Security, Encryption, Sustainability & GDPR

Good morning all,

I’m relatively new to Adalo (just coming to the end of my first month) and am, so far, really impressed both with the platform and the support I’ve been getting from the team. I can see a bright and exciting future for this project.

I have been a “Bubble”-er for 2-3 years now, and the speed of development which Adalo offers far outstrips that of Bubble, albeit, Bubble’s API connector is a bit more advanced (allowing for much greater scope with apps built there). The ability to deploy to the App Store in one click for iOS is incredible (and works!). I am a big fan already.

While I’m sure it’s irritating, Bubble are a little further ahead in their journey, so I make a few comparisons here. In particular, they recognise that people are investing a lot of time learning their platform and building the future of apps and services using their product. Some of those require investment from third parties. As part of their commitment to the community, they published their ‘guide to Bubble for investors’.

There have also been a number of forum posts to help get some background (the sort of background useful for pitch decks, discussions and website FAQs) which I have assimilated below. It would be great to get the Adalo team’s take on these topics and I’m sure the community will find them helpful:

  1. Guarantee
     “While we plan on being around for a long time, we’ve committed publicly to release our code in open source with migration instructions if we ever were to shut down shop and cease offering our service.” - Has Adalo made any such guarantee?

  2. GDPR

  • Have you committed to the EU-US Privacy Shield Framework?
  • If not, is it possible to locate Adalo apps on EU servers?
  • Have you got Data Processing Agreements (DPAs) with your own sub-suppliers?
  • Will you be offering a DPA to Adalo clients - Bubble have included theirs in their terms of service?
  • Breach notification - in the EU, we have a duty to disclose breaches of clients’ data within ‘a timely manner’ (the thinking seems to be ~72 hours as a max) - will you undertake to notify us within 24-48h of any such breach so that we can do so?
  • Have you/can you release the full list of data sub-processors (see Bubble)?

  3. Security & Encryption
  • How would you describe the ‘plus points’ of the current security and encryption regime at Adalo? Have you got roadmapped improvements planned?
  • Are you planning to offer 2FA at all?
  • Same question for Face ID for the iOS apps?
12 Likes

Hey! While our policies are not as well fleshed out as Bubble’s, a lot of our general practices are consistent with the way we handle things. We have not yet made a public guarantee about source code, but we’d be happy to sign a contract with you directly and put that in as a clause. We also should get a document together detailing this for investors / larger customers; that’s a great thing to have.

GDPR

We’re compliant with some aspects, but are lacking in others. We are not yet using EU-US Privacy Shield, and also do not currently offer EU-based servers; however, this is something that is rapidly approaching on our roadmap and definitely something we will be addressing in the coming months. In terms of other aspects of GDPR (data processing, transmission, right to be forgotten, storing & transmitting encrypted data), we are in compliance. Adalo does not transmit, sell, or otherwise use any data from users of your Adalo apps. That data is yours to handle as you see fit, or export for use in other systems. We can also commit to notifying our customers of breaches to their users’ data within 24-48 hours from when we are made aware.

Security

We’re currently still in the early stages as a company, but we’re still committed to keeping our users’ data safe and secure. We currently use industry-leading encryption for data in transit and at rest, and we have added layers of security for some extra-sensitive pieces of data like credit cards (Stripe) and passwords (bcrypt). We have several items on our roadmap that will let us automatically track which users have accessed which data, for things like HIPAA compliance, but that is not yet complete. We don’t currently offer 2FA or Face ID, but we plan on adding this or other security mechanisms (like SMS-based logins) in the near future.

11 Likes

Thanks so much Jeremy - this is really helpful!

Can you give us an update on this? Have you committed to the EU-US Privacy Shield Framework yet, or do you offer an EU server option?

3 Likes

We’d also like to know if there’s an update on this. EU servers ideally, or Privacy Shield compliance, are a must-have for us to deploy. It’s such a shame as we love the platform!

4 Likes

Would love an update on this. I can only speak for my small company, but if Adalo gets HIPAA compliance I will be the first to throw all my money at them.

As a mobile engineer, most “plug and play” app tools allow you to do very basic database features; most of them link to a Google Firebase DB environment. For companies whose business is the mobile app itself, their top concern is security compliance. Regardless of how great a mobile building tool may be, without the security it’s a hard pass. Until then, I’ll stick to coding my apps from scratch.

2 Likes

If you are offering EU servers, maybe also have the option of Asia/Australian server.

My current app with Bubble runs on an AWS Sydney server (obviously I pay for the dedicated AWS instance) and the Bubble team manage it and their platform (which I pay for).

The main reason I am looking at Adalo is your native app capability, as this is truly amazing, but being able to run an app with good resources, without resources being drained by either my many users or “noisy” neighbours would be amazing.

1 Like

Hi @jeremy, have you got any feedback regarding all items ongoing for GDPR and security?

In Europe, we won’t be able to go live without a minimum set of GDPR requirements (the most complex could wait a bit I think).

Many thanks. I’m currently working on my whole setup for the incoming launch of my business, based on Adalo as the backend and partly the front-end.

1 Like

True, no European market apps without clear GDPR requirements fulfilled here… Where are collections stored in Adalo, AWS or some home-based Adalo servers?

Just added another thread:

1 Like

Do you have an update? Here or there Taking the Brakes Off

2 Likes

Hi there, can we get any update on that please?

1 Like

Please refer to this request and add your upvote to it in order to be informed when there has been progress made on this. https://ideas.adalo.com/feature-requests/p/gdpr-specific-actions

We are doing our best to put in place the systems needed for these processes and compliance but they take time. We hope you understand and bear with us.

1 Like

Can we use AWS as backend for Adalo app (frontend)? Seems it would help solve a number of issues, is it in works?

3 Likes

Hey!

One quick question : is there any action planned to work on SCC at Adalo? That would / will allow to bypass the Privacy Shield issue, and let European makers (and any maker with European users) build compliant apps…

Many thanks!

1 Like

Hey @ChristopheHK, I’m not familiar with SCC. Could you provide me some further details on this so I may add it to the ticket regarding GDPR if needed?

Hey @Colin,

Hereafter are some useful links dealing with the Standard Contractual Clauses / SCC:

It’s something to put in lawyers’ hands…

1 Like

Thanks for the info - will pass it through the right channels.

3 Likes

Many thanks @colin,
It will be of great interest and help for any EU maker and even any maker building pro apps targeting EU users.

2 Likes

Hello everyone, is there any update please regarding GDPR?

1 Like