Security, Encryption, Sustainability & GDPR

Good morning all,

I’m relatively new to Adalo (just coming to the end of my first month) and am, so far, really impressed both with the platform and the support I’ve been getting from the team. I can see a bright and exciting future for this project.

I have been a “Bubble”-er for 2-3 years now, and the speed of development which Adalo offers far outstrips that of Bubble, albeit Bubble’s API connector is a bit more advanced (allowing for much greater scope with apps built there). The ability to deploy to the App Store in one click for iOS is incredible (and works!). I am a big fan already.

While I’m sure it’s irritating, Bubble are a little further ahead in their journey, so I make a few comparisons here. In particular, they recognise that people are investing a lot of time learning their platform and building the future of apps and services using their product. Some of those require investment from third parties. As part of their commitment to the community, they published their ‘guide to Bubble for investors’.

There have also been a number of forum posts to help get some background (the sort of background useful for pitch decks, discussions and website FAQs) which I have assimilated below. It would be great to get the Adalo team’s take on these topics and I’m sure the community will find them helpful:

  1. Guarantee
    “While we plan on being around for a long time, we’ve committed publicly to release our code in open source with migration instructions if we ever were to shut down shop and cease offering our service.” - Has Adalo made any such guarantee?

  2. GDPR

  • Have you committed to the EU-US Privacy Shield Framework?
  • If not, is it possible to locate Adalo apps on EU servers?
  • Have you got Data Processing Agreements (DPAs) with your own sub-suppliers?
  • Will you be offering a DPA to Adalo clients? Bubble have included theirs in their terms of service.
  • Breach notification - in the EU, we have a duty to disclose breaches of clients’ data within ‘a timely manner’ (the thinking seems to be ~72 hours as a max) - will you undertake to notify us within 24-48h of any such breach so that we can do so?
  • Have you/can you release the full list of data sub-processors (see Bubble)?
  3. Security & Encryption
  • How would you describe the ‘plus points’ of the current security and encryption regime at Adalo? Have you got roadmapped improvements planned?
  • Are you planning to offer 2FA at all?
  • Same question for Face ID for the iOS apps?

Hey! While our policies are not as well fleshed out as Bubble’s, a lot of our general practices are consistent with the way we handle things. We have not yet made a public guarantee about source code, but we’d be happy to sign a contract with you directly and put that in as a clause. We also should get a document together detailing this for investors / larger customers; that’s a great thing to have.

GDPR

We’re compliant with some aspects, but are lacking in others. We are not yet using EU-US Privacy Shield, and also do not currently offer EU-based servers; however, this is something that is rapidly approaching on our roadmap and definitely something we will be addressing in the coming months. In terms of other aspects of GDPR (data processing, transmission, right to be forgotten, storing & transmitting encrypted data), we are in compliance. Adalo does not transmit, sell, or otherwise use any data from users of your Adalo apps. That data is yours to handle as you see fit, or export for use in other systems. We can also commit to notifying our customers of breaches to their users’ data within 24-48 hours from when we are made aware.

Security

We’re currently still in the early stages as a company, but we’re still committed to keeping our users’ data safe and secure. We currently use industry-leading encryption for data in transit and at rest, and we have added layers of security for some extra-sensitive pieces of data like credit cards (Stripe) and passwords (bcrypt). We have several items on our roadmap that will let us automatically track which users have accessed which data, for things like HIPAA compliance, but that is not yet complete. We don’t currently offer 2FA or Face ID, but we plan to add this or other security mechanisms (like SMS-based logins) in the near future.


Thanks so much Jeremy - this is really helpful!