Security at Supabase

Supabase is trusted by thousands of developers for building and deploying secure applications.

Supabase security


Supabase is SOC2 Type 1 compliant. Enterprise customers can request a copy of our SOC2 here.

Data Encryption

All customer data is encrypted at REST with AES-256 and in transit via TLS.

Sensitive information like access tokens and keys are encrypted at the application level before they are stored in the database.

Github security integration

We have partnered with GitHub to scan for Supabase service role API keys. If any Supabase API keys are pushed to GitHub, they are automatically revoked.

Role-based access control

Members of organizations in Supabase can be granted access to specific resources.


All customer databases are backed up every day.

Enterprise customers have access to Point in Time Recovery which enables restoring the database to any point in time.

Payment processing

Supabase uses Stripe to process payments and does not store personal credit card information for any of our customers.

Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.

Vulnerability Management

Supabase works with industry experts to conduct regular penetration tests.

In addition to internal security reviews, we use various tools to scan our code for vulnerabilities including GitHub, Vanta, and Snyk.

Request for our SOC2 documents

As a database company, being SOC2 compliant is important when handling sensitive customer data. Access more of Supabase’s security information by requesting for our latest SOC2 documents below.