those rules aren't set. Before you launch, walk through every data type in the Data section and set explicit "This User is Current User" or role-based conditions. The generated code Bubble produces also needs review for logic-layer auth gaps.
What Bubble Controls (Platform Security)
Bubble hosts your app on AWS (us-east-1 by default). SSL is included for custom domains. The platform is SOC 2 Type II certified, which means an independent auditor has verified Bubble's controls for availability, security, and confidentiality on an ongoing basis.
For most indie founders and small teams, this is sufficient. Bubble handles OS patching, infra scaling, and database management. You don't run a server. Bubble does.
What Bubble doesn't control: your data model, your privacy rules, your API settings, and the logic you build. Those are fully your responsibility.
The Privacy Rules Default Problem
When you add a new data type in the Bubble editor, the default privacy rule is:
- Find this in searches: Everyone
- View all fields: Everyone
This means any request to https://yourapp.bubbleapps.io/api/1.1/obj/user (or any other type name) will return all records in that table with no authentication required.
The Data API is enabled per-app, not per-type. If the Data API is on (check Settings > API > Enable Data API), every data type without explicit privacy rules is publicly readable by anyone who knows your app URL.
The fix: In the Data section, click each data type, open Privacy, and add conditions. For user-owned data, the rule is usually:
When: Current User's [field] = This User's [field]
Allow: Find this in searches, View all fields
For admin-only tables (config, logs, etc.), the rule should be:
When: Current User's role = "admin"
Allow: Find this in searches, View all fields
If a data type should never be exposed via the Data API, add a rule that allows nothing, or disable that type in the Data API settings individually.
The Data API Endpoint Pattern
Every Bubble app exposes REST endpoints automatically:
GET https://yourapp.bubbleapps.io/api/1.1/obj/{typename}
GET https://yourapp.bubbleapps.io/api/1.1/obj/{typename}/{id}
POST https://yourapp.bubbleapps.io/api/1.1/obj/{typename}
These endpoints respect your privacy rules when a user is authenticated, but unauthenticated requests get the "Everyone" context. Any type with "Everyone can view" on its privacy rules returns data to unauthenticated API calls.
Check Settings > API > Enable Data API before launch. If you enabled it for development or for a plugin and don't need it in production, turn it off; if you do need it, configure per-type access so only the types you intend to serve are reachable.
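A pre-launch audit of your own app's Data API, covering both the privacy-rule fix above and the endpoint pattern just described. This is an added example, not Bubble's code: it assumes the Data API's JSON envelope is `{"response": {"results": [...], "count": N, "remaining": M}}` and honours a `limit` query parameter, and it treats 401/403 as authentication enforced and 404 as the type not being served. The `fetch` parameter is injectable so the logic can be exercised offline against constructed responses.

```python
"""Audit which Bubble data types an unauthenticated Data API call can read (added example)."""
import json
import urllib.request
from urllib.error import HTTPError


def classify(status, body):
    """Map an unauthenticated GET's status/body to an exposure verdict (assumed semantics)."""
    if status in (401, 403):
        return "auth-required"          # privacy rules or API settings reject anonymous calls
    if status == 404:
        return "not-exposed"            # type disabled in Data API settings, or unknown type
    if status != 200:
        return f"unexpected-{status}"
    try:
        resp = json.loads(body).get("response", {})
    except (ValueError, AttributeError):
        return "unparseable"
    # Assumed envelope: results returned on this page plus 'remaining' beyond it.
    visible = len(resp.get("results", [])) + int(resp.get("remaining", 0))
    return "EXPOSED" if visible > 0 else "no-records-visible"


def http_fetch(url):
    """Real fetcher: one unauthenticated GET, returning (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def audit(base_url, type_names, fetch=http_fetch):
    """Return {type_name: verdict}; limit=1 keeps each probe of your own app small."""
    report = {}
    for name in type_names:
        url = f"{base_url.rstrip('/')}/api/1.1/obj/{name}?limit=1"
        status, body = fetch(url)
        report[name] = classify(status, body)
    return report


if __name__ == "__main__":
    # Placeholder app URL and type names: substitute your own app's before launch.
    for name, verdict in audit("https://yourapp.bubbleapps.io", ["user", "invoice", "config"]).items():
        print(f"{name:10} {verdict}")
```

Any type reported as EXPOSED needs a privacy rule or a per-type Data API switch before go-live; "no-records-visible" can mean either an empty table or rules that already filter everything, so confirm which.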
Bubble Enterprise for Stricter Requirements
The standard Bubble plan runs on shared infrastructure. Bubble Enterprise provides dedicated database clusters, custom data residency options, and stricter SLAs. It also opens the door to compliance negotiations (including HIPAA BAA discussions).
If your app handles sensitive regulated data (healthcare, financial, legal), contact Bubble about Enterprise before building. Retrofitting compliance controls after launch is much harder than planning for them upfront.
What Bubble Does Not Do
- No model training on your data. Bubble does not use your database content or app logic to train AI.
- No code export. Bubble's runtime is proprietary. You can export your data, but not a runnable codebase.
- No self-hosting. The app runs on Bubble's infrastructure. Enterprise dedicated clusters are hosted by Bubble, not by you.
Pre-Launch Security Checklist for Bubble Apps
Is Bubble safe for production apps?
Bubble is safe as a platform: SOC 2 Type II certified, AWS-hosted, and no training on your data. The risk is configuration, not the platform itself. You must set explicit privacy rules on every data type and audit the Data API before going live.
Does Bubble expose my data publicly?
By default, yes. Every new data type in Bubble ships with "Everyone" as the default viewer. Bubble's built-in Data API at yourapp.bubbleapps.io/api/1.1/obj/{typename} will return all records for any type that lacks explicit privacy rules.
Is Bubble HIPAA compliant?
Bubble does not offer a standard HIPAA BAA for regular plans. Bubble Enterprise can accommodate specific compliance requirements, but you need to contact Bubble's sales team to negotiate terms. Do not store PHI on a standard Bubble plan without explicit compliance confirmation.
Can I self-host a Bubble app?
No. Bubble runs on Bubble's infrastructure (AWS us-east-1 by default). The Enterprise plan offers dedicated cluster options, but there is no option to export and self-host the Bubble runtime.
Does Bubble train AI on my app data?
Bubble states it does not use customer data to train AI models. Your database records and app logic stay within your Bubble account and are not shared for model training.
Scan Your Bubble App
CheckYourVibe checks your Bubble app's exposed endpoints, auth configuration, and API settings for the gaps that most no-code security reviews miss.