Security at Supabase
Supabase is trusted by thousands of developers for building and deploying secure applications.
SOC 2
Supabase is SOC 2 Type 2 compliant. This is an important security policy when handling sensitive customer data.
Enterprise and Teams customers can access our SOC 2 report on the dashboard.
HIPAA
Supabase is HIPAA compliant. You can store Protected Health Information (PHI) on our hosted platform once you enter into a Business Associate Agreement (BAA) with us and fulfill your HIPAA obligations under our shared responsibility model.
Enterprise and Teams customers can request to sign our BAA on the dashboard.
Data Encryption
All customer data is encrypted at rest with AES-256 and in transit via TLS.
Sensitive information such as access tokens and keys is encrypted at the application level before it is stored in the database.
Role-based access control
Members of organizations in Supabase can be granted access to specific resources.
Backups
All paid customer databases are backed up every day.
Point in Time Recovery allows restoring the database to any point in time. Customers from the Pro plan have access to this feature as an add-on.
Payment processing
Supabase uses Stripe to process payments and does not store personal credit card information for any of our customers.
Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.