Security

Bubble Security Review

Manual security audit by senior engineers. We trace every auth path, every secret, and every integration in your Bubble app and tell you what's broken.

Security issues we find in Bubble apps

Each pattern below is documented in primary sources. Most of them are the default behaviour of a new Bubble app, so they ship to production unless someone changes the setting.

Privacy Rules missing or 'Everyone else' allowed

A new Data Type has no Privacy Rules, so the 'Everyone else' role can view every field of every row: any logged-in user on the page, and any anonymous caller if the Data API is enabled for that type. Most scanned Bubble apps have at least one Data Type without rules.

Client-side filtering exposes the unfiltered dataset

When a list is narrowed client-side (for example with :filtered and an Advanced condition), the server returns every record the Privacy Rules allow and the browser discards the rest. The Network tab in DevTools shows the full payload, including fields the page never displays.

Data API key exposed and not rotated

The Data API is often left enabled with no Privacy Rules on the types it exposes, so anonymous requests return rows with or without a token. Where a token has been issued, it is rarely rotated after it has been exposed.

Sensitive fields in API responses

OTPs, password reset tokens, and fields the page hides leak through the Data API unless Privacy Rules name exactly which fields each role may view. Hiding a field in the UI is not a rule.

File Uploader allows arbitrary types

The File Uploader accepts any file type unless you restrict it, and uploads are stored on S3 at a public URL unless the uploader marks the file private and attaches it to a record covered by Privacy Rules. Anyone who obtains the URL can fetch the file without authentication.

Backend workflows callable as API endpoints

An exposed backend workflow with 'This workflow can be run without authentication' checked, and no condition that checks the calling user, can be invoked by anyone who knows its name. 'Ignore privacy rules when running the workflow' then removes the last data-level check.
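The following check is an added example, not code from this page or from Bubble, covering the Privacy Rule, Data API, sensitive-field and backend-workflow patterns above in one pass. It assumes the Data API URL shape https://<app>/api/1.1/obj/<type> (test version: /version-test/api/1.1/...), API workflows at .../api/1.1/wf/<name>, and a list response of the form {"response": {"cursor": 0, "results": [...], "count": N, "remaining": M}}. The host, Data Type names and responses are constructed so it runs offline; the `fetch` callable is a stand-in for real HTTP against an app you are authorised to test.

```python
"""Offline audit of Bubble Data API and API-workflow exposure (added example).

Assumptions, not Bubble's API contract: URL shapes as in the lead-in, and
`fetch(url, headers) -> (status_code, parsed_json_or_None)`. Replace
`fake_fetch` with a real HTTP client (no Authorization header) to audit an
app you own; the transport (GET vs POST for workflows) is the caller's job.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str, Dict[str, str]], Tuple[int, Optional[dict]]]

# Field names that usually mean a Privacy Rule should be field-scoped.
SENSITIVE_FIELD = re.compile(r"otp|token|reset|password|secret|api[_ -]?key|ssn", re.I)
# Bubble-hosted uploads live under this S3 prefix (assumption: current bucket layout).
BUBBLE_FILE_URL = re.compile(r"s3\.amazonaws\.com/appforest_uf/")


def data_api_url(app_host: str, data_type: str, version: str = "live") -> str:
    """Build the Data API list URL for a Data Type (type names are lowercase)."""
    prefix = "" if version == "live" else f"/{version}"
    return f"https://{app_host}{prefix}/api/1.1/obj/{data_type.lower()}"


def audit_data_types(app_host: str, data_types: List[str], fetch: Fetch,
                     headers: Optional[Dict[str, str]] = None) -> List[dict]:
    """Call each Data Type anonymously and report every type that returns rows,
    the fields those rows expose, and which of them look like secrets or files."""
    findings = []
    for dtype in data_types:
        status, body = fetch(data_api_url(app_host, dtype), headers or {})
        if status != 200 or not body:
            continue                      # 401/403/404: closed or not exposed
        resp = body.get("response", {})
        rows = resp.get("results", [])
        if not rows:
            continue                      # 200 with no rows: rules hid everything
        fields = set()
        for row in rows:
            fields.update(row.keys())
        findings.append({
            "type": dtype,
            # count = rows in this page, remaining = rows still fetchable
            "reachable_rows": resp.get("count", len(rows)) + resp.get("remaining", 0),
            "fields": sorted(fields),
            "sensitive_fields": sorted(f for f in fields if SENSITIVE_FIELD.search(f)),
            "file_fields": sorted(f for f in fields if any(
                isinstance(r.get(f), str) and BUBBLE_FILE_URL.search(r[f]) for r in rows)),
        })
    return findings


def audit_workflows(app_host: str, names: List[str], fetch: Fetch) -> List[str]:
    """Return API workflows that answer an unauthenticated call. Assumption:
    401/403/404 mean closed; anything else (including 400 for missing
    parameters) means the workflow accepted an anonymous caller."""
    return [n for n in names
            if fetch(f"https://{app_host}/api/1.1/wf/{n}", {})[0] not in (401, 403, 404)]


# ---- constructed offline stand-in for a live app (values are made up) ----
APP = "example-app.bubbleapps.io"   # hypothetical host
CONSTRUCTED = {
    data_api_url(APP, "User"): (200, {"response": {"cursor": 0, "count": 2, "remaining": 0,
        "results": [
            {"_id": "1700000000000x100", "email": "a@example.com", "otp_code": "482913",
             "avatar": "//s3.amazonaws.com/appforest_uf/f1700000000000x101/me.png"},
            {"_id": "1700000000000x102", "email": "b@example.com", "otp_code": "118822"},
        ]}}),
    data_api_url(APP, "Invoice"): (200, {"response": {"cursor": 0, "count": 0,
                                                       "remaining": 0, "results": []}}),
    data_api_url(APP, "AuditLog"): (401, None),
    f"https://{APP}/api/1.1/wf/send_payout": (400, {"statusCode": 400}),
    f"https://{APP}/api/1.1/wf/nightly_report": (401, None),
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[dict]]:
    return CONSTRUCTED.get(url, (404, None))


if __name__ == "__main__":
    for finding in audit_data_types(APP, ["User", "Invoice", "AuditLog"], fake_fetch):
        print(finding)
    print("open workflows:", audit_workflows(APP, ["send_payout", "nightly_report"], fake_fetch))
```

On the constructed data the User type is reported with otp_code flagged as sensitive and avatar as a hosted file, Invoice is skipped because the rules returned no rows, AuditLog is skipped as closed, and send_payout is the only workflow that accepted an anonymous caller. The field-name heuristic is deliberately loose; the point is to list every field the API hands to an anonymous caller so a reviewer can decide which ones the Privacy Rules should have scoped.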

Workload Unit explosion from inefficient searches

Heavy on-page searches re-run on every state change, and each run is billed. There are public reports of $10k+/month bills from apps that grew past their plan's included WU.

What a Bubble Security Review covers

Authentication and authorization audit (specific to Bubble's patterns)
Secret exposure scan (API Connector keys not marked private, plugin keys, anything the client bundle or Network tab reveals)
Database and data-access review (Privacy Rules per Data Type and field, Data API exposure, file privacy)
External integration security (Stripe, OAuth, file uploads)
Input validation and output encoding review
Severity-ranked written report citing the page, element, workflow, or Data Type for each finding
Async Q&A after delivery

Frequently asked questions

Are my Bubble Privacy Rules actually working?
Often not. A new Data Type has no rules, so its data is wide open via the Data API. Even when rules are set, a client-side filter downloads every record the rules permit before the page's own filter is applied, so the browser still receives more than it displays. We audit rules, field scopes, and the Data API as part of every Bubble security review.
How do I lower my Bubble Workload Unit bill?
Most overspend comes from on-page searches that re-run on every state change, recursive scheduled workflows with no termination condition, and bulk operations triggered during user actions. We profile your app's WU usage and refactor the high-cost paths.
Can I migrate off Bubble?
Yes, but it's always a rebuild — Bubble's runtime is proprietary and there's no code export. We extract data via the Data API, redesign the data model in Postgres, and rebuild workflows in Node or NestJS. From $800.

Find what's broken before users do.

Manual security review of your Bubble app. From $300.

Request a Security Review