Enterprise security · United States · Reviewed June 2026

Is Bubble.io SOC 2 compliant?

SOC 2 is the one standard Bubble actually has. They hold a Type II report for the Security category, audited by Sensiba LLP. The catch is the report covers the platform, not your application — Bubble's own manual says the compliance doesn't transfer. The honest plan for almost every B2B SaaS on Bubble is to stay on Bubble, inherit the platform's controls, and run your own readiness engagement and audit. Three paths below, but for once the headline is: you do not need to rebuild.

The honest verdict

Partially. The platform holds the attestation; the app you ship on it does not.

Bubble has the certification at platform level — but it does not transfer to your app. Bubble holds a Type II report covering the Security category only, audited by Sensiba LLP. Bubble's own manual is explicit that the compliance doesn't automatically transfer to apps built on Bubble — you still need your own audit. The report itself is gated through Bubble Sales, so factor that into your vendor due-diligence timeline.

"Bubble is compliant with the SOC 2 Type II standard for security"
— Source: Bubble.io documentation

Reviewed by

Greg · Founder, bubbletocode.com — has migrated 30+ Bubble apps to code

Independently sourced — no Bubble partnership · Last reviewed June 2026

Credentials

  • 01 / 04 · Bubble's stance: Type II, platform only. Security category, audited by Sensiba LLP.

  • 02 / 04 · Procurement consequence: table stakes, not differentiator. ~40% of enterprise vendor reviews now demand it.

  • 03 / 04 · Industries impacted: B2B SaaS · Cloud services · Fintech · Any enterprise vendor.

  • 04 / 04 · Compliant on Bubble: $30k–$60k · 12–52 weeks. Stay on Bubble, run your own Type II audit.

What SOC 2 actually requires

The requirements behind the checkbox.

SOC 2 is an AICPA attestation, not a law. A licensed CPA firm tests whether your service organisation operates the Trust Services Criteria controls — at minimum the Security category — over a 3–12 month observation window. There are no fines. The consequence of a qualified opinion is lost enterprise deals.

  1. Meet the mandatory Security category — the common criteria CC1 through CC9 — covering control environment, risk assessment, monitoring, and logical access (TSC 2017/2022 Common Criteria).

  2. Optionally add Availability, Processing Integrity, Confidentiality, or Privacy categories based on what you contractually commit to enterprise buyers (TSC Trust Services Categories).

  3. Document the system description: boundaries, infrastructure, software, people, data flows, and the controls that protect them (AT-C 205 system description).

  4. Operate every documented control consistently across the audit period so the CPA can test operating effectiveness, not just design (AT-C 205 Type II examination).

  5. Engage an independent licensed CPA firm to perform the examination under SSAE No. 18 — not a consultancy, not a compliance SaaS alone (AT-C 105 common concepts).

  6. Remediate every exception the auditor raises and produce a written management assertion that supports the final report (SSAE 18 management assertion).

Official source: aicpa-cima.com

Why Bubble fails SOC 2

Not opinions — architectural facts.

Every reason below comes from Bubble’s published platform limits or their own documentation. Reading the list top-to-bottom tells you which one will bite you first.

  1. Platform attestation doesn't transfer to your app (severity: Blocker)

     Bubble's own manual says the SOC 2 compliance "doesn't automatically transfer over" — the report covers Bubble's platform controls, not the controls inside your application. Your privacy rules, your access management, your change management, your customer-facing security commitments all need their own evidence. Auditors treat the Bubble report as inherited infrastructure, not as a substitute for your own examination.

     Sources: [01]

  2. Report scope is Security only (severity: Major)

     The Bubble report covers exactly one Trust Services category: Security. Availability, Confidentiality, Processing Integrity, and Privacy are not in scope. If an enterprise customer requires Availability or Confidentiality in their vendor contract — common with regulated buyers — you cannot rely on Bubble's report to cover it. Your own audit must add those categories explicitly, and the underlying platform controls aren't attested there.

     Sources: [01]

  3. Report only available through Bubble Sales (severity: Major)

     The full SOC 2 report is not self-serve. You request it through Bubble Sales, sign an NDA, and wait. That's manageable for a one-off due-diligence cycle, but it stretches every enterprise security review by days. If you're running a parallel SOC 2 readiness sprint, expect to chase the Bubble sub-service-organisation evidence multiple times — auditors will keep asking.

     Sources: [02]

  4. Application-level monitoring is two weeks deep (severity: Major)

     The Common Criteria expect continuous monitoring and the ability to investigate incidents historically. Bubble's logs interface limits search to the previous two weeks. That's short for SOC 2 monitoring controls and short for any incident that turns up later than fourteen days after the fact. You can ship logs out, but that's an explicit application-level control you have to design and evidence.

     Sources: [03]

  5. Third-party plugins sit outside Bubble's audit boundary (severity: Minor)

     Plugins execute as client-side JavaScript loaded by the user's browser plus server-side actions running on Bubble's servers. The third-party plugin code is not part of Bubble's SOC 2 audit perimeter. If you rely on a marketplace plugin for auth, payments, file handling, or anything privileged, your auditor will treat it as a subservice provider you own — and you'll need vendor-management evidence for each one.

     Sources: [04]
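The fourth point above (a two-week native search window versus a 3–12 month observation window) is the one that turns into a concrete engineering task: ship the logs somewhere you control and be able to show an auditor that the archive has no holes. The script below is an added illustration, not Bubble's code or a Bubble API: the log event shape, the `daily_access_review` workflow name and the `bubble-app-logs` prefix are all constructed for the example, and the "S3 bucket" is a local directory laid out with date-partitioned keys so it runs offline. What it demonstrates is the evidence check itself: the same archive passes a 14-day coverage test and fails a 90-day one because of a single missing day, which is exactly the gap a native two-week window would never reveal.

```python
"""Off-platform log archive with a retention-coverage check.

Added example, not from the original page or from Bubble. The event
format, workflow name and prefix are constructed; the archive is a local
directory laid out like S3 keys (prefix/YYYY/MM/DD/events.jsonl).
"""
import json
import os
import tempfile
from datetime import date, datetime, timedelta

NATIVE_SEARCH_WINDOW_DAYS = 14   # Bubble logs-tab search window, per the page
OBSERVATION_WINDOW_DAYS = 90     # shortest viable Type II window, per the page
PREFIX = "bubble-app-logs"       # hypothetical bucket prefix


def constructed_events(start, end, skip=()):
    """Constructed sample: one event per day in an assumed JSON shape.
    Days in `skip` produce no event, simulating a log-shipping outage."""
    events, day = [], start
    while day <= end:
        if day not in skip:
            events.append({
                "ts": f"{day.isoformat()}T09:00:00Z",
                "level": "info",
                "workflow": "daily_access_review",   # hypothetical workflow name
                "msg": "privacy rules evaluated",
            })
        day += timedelta(days=1)
    return events


def partition_key(event, prefix=PREFIX):
    """S3-style key derived from the event timestamp."""
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return f"{prefix}/{ts:%Y/%m/%d}/events.jsonl"


def archive_events(events, root):
    """Append each event to its date partition under `root`; return keys written."""
    keys = set()
    for ev in events:
        key = partition_key(ev)
        path = os.path.join(root, *key.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(ev, sort_keys=True) + "\n")
        keys.add(key)
    return sorted(keys)


def archived_days(root, prefix=PREFIX):
    """Dates that have a partition in the archive (what an auditor can sample)."""
    base = os.path.join(root, prefix)
    days = set()
    for dirpath, _, files in os.walk(base):
        if "events.jsonl" in files:
            y, m, d = os.path.relpath(dirpath, base).split(os.sep)
            days.add(date(int(y), int(m), int(d)))
    return days


def retention_coverage(days, as_of, required_days):
    """True only if every day in the window ending at `as_of` has a partition.
    Returns (covered, missing_days) so gaps can go straight into the evidence."""
    start = as_of - timedelta(days=required_days - 1)
    window = [start + timedelta(days=n) for n in range(required_days)]
    missing = [d for d in window if d not in days]
    return (not missing, missing)


def evidence_summary(root, as_of):
    """Run the native-window and observation-window checks side by side."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    days = archived_days(root)
    native_ok, _ = retention_coverage(days, as_of, NATIVE_SEARCH_WINDOW_DAYS)
    audit_ok, gaps = retention_coverage(days, as_of, OBSERVATION_WINDOW_DAYS)
    return {
        "days_archived": len(days),
        "native_window_covered": native_ok,
        "observation_window_covered": audit_ok,
        "gaps": [g.isoformat() for g in gaps],
    }


def build_demo_archive(root=None):
    """Archive the constructed Q1 2026 sample with one shipping gap on 14 Feb."""
    root = root or tempfile.mkdtemp(prefix="soc2-log-archive-")
    events = constructed_events(date(2026, 1, 1), date(2026, 3, 31),
                                skip={date(2026, 2, 14)})
    archive_events(events, root)
    return root


if __name__ == "__main__":
    print(json.dumps(evidence_summary(build_demo_archive(), "2026-03-31"), indent=2))
```

Run it as-is and the summary reports 89 archived days, the 14-day window covered, and the 90-day window not covered with `2026-02-14` listed as the gap. In a real control the `archive_events` step would write to object storage with a retention policy at least as long as your observation window, and `evidence_summary` would run on a schedule so the gap is caught the day it appears rather than during fieldwork.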

Bubble vs a compliant stack

Where each requirement passes or breaks.

The same 7 requirements an auditor will ask about, scored on both stacks. Read across each row — every red cell is a deal you can’t close on Bubble.

Requirement · On Bubble.io · On a compliant rebuild

  • Platform-level SOC 2 Type II report exists
    On Bubble.io: Pass. Type II, Security category. Audited by Sensiba LLP; inherit as sub-service org.
    On a compliant rebuild: Pass. Vercel Enterprise / AWS Type 2. Multiple categories already attested.

  • Availability / Confidentiality categories covered
    On Bubble.io: Fail. Security only. Other categories need compensating controls in your audit.
    On a compliant rebuild: Pass. Security + Confidentiality + Availability.

  • Continuous monitoring — log retention
    On Bubble.io: Partial. Two-week search window. Ship logs off-platform for SOC 2 monitoring controls.
    On a compliant rebuild: Pass. Postgres event log + S3 archive.

  • Self-serve sub-service org report
    On Bubble.io: Fail. Sales-gated, NDA required.
    On a compliant rebuild: Pass. Vercel / AWS Artifact self-serve.

  • Third-party / plugin governance
    On Bubble.io: Partial. Plugins outside Bubble's audit. Inventory and manage as your own subservice providers.
    On a compliant rebuild: Pass. npm dependency scanning + SBOM.

  • Application-level controls still your job
    On Bubble.io: Partial. Privacy rules + access reviews on you. Same on any host — SOC 2 always tests user-entity controls.
    On a compliant rebuild: Partial. Same complementary controls apply.

  • Long-running jobs and background workflows
    On Bubble.io: Fail. 300s workflow timeout.
    On a compliant rebuild: Pass. Inngest / SQS queues, unlimited duration.

What it costs your business

The deals you lose without SOC 2.

SOC 2 has dropped from "differentiator" to "table stakes" in B2B SaaS procurement. Around 40% of enterprise vendor-risk reviews now require a current Type II report before contract — without one, deals stall at security review, not at the demo. The cost of a qualified opinion isn't a fine; it's the renewal that doesn't close.

  • An enterprise buyer asks for a current Type II report and bridge letter before signature; without one your deal sits in vendor risk for 4–8 weeks while you scramble for compensating evidence.

  • A security review checks your sub-processor list and asks for Bubble's SOC 2 report — you wait days for Sales to release it, which auditors and procurement read as a maturity signal.

  • A buyer requires Availability or Confidentiality categories, not just Security — your audit must add them, and Bubble's platform report doesn't cover them, so your auditor demands compensating controls in writing.

  • A renewal stalls when a customer's CISO discovers your last SOC 2 expired more than 12 months ago and you have no bridge letter — Compass ITC and Secureframe both report this as the most common involuntary churn trigger in 2026.

Three honest paths forward

Stay, hybrid, or rebuild — pick the one true to your stage.

We don’t recommend a rebuild for every founder. Below: what each path costs you, what it preserves, and where it breaks for SOC 2.

01 · Stay on Bubble and run your own SOC 2

Viable · Cheapest now · riskiest later

Inherit Bubble's platform controls, layer your application-level controls on top, engage a CPA firm, complete a 3–12 month Type II observation window. No rebuild. This is the recommended path for almost every B2B SaaS on Bubble.

Pros

  • No migration, no cutover, no downtime
  • Bubble's platform report is real evidence you can inherit
  • Audit cost stays inside SMB band — typically $30–60k all-in year one
  • Renewals drop to $15–40k once controls are operating

Cons

  • Application controls still your responsibility — privacy rules, access reviews, change mgmt
  • Log retention beyond two weeks needs to be shipped off-platform
  • Bubble Sales is the gatekeeper for the sub-service report
02 · Hybrid — rarely necessary for SOC 2 alone

Partial fit · Phased · auditor-defensible

Carve specific workloads (long-running jobs, log retention, secrets management) into a separate codebase if you also need Availability or Confidentiality categories beyond what Bubble attests. Most teams don't need this purely for SOC 2.

Pros

  • Useful if you need HIPAA or FedRAMP and SOC 2 in parallel
  • Lets you add Availability category controls under your direct control

Cons

  • Two stacks to maintain for a problem one stack can solve
  • Auditors will scope both — paperwork goes up, not down
03 · Full rebuild — only if you need a stricter standard alongside

Recommended · Viable · Highest upfront · clean audit

Rebuild on Next.js with Vercel Enterprise or AWS as the host. Vercel Enterprise is SOC 2 Type 2 across Security / Confidentiality / Availability, plus PCI SAQ-D and ISO 27001. AWS gives the same plus FedRAMP eligibility. Only worth it when SOC 2 is one of several gates.

Pros

  • Single audit boundary, single vendor-risk story
  • Unlocks adjacent standards: HIPAA, FedRAMP, PCI Level 1
  • Removes Bubble WU cost and 300-second workflow ceiling

Cons

  • Highest up-front cost — rarely justified by SOC 2 alone
  • Migration risk against a standard you can already hit on Bubble

Composite case study

What an honest SOC 2 migration looks like in practice.

Pre-A B2B SaaS · 18 months on Bubble

Founder had 11 paying customers and a stalled enterprise pilot whose security review demanded a current SOC 2 Type II before contract. We ran an 8-week readiness sprint on the existing Bubble app — formalised privacy rules, documented change management, set up log shipping to S3, wrote the system description with Bubble as named sub-service organisation. CPA firm completed the Type I bridge in week 10, then a 3-month Type II observation window. The team never left Bubble.

Outcome: Type II report issued at month four with zero exceptions; enterprise pilot signed within 11 days of report delivery, and two competing enterprise conversations that had been sitting in vendor risk closed the same quarter.

Composite case study assembled from patterns we've seen across multiple SOC 2 readiness engagements with Bubble-native B2B SaaS teams. Anonymised for client privacy — happy to walk you through specific engagements in a scoping call.

Frequently asked

What founders ask about SOC 2 on Bubble.

Pulled from real conversations with founders running healthcare, fintech, and B2B SaaS apps off Bubble. Every answer is grounded in the source we cited above — no marketing fluff.

Q01 · Has Bubble ever supported SOC 2?

Yes — uniquely among the standards we cover, Bubble holds a SOC 2 Type II report for the Security category, audited by Sensiba LLP. Their manual is explicit that the report covers the platform, not your app, and that the compliance doesn't automatically transfer. So Bubble has it; your app still needs its own examination.

Q02 · Will an auditor accept Bubble's report as a sub-service organisation?

Yes, that's exactly how it works. Your auditor treats Bubble as a sub-service organisation, inherits the platform controls in scope of Bubble's report, and tests the complementary user-entity controls you're responsible for — access management, privacy rules, change management. You'll need a current Bubble report; pull it through Bubble Sales before kickoff.

Q03 · Can I do this without rebuilding off Bubble?

For SOC 2 alone, yes. This is the one standard in the cluster where staying on Bubble is the recommended path. Inherit Bubble's platform controls, engage a CPA firm, run a 3–12 month observation window. Pre-A and Series A B2B SaaS regularly close enterprise deals on this exact path without ever leaving Bubble.

Q04 · How long does a Type II audit actually take?

Plan for two windows. Readiness — gap assessment, control design, evidence collection — runs 6–12 weeks. Then the audit observation period itself is 3 months for the shortest viable Type II, 6 months for what most enterprise buyers prefer, 12 months for full-cycle. Pick the window your earliest enterprise deal requires.

Q05 · Does SOC 2 also satisfy ISO 27001 or HIPAA?

It aligns with ISO 27001 — roughly 70% control overlap — but ISO is a certification of an information-security management system, not an attestation of controls. EU and UK buyers often demand the ISO certificate alongside SOC 2. HIPAA is unrelated: SOC 2 is voluntary and contractual, HIPAA is statutory, and Bubble explicitly declines BAAs.

Q06 · Can Bubble sign a DPA or BAA for SOC 2 purposes?

Bubble signs a GDPR-compliant DPA covering personal data of end users with Standard Contractual Clauses and the EU-US Data Privacy Framework. They do not sign BAAs. For SOC 2 purposes the DPA is enough; you reference it as the contract with your sub-service organisation in your system description.

Q07 · What about plugins — do they break SOC 2?

Plugins aren't covered by Bubble's SOC 2 audit. Your auditor will treat each privileged plugin as a vendor you have to manage. Keep an inventory, document why each plugin is necessary, monitor what data it touches. The minor severity entry above isn't "don't use plugins" — it's "document them as part of your control environment."

Sources

Every claim, traced to a primary source.

The numbered references in the body link here. We cite first-party documents — regulator guidance, vendor manuals, industry standards — never marketing copy.

  1. [01]
  2. [02] Security and compliance — Bubble for Enterprise · Bubble Group Inc. · manual.bubble.io
  3. [03] Logs tab — server log retention and search window · Bubble Group Inc. · manual.bubble.io
  4. [04]

Want a real answer for your app, not your category?

Drop your .bubble export. We’ll tell you what SOC 2 costs to actually achieve.

Free. 10 minutes. No call. Reads every workflow, surfaces every PII / WU / scaling risk, and produces a fixed-price rebuild plan grounded in SOC 2’s real requirements.