Security at Supabase

Supabase is trusted by thousands of developers for building and deploying secure applications.

Supabase security


Supabase is SOC2 Type 2 compliant. Enterprise and Teams customers can request a copy of our SOC2 report here.


Supabase is HIPAA compliant. Enterprise and Teams customers can request to sign our BAA here.

Data Encryption

All customer data is encrypted at REST with AES-256 and in transit via TLS.

Sensitive information like access tokens and keys are encrypted at the application level before they are stored in the database.

Github security integration

We have partnered with GitHub to scan for Supabase service role API keys. If any Supabase API keys are pushed to GitHub, they are automatically revoked.

Role-based access control

Members of organizations in Supabase can be granted access to specific resources.


All customer databases are backed up every day.

Point in Time Recovery allows restoring the database to any point in time. Customers from the Pro plan have access to this feature as an add-on.

Payment processing

Supabase uses Stripe to process payments and does not store personal credit card information for any of our customers.

Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.

Vulnerability Management

Supabase works with industry experts to conduct regular penetration tests.

In addition to internal security reviews, we use various tools to scan our code for vulnerabilities including GitHub, Vanta, and Snyk.

Documents Center

As a database company, being SOC2 compliant is important when handling sensitive customer data. Access Supabase’s security policies by requesting for our latest SOC2 report.

You can build healthcare apps on our hosted platform once you enter into a Business Associate Agreement (BAA) with us and fulfill your HIPAA obligations under our shared responsibility model.