// Trust & Security Report
Supabase Inc
Postgres development platform (managed database, Auth, Storage, Edge Functions, Realtime, Vector) plus self-hostable open-source stack
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on supabase.com“Supabase is HIPAA compliant. Protected Health Information storage requires a Business Associate Agreement and adherence to their shared responsibility model.”
Verify on trust.supabase.io“Listed on the Supabase Trust Center certifications list (SOC 2 Type 2, ISO/IEC 27001:2022, HIPAA, PCI DSS, GDPR). On the security page PCI DSS is attributed to payment processor Stripe ('a certified PCI Service Provider Level 1'), so the certification covers payment handling via Stripe rather than a self-attested Supabase PCI certificate. Scope ambiguous.”
Verify on trust.supabase.io“Listed as 'GDPR' under Certifications on the Trust Center; a Data Processing Addendum is published at supabase.com/legal/dpa and Supabase 'processes such Customer Data on behalf of and under the instructions of the relevant customer, in accordance with their data processing addendum.'”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer selects a region (AWS regions across North America, South America, EU, UK, Asia-Pacific) at project creation; data residency is pinned to the chosen region. Self-hosting allows full control of residency.
Terms of Service state: 'Supabase will not use, nor allow any third-party to use, Customer Data, Customer's AI Input, or any AI Output to train, fine-tune, or otherwise improve any artificial intelligence or machine learning model, without Customer's prior written consent.' For Supabase's own AI features (e.g. the dashboard Assistant), it collects query inputs and generated outputs but the no-training-without-consent prohibition still applies.
// Security controls
Encryption in transit
Data in transit encrypted via TLS; sensitive items like access tokens encrypted at the application level before storage
supabase.comPenetration testing
Supabase works with industry experts to conduct regular penetration tests, supplemented by internal security reviews and tools (GitHub, Vanta, Snyk)
supabase.comBug bounty / vulnerability disclosure
Vulnerability Disclosure Program on HackerOne (hackerone.com/supabase), launched late 2025. Currently recognition-only with paid bounties planned for 2026; 139 reports resolved from 96 researchers. Scope includes api.supabase.com, database.dev, GitHub repos, and MCP Server.
hackerone.comTrust Center / security review
Self-serve Trust Center (powered by SecurityPal) with downloadable docs (Information Security Policy, Transfer Impact Assessment, Code of Conduct), controls catalog, subprocessor list, and security-review request flow
trust.supabase.ioRow Level Security (RLS)
Postgres Row Level Security available for fine-grained authorization on every project
supabase.com// Products & data scope
data: Customer-hosted application data (database rows, auth users, storage objects, vector embeddings) on Supabase-managed AWS infrastructure in a customer-chosen region.
Self-serve tiers for individuals and startups. SOC2/ISO reports and HIPAA BAA gated to Team/Enterprise tiers.
data: Same data classes as Cloud, plus access to SOC 2 report and ISO 27001 certificate via dashboard; HIPAA BAA available; custom security reviews and DPA.
Compliance artifacts (SOC2 report, ISO cert) restricted to Team and Enterprise customers. Required for regulated/PHI workloads.
data: Customer controls all infrastructure and data residency; Supabase Inc has no access to data.
Open source from day one (Apache/MIT components). No vendor data processing; compliance becomes the operator's responsibility.
// What to watch
- PCI DSS appears on the Trust Center cert list but on the security page is attributed to Stripe (payment processor) rather than a standalone Supabase PCI certificate; scope should be stated as 'payments via Stripe' rather than implying Supabase is PCI certified.
- SOC2 report and ISO 27001 certificate are gated behind Team/Enterprise dashboard access, not publicly downloadable.
- HackerOne program is a Vulnerability Disclosure Program (recognition-only as of mid-2026); paid bounties planned for 2026 but not yet confirmed live.
// At a glance
Pricing model
Freemium / usage-based: Free, Pro, Team, and Enterprise tiers; plus free self-hosted open-source option
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Supabase Inc's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.supabase.io