Security

Threat Model

What bubbl.cx protects you from — and what it doesn't.

Most privacy services make vague promises. We'd rather be specific. Here's exactly what we defend against, where we have limitations, and what falls outside our scope.

What we protect against

ISP and network surveillance
Your ISP sees an encrypted connection to our server. They cannot see what you do inside your bubble. All VM traffic exits through an encrypted VPN tunnel in a separate jurisdiction.
Browser fingerprinting and tracking
Each bubble is a fresh Windows install. No cookies, no history, no fingerprint carry-over between sessions. Pop it and every trace is destroyed.
Data persistence after deletion
When you pop a bubble, the VM is destroyed, the disk is wiped, VPN keys are deleted, and the database row is removed. On NVMe storage with TRIM, the freed blocks are electrically zeroed by the drive controller. There is nothing left to recover.
Cross-tenant attacks
VMs are network-isolated at the hypervisor level. Your bubble cannot communicate with any other customer's bubble. A malicious neighbor cannot scan, probe, or detect your machine.
IP exposure
Websites and services you access from your bubble see the VPN exit node's IP — never your real IP, and never the server's IP. If the VPN tunnel drops, traffic is blocked entirely rather than falling back to the server's uplink, so there is no fallback path through which traffic can leak.
Identity linkage
Signup requires no email, no name, no phone number. You pay with cryptocurrency. We store a random account number and a password hash. That's it.
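The kill-switch behaviour described under IP exposure, written out as an nftables ruleset. This is an added example, not bubbl.cx's own configuration; the interface names wg0, eth0 and br-bubbles, the endpoint 203.0.113.10 and UDP port 51820 are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example of a WireGuard kill switch, not the service's own ruleset.
# Placeholders: tunnel wg0, uplink eth0, VM bridge br-bubbles,
# VPN endpoint 203.0.113.10 (documentation address) on UDP 51820.
flush ruleset

define vpn_if       = "wg0"
define uplink_if    = "eth0"
define vm_bridge    = "br-bubbles"
define vpn_endpoint = 203.0.113.10
define vpn_port     = 51820

table inet killswitch {
    # Packets forwarded on behalf of the VMs may leave only via the tunnel.
    # If wg0 is down, the default route falls back to eth0, nothing here
    # matches an accept, and the packet is dropped instead of leaking.
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname $vm_bridge oifname $vpn_if accept
        iifname $vpn_if oifname $vm_bridge ct state established,related accept
        counter drop
    }

    # The host's own traffic: loopback, the tunnel, and the WireGuard
    # datagrams that carry the tunnel itself. Deliberately no blanket
    # "ct state established accept": after the tunnel drops, an existing
    # flow re-routed onto eth0 would still match it and leak.
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname $vpn_if accept
        oifname $uplink_if ip daddr $vpn_endpoint udp dport $vpn_port accept
        counter drop
    }
}
```

Masquerading the VM subnet onto wg0 and the WireGuard peer configuration are outside this fragment. To verify the switch, bring wg0 down, generate traffic from a VM, and check that the forward chain's drop counter increments while nothing appears on eth0.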

What we minimize but cannot eliminate

Hypervisor-level access
We operate the server your VM runs on. This means we technically have the ability to inspect VM memory or disk. We don't, and our business depends on not doing so — but we cannot cryptographically prove this. This is an inherent limitation of all VM-based hosting. If your threat model includes a malicious hosting provider, use dedicated hardware you control.
Shared exit IP reputation
All bubbles share VPN exit nodes. If another customer abuses the service, the exit IP could be flagged by certain websites. We monitor for abuse and maintain multiple exit nodes to mitigate this.
Metadata timing analysis
An adversary watching both your home connection and the VPN exit could theoretically correlate traffic by timing. This is a limitation of all VPN-based systems.

What we do not protect against

State-level adversaries with physical access
If a government seizes the running server, memory contents could theoretically be dumped. Disk encryption protects data at rest when powered off, but not a live system. However, if a bubble has been popped before seizure, there is nothing to recover — the VM, disk blocks, and keys no longer exist.
Your own operational security
If you log into personal accounts, post identifying information, or reuse credentials from your bubble, those actions can be linked back to you regardless of our infrastructure.
Compromise of your local machine
If your personal computer is compromised with malware or a keylogger, an attacker can see everything you do in the browser-based desktop session. We protect the VM, not the device you view it from.

The honest version: Bubbl is for people who want a disposable, VPN-routed desktop without spending hours configuring VMs, WireGuard, and firewall rules themselves. It is not a replacement for Tails on air-gapped hardware. We've minimized what we store, what we can see, and what survives deletion — but the trust relationship between you and your VM host is real, and we won't pretend otherwise.

What we store

Account: random 16-digit number + bcrypt password hash + active plan + expiry date. No email, no name, no IP logs.
Bubbles: VM identifier + internal IP + plan tier + creation date. Deleted permanently when you pop.
Payments: handled entirely by the payment processor. We receive a "paid" webhook. We do not see or store payment details.
Logs: none. No access logs, no connection logs, no activity logs. Server runs memory-only swap.
