[{"data":1,"prerenderedAt":309},["ShallowReactive",2],{"blog-is-safe/bubble":3},{"id":4,"title":5,"body":6,"category":281,"date":282,"dateModified":282,"description":283,"draft":284,"extension":285,"faq":286,"featured":284,"headerVariant":293,"image":294,"keywords":295,"meta":296,"navigation":297,"ogDescription":298,"ogTitle":294,"path":299,"readTime":300,"schemaOrg":301,"schemaType":302,"seo":303,"sitemap":304,"stem":305,"tags":306,"twitterCard":307,"__hash__":308},"blog/blog/is-safe/bubble.md","Is Bubble Safe? Security Review for No-Code App Builders (2026)",{"type":7,"value":8,"toc":271},"minimark",[9,13,16,27,34,39,42,45,52,56,59,74,81,87,93,103,106,112,115,119,122,128,131,137,141,144,147,151,171,175,203,240,259],[10,11,12],"p",{},"The most common security mistake in Bubble apps has nothing to do with the platform itself. It's a default setting: every new data type you create in Bubble ships with privacy rules that let \"Everyone\" view all fields and all records. Skip the privacy rules configuration step and Bubble's Data API exposes your entire database to the open internet.",[10,14,15],{},"Bubble as a platform is solid. SOC 2 Type II certified, hosted on AWS, no training on customer data. The risk is what your configuration leaves open, not what Bubble does behind the scenes.",[17,18,19],"tldr",{},[10,20,21,22,26],{},"Bubble is safe to use as a no-code platform. The critical gotcha is privacy rules: every new data type defaults to public access, and Bubble's built-in Data API at ",[23,24,25],"code",{},"yourapp.bubbleapps.io/api/1.1/obj/{typename}"," will return all records if those rules aren't set. Before you launch, walk through every data type in the Data section and set explicit \"This User is Current User\" or role-based conditions. The generated code Bubble produces also needs review for logic-layer auth gaps.",[28,29,31],"verdict-badge",{"verdict":30},"caution",[10,32,33],{},"Use with Caution",[35,36,38],"h2",{"id":37},"what-bubble-controls-platform-security","What Bubble Controls (Platform Security)",[10,40,41],{},"Bubble hosts your app on AWS (us-east-1 by default). SSL is included for custom domains. The platform is SOC 2 Type II certified, which means an independent auditor has verified Bubble's controls for availability, security, and confidentiality on an ongoing basis.",[10,43,44],{},"For most indie founders and small teams, this is sufficient. Bubble handles OS patching, infra scaling, and database management. You don't run a server. Bubble does.",[10,46,47,51],{},[48,49,50],"strong",{},"What Bubble doesn't control:"," your data model, your privacy rules, your API settings, and the logic you build. Those are fully your responsibility.",[35,53,55],{"id":54},"the-privacy-rules-default-problem","The Privacy Rules Default Problem",[10,57,58],{},"When you add a new data type in the Bubble editor, the default privacy rule is:",[60,61,62,69],"ul",{},[63,64,65,68],"li",{},[48,66,67],{},"Find this in searches:"," Everyone",[63,70,71,68],{},[48,72,73],{},"View all fields:",[10,75,76,77,80],{},"This means any request to ",[23,78,79],{},"https://yourapp.bubbleapps.io/api/1.1/obj/user"," (or any other type name) will return all records in that table with no authentication required.",[82,83,84],"danger-box",{},[10,85,86],{},"The Data API is enabled per-app, not per-type. If the Data API is on (check Settings > API > Enable Data API), every data type without explicit privacy rules is publicly readable by anyone who knows your app URL.",[10,88,89,92],{},[48,90,91],{},"The fix:"," In the Data section, click each data type, open Privacy, and add conditions. For user-owned data, the rule is usually:",[94,95,100],"pre",{"className":96,"code":98,"language":99},[97],"language-text","When: Current User's [field] = This User's [field]\nAllow: Find this in searches, View all fields\n","text",[23,101,98],{"__ignoreMap":102},"",[10,104,105],{},"For admin-only tables (config, logs, etc.), the rule should be:",[94,107,110],{"className":108,"code":109,"language":99},[97],"When: Current User's role = \"admin\"\nAllow: Find this in searches, View all fields\n",[23,111,109],{"__ignoreMap":102},[10,113,114],{},"If a data type should never be exposed via the Data API, add a rule that allows nothing, or disable that type in the Data API settings individually.",[35,116,118],{"id":117},"the-data-api-endpoint-pattern","The Data API Endpoint Pattern",[10,120,121],{},"Every Bubble app exposes REST endpoints automatically:",[94,123,126],{"className":124,"code":125,"language":99},[97],"GET  https://yourapp.bubbleapps.io/api/1.1/obj/{typename}\nGET  https://yourapp.bubbleapps.io/api/1.1/obj/{typename}/{id}\nPOST https://yourapp.bubbleapps.io/api/1.1/obj/{typename}\n",[23,127,125],{"__ignoreMap":102},[10,129,130],{},"These endpoints respect your privacy rules when a user is authenticated, but unauthenticated requests get the \"Everyone\" context. Any type with \"Everyone can view\" on its privacy rules returns data to unauthenticated API calls.",[132,133,134],"warning-box",{},[10,135,136],{},"Check Settings > API > Enable Data API before launch. If you enabled it for development or a plugin, turn it off or configure per-type access if you're not using it in production.",[35,138,140],{"id":139},"bubble-enterprise-for-stricter-requirements","Bubble Enterprise for Stricter Requirements",[10,142,143],{},"The standard Bubble plan runs on shared infrastructure. Bubble Enterprise provides dedicated database clusters, custom data residency options, and stricter SLAs. It also opens the door to compliance negotiations (including HIPAA BAA discussions).",[10,145,146],{},"If your app handles sensitive regulated data (healthcare, financial, legal), contact Bubble about Enterprise before building. Retrofitting compliance controls after launch is much harder than planning for them upfront.",[35,148,150],{"id":149},"what-bubble-does-not-do","What Bubble Does Not Do",[60,152,153,159,165],{},[63,154,155,158],{},[48,156,157],{},"No model training on your data."," Bubble does not use your database content or app logic to train AI.",[63,160,161,164],{},[48,162,163],{},"No code export."," Bubble's runtime is proprietary. You can export your data, but not a runnable codebase.",[63,166,167,170],{},[48,168,169],{},"No self-hosting."," The app runs on Bubble's infrastructure. Enterprise dedicated clusters are hosted by Bubble, not by you.",[35,172,174],{"id":173},"pre-launch-security-checklist-for-bubble-apps","Pre-Launch Security Checklist for Bubble Apps",[176,177,178,183,187,191,195,199],"checklist-section",{},[179,180],"checklist-item",{"description":181,"label":182},"Open each data type. If any show 'Everyone can view', add explicit conditions.","Privacy rules audit",[179,184],{"description":185,"label":186},"Settings > API. Disable the Data API if you're not using it. If enabled, verify per-type access.","Data API review",[179,188],{"description":189,"label":190},"Audit any enabled API workflow endpoints. Each should require authentication unless intentionally public.","Workflow API",[179,192],{"description":193,"label":194},"Any data type or workflow restricted to admins should verify role via Bubble condition, not just page-level redirect.","Admin role check",[179,196],{"description":197,"label":198},"Files uploaded to Bubble are stored in S3. Check whether file URLs are guessable or public. Enable private file uploads if needed.","File upload exposure",[179,200],{"description":201,"label":202},"Run your app URL through a security scanner before launch. Bubble-generated logic can have auth gaps like any other app.","Generated code scan",[204,205,206,213,222,228,234],"faq-section",{},[207,208,210],"faq-item",{"question":209},"Is Bubble safe for production apps?",[10,211,212],{},"Bubble is safe as a platform: SOC 2 Type II certified, AWS-hosted, and no training on your data. The risk is configuration, not the platform itself. You must set explicit privacy rules on every data type and audit the Data API before going live.",[207,214,216],{"question":215},"Does Bubble expose my data publicly?",[10,217,218,219,221],{},"By default, yes. Every new data type in Bubble ships with \"Everyone\" as the default viewer. Bubble's built-in Data API at ",[23,220,25],{}," will return all records for any type that lacks explicit privacy rules.",[207,223,225],{"question":224},"Is Bubble HIPAA compliant?",[10,226,227],{},"Bubble does not offer a standard HIPAA BAA for regular plans. Bubble Enterprise can accommodate specific compliance requirements, but you need to contact Bubble's sales team to negotiate terms. Do not store PHI on a standard Bubble plan without explicit compliance confirmation.",[207,229,231],{"question":230},"Can I self-host a Bubble app?",[10,232,233],{},"No. Bubble runs on Bubble's infrastructure (AWS us-east-1 by default). The Enterprise plan offers dedicated cluster options, but there is no option to export and self-host the Bubble runtime.",[207,235,237],{"question":236},"Does Bubble train AI on my app data?",[10,238,239],{},"Bubble states it does not use customer data to train AI models. Your database records and app logic stay within your Bubble account and are not shared for model training.",[241,242,243,249,254],"related-articles",{},[244,245],"related-card",{"description":246,"href":247,"title":248},"Step-by-step guide to locking down privacy rules, the Data API, and file uploads in your Bubble app","/blog/guides/bubble","Bubble Security Guide",[244,250],{"description":251,"href":252,"title":253},"Security review for no-code data platforms: API key exposure, base sharing, and access control","/blog/is-safe/airtable","Is Airtable Safe?",[244,255],{"description":256,"href":257,"title":258},"Security and privacy review for Lovable-built apps and what vibe-coded apps get right and wrong","/blog/is-safe/lovable","Is Lovable Safe?",[260,261,264,268],"cta-box",{"href":262,"label":263},"/","Start Free Scan",[35,265,267],{"id":266},"scan-your-bubble-app","Scan Your Bubble App",[10,269,270],{},"CheckYourVibe checks your Bubble app's exposed endpoints, auth configuration, and API settings for the gaps that most no-code security reviews miss.",{"title":102,"searchDepth":272,"depth":272,"links":273},2,[274,275,276,277,278,279,280],{"id":37,"depth":272,"text":38},{"id":54,"depth":272,"text":55},{"id":117,"depth":272,"text":118},{"id":139,"depth":272,"text":140},{"id":149,"depth":272,"text":150},{"id":173,"depth":272,"text":174},{"id":266,"depth":272,"text":267},"is-safe","2026-05-13","Bubble is SOC 2 certified and runs on AWS, but its privacy rules default to public access on every new data type. What you need to lock down before you go live.",false,"md",[287,288,290,291,292],{"question":209,"answer":212},{"question":215,"answer":289},"By default, yes. Every new data type in Bubble ships with 'Everyone' as the default viewer. Bubble's built-in Data API at yourapp.bubbleapps.io/api/1.1/obj/{typename} will return all records for any type that lacks explicit privacy rules.",{"question":224,"answer":227},{"question":230,"answer":233},{"question":236,"answer":239},"amber",null,"is bubble safe, bubble no-code security, bubble privacy rules, bubble data api security, bubble.io security, bubble soc2, no-code app security",{},true,"Bubble is SOC 2 certified and runs on AWS, but privacy rules default to open. Here's what to lock down before you launch a Bubble app.","/blog/is-safe/bubble","7 min read","[object Object]","Article",{"title":5,"description":283},{"loc":299},"blog/is-safe/bubble",[],"summary_large_image","_B-jGf-o8PnRNoeCZNW2F865cVIKmlVhrCONqqlqDFQ",1778818942539]