Our Bubble Architecture Standards Document
Every application that leaves our studio meets a defined set of architecture standards. Not aspirational guidelines — pass/fail criteria applied to every data type, workflow, search, and API integration. Published here so founders know what standards to hold any Bubble team to.
The Architecture Standards Every Project We Build Must Meet
Every application that leaves our studio meets a defined set of architecture standards. These are not aspirational guidelines — they are pass/fail criteria applied to every data type, workflow, search expression, and API integration before a project is considered ready for production. We are publishing them here so that founders who are evaluating Bubble developers know what standards to hold any team to.
Every Data Type Must Pass These Checks
REQUIRED
: Every app-specific data type has a ‘workspace’ field
REQUIRED
: Every search has ‘workspace = current_workspace’ as first constraint
REQUIRED
: Every creation workflow sets ‘workspace = current_user’s workspace’
// Standard 2: Privacy Rules
REQUIRED
: Every data type has at least one explicit privacy rule
FORBIDDEN
: Any data type with ‘Everyone’ in its final privacy configuration
REQUIRED
: Tenant isolation test passed (two-browser test) before deployment
// Standard 3: Soft Deletes
REQUIRED
: Every data type has ‘is_deleted (yes/no)’ field
REQUIRED
: All searches exclude ‘is_deleted = yes’ records
REQUIRED
: Deleted records are anonymised not hard-deleted
// Standard 4: Static Data
REQUIRED
: All status fields, category fields, role names use Option Sets
FORBIDDEN
: Static enumeration data stored in a data type
Every Search Expression Must Pass These Checks
FORBIDDEN
: :filtered by in any search expression
REQUIRED
: All filtering via search constraints (WHERE clauses)
REQUIRED
: All repeating groups paginated to max 20 items
// Standard 6: Dashboard Performance
REQUIRED
: All dashboard counts are pre-calculated and stored
FORBIDDEN
: Live :count queries on page render for any dashboard metric
REQUIRED
: Denormalised counters updated on every create/delete workflow
// Standard 7: Workflow Architecture
REQUIRED
: Any operation >3 steps uses backend API workflow
REQUIRED
: Every API call has error detection immediately after
REQUIRED
: Every error creates an ErrorLog record
Every Workflow Must Pass These Checks
REQUIRED
: Every sensitive workflow has role check on Step 1 with Only when
FORBIDDEN
: Client-submitted role values trusted without server-side check
REQUIRED
: Stripe webhooks validate signature before any processing
// Standard 9: Billing Security
REQUIRED
: Subscription status updated ONLY by webhook events
FORBIDDEN
: Redirect URL setting subscription status
REQUIRED
: All 6 webhook events handled: checkout, updated, deleted,
payment_failed, payment_succeeded, trial_will_end
// Standard 10: Deployment
REQUIRED
: All changes built in development branch first
FORBIDDEN
: Direct edits to live branch in production
REQUIRED
: Pre-deployment checklist passed before every live deploy
Work With a Bubble Architect
Most developers build Bubble apps. We architect them. Data models designed for scale, multi-tenant security built from day one, Stripe billing that never fails, and workflows engineered for performance. This is what a Bubble Architect delivers.
