// Trust & Security Report

    Supabase Inc logo

    Supabase Inc

    Postgres development platform (managed database, Auth, Storage, Edge Functions, Realtime, Vector) plus self-hostable open-source stack

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Supabase is SOC 2 Type 2 compliant.

    Verify on supabase.com
    ISO/IEC 27001:2022
    HELD

    Supabase is ISO 27001 certified.

    Verify on supabase.com
    HIPAA
    HELD

    Supabase is HIPAA compliant. Protected Health Information storage requires a Business Associate Agreement and adherence to their shared responsibility model.

    Verify on supabase.com
    PCI DSS
    HELD

    Listed on the Supabase Trust Center certifications list (SOC 2 Type 2, ISO/IEC 27001:2022, HIPAA, PCI DSS, GDPR). On the security page PCI DSS is attributed to payment processor Stripe ('a certified PCI Service Provider Level 1'), so the certification covers payment handling via Stripe rather than a self-attested Supabase PCI certificate. Scope ambiguous.

    Verify on trust.supabase.io
    GDPR
    HELD

    Listed as 'GDPR' under Certifications on the Trust Center; a Data Processing Addendum is published at supabase.com/legal/dpa and Supabase 'processes such Customer Data on behalf of and under the instructions of the relevant customer, in accordance with their data processing addendum.'

    Verify on trust.supabase.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer selects a region (AWS regions across North America, South America, EU, UK, Asia-Pacific) at project creation; data residency is pinned to the chosen region. Self-hosting allows full control of residency.

    Terms of Service state: 'Supabase will not use, nor allow any third-party to use, Customer Data, Customer's AI Input, or any AI Output to train, fine-tune, or otherwise improve any artificial intelligence or machine learning model, without Customer's prior written consent.' For Supabase's own AI features (e.g. the dashboard Assistant), it collects query inputs and generated outputs but the no-training-without-consent prohibition still applies.

    // Security controls

    Encryption at rest

    All customer data encrypted at rest with AES-256

    supabase.com

    Encryption in transit

    Data in transit encrypted via TLS; sensitive items like access tokens encrypted at the application level before storage

    supabase.com

    Penetration testing

    Supabase works with industry experts to conduct regular penetration tests, supplemented by internal security reviews and tools (GitHub, Vanta, Snyk)

    supabase.com

    Bug bounty / vulnerability disclosure

    Vulnerability Disclosure Program on HackerOne (hackerone.com/supabase), launched late 2025. Currently recognition-only with paid bounties planned for 2026; 139 reports resolved from 96 researchers. Scope includes api.supabase.com, database.dev, GitHub repos, and MCP Server.

    hackerone.com

    Trust Center / security review

    Self-serve Trust Center (powered by SecurityPal) with downloadable docs (Information Security Policy, Transfer Impact Assessment, Code of Conduct), controls catalog, subprocessor list, and security-review request flow

    trust.supabase.io

    Row Level Security (RLS)

    Postgres Row Level Security available for fine-grained authorization on every project

    supabase.com

    // Products & data scope

    Supabase Cloud (Free / Pro)Managed Postgres BaaS

    data: Customer-hosted application data (database rows, auth users, storage objects, vector embeddings) on Supabase-managed AWS infrastructure in a customer-chosen region.

    Self-serve tiers for individuals and startups. SOC2/ISO reports and HIPAA BAA gated to Team/Enterprise tiers.

    Supabase Team / EnterpriseManaged Postgres BaaS (compliance-grade)

    data: Same data classes as Cloud, plus access to SOC 2 report and ISO 27001 certificate via dashboard; HIPAA BAA available; custom security reviews and DPA.

    Compliance artifacts (SOC2 report, ISO cert) restricted to Team and Enterprise customers. Required for regulated/PHI workloads.

    Self-hosted Supabase (open source)Self-hostable open-source stack

    data: Customer controls all infrastructure and data residency; Supabase Inc has no access to data.

    Open source from day one (Apache/MIT components). No vendor data processing; compliance becomes the operator's responsibility.

    // What to watch

    • PCI DSS appears on the Trust Center cert list but on the security page is attributed to Stripe (payment processor) rather than a standalone Supabase PCI certificate; scope should be stated as 'payments via Stripe' rather than implying Supabase is PCI certified.
    • SOC2 report and ISO 27001 certificate are gated behind Team/Enterprise dashboard access, not publicly downloadable.
    • HackerOne program is a Vulnerability Disclosure Program (recognition-only as of mid-2026); paid bounties planned for 2026 but not yet confirmed live.

    // At a glance

    Pricing model

    Freemium / usage-based: Free, Pro, Team, and Enterprise tiers; plus free self-hosted open-source option

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Supabase Inc's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.supabase.io

    > Browse all vendor trust reports