This information is valid as of 1 January 2020.
- Bubble uses Amazon RDS’s AES-256 encryption and Amazon Web Service’s KMS to manage encryption keys.
- Bubble hashes passwords with SHA256 using a randomly generated salt that is prepended to the password.
- Data in transit over the API connection is encrypted with TLS using a current SSL certificate. See the SSL Labs report for details: https://www.ssllabs.com/ssltest/analyze.html?d=bubble.io&hideResults=on&latest
- Bubble has documented key management procedures that govern where keys are stored, who owns them, how the keys are used, and the lifecycle of the keys. It uses Amazon Web Service’s KMS to manage encryption keys.
- Bubble prevents parallel login attempts and applies a linearly increasing time penalty to subsequent failed password attempts.
- All production code changes pass through a code review process prior to release. This code review includes evaluating the changes for potential security defects.
- Bubble uses automatic vulnerability detection software, both internally and hosted by a third party service, to detect application and network vulnerabilities.
- Bubble receives notifications from vendors and other third parties about security advisories related to its software components via GitHub and npm.
- Bubble’s software development lifecycle incorporates industry best practices at all stages. We have a number of controls including code review, automated code testing tools, automated and manual vulnerability testing including OWASP top ten testing, and continuous monitoring. Bubble uses code analysis tools to detect security and vulnerability defects. These tools are integrated with a continuous deployment workflow, and code that does not pass is prevented from being deployed.
- Bubble currently protects its networks via intrusion prevention systems, including firewalls and authentication layers. Bubble logs application-level events to detect and respond to security incidents. Evaluating intrusion detection systems (IDS) or web application firewalls for possible implementation is on Bubble's security roadmap.
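The password-storage and login-throttling items above (salted SHA256 with the salt prepended, one login attempt per account at a time, and a linearly increasing wait after each failure) combined into one runnable example. This is added illustration code, not Bubble's implementation; the 2-second penalty step, the per-account scope of the parallel-attempt check, and the injectable clock and verifier are assumptions.

```python
import hashlib
import hmac
import os
import threading
import time

PENALTY_STEP = 2.0  # assumed: seconds added to the wait per consecutive failure


def make_record(password: str) -> tuple[bytes, bytes]:
    """Store a password as the page describes: SHA-256 over a random salt prepended to it."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)


class LoginThrottle:
    """Per-account gate (assumed scope): one attempt in flight, linear back-off after failures."""

    def __init__(self, clock=time.monotonic, verify=check_password):
        self._clock, self._verify = clock, verify
        self._lock = threading.Lock()
        self._in_flight = set()   # accounts whose password check is running right now
        self._failures = {}       # account -> consecutive failed attempts
        self._not_before = {}     # account -> earliest time the next attempt is allowed

    def attempt(self, account: str, password: str, salt: bytes, digest: bytes) -> str:
        with self._lock:
            if account in self._in_flight:
                return "rejected_parallel"   # a check for this account is already running
            if self._clock() < self._not_before.get(account, 0.0):
                return "rejected_penalty"    # still serving the back-off from earlier failures
            self._in_flight.add(account)
        ok = False
        try:
            ok = self._verify(password, salt, digest)  # slow work happens outside the lock
        finally:
            with self._lock:
                self._in_flight.discard(account)
                if ok:
                    self._failures.pop(account, None)
                    self._not_before.pop(account, None)
                else:
                    n = self._failures.get(account, 0) + 1
                    self._failures[account] = n
                    # linear penalty: 1st failure waits 1*STEP, 2nd waits 2*STEP, ...
                    self._not_before[account] = self._clock() + n * PENALTY_STEP
        return "ok" if ok else "bad_password"
```

A real deployment would persist the failure counters outside the process so the penalty survives restarts and applies across all application servers.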