Componly Security References

Supabase

Supabase comes down to its core services: database, authentication, file storage, and auto-generated APIs.

Certificates:
SOC 2: Supabase is SOC 2 Type 1 compliant.
Data encryption:
All customer data is encrypted at rest with AES-256 and in transit via TLS.
Sensitive information such as access tokens and keys is encrypted at the application level before it is stored in the database.
GitHub security integration: Supabase works with GitHub to scan for Supabase service role API keys. If any Supabase API keys are pushed to GitHub, they are automatically revoked.
Role-based access control: members of organizations in Supabase can be granted access to specific resources.
Backups:
All customer databases are backed up every day.
Enterprise customers have access to Point in Time Recovery, which enables restoring the database to any point in time.
Payment processing:
Supabase uses Stripe to process payments and does not store personal credit card information for any of its customers.
Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
Vulnerability management:
Supabase works with industry experts to conduct regular penetration tests.
In addition to internal security reviews, they use various tools to scan their code for vulnerabilities, including , , and .

Infrastructure security :
Production data backups conducted : The company performs periodic backups for production data. Data is backed up to a different location than the production system.
Intrusion detection system utilized : The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.
Database replication utilized : The company's databases are replicated to a secondary data center in real-time. Alerts are configured to notify administrators if replication fails.
Production database access restricted : The company restricts privileged access to databases to authorized users with a business need.
Remote access MFA enforced : The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
Access revoked upon termination : The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
Production network access restricted : The company restricts privileged access to the production network to authorized users with a business need.
Unique production database authentication enforced : The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH keys.
Remote access encrypted enforced : The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Encryption key access restricted : The company restricts privileged access to encryption keys to authorized users with a business need.
Production data segmented : The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.
Infrastructure performance monitored : An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
Production application access restricted : The company restricts privileged access to the application to authorized users with a business need.
Log management utilized : The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
Unique network system authentication enforced : The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
Organizational security :
Anti-malware technology utilized : The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
MDM system utilized : The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.
Password policy enforced : The company requires passwords for in-scope system components to be configured according to the company's policy.
Confidentiality Agreement acknowledged by contractors : The company requires contractors to sign a confidentiality agreement at the time of engagement.
Confidentiality Agreement acknowledged by employees : The company requires employees to sign a confidentiality agreement during onboarding.
Asset disposal procedures utilized : The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Product security :
Penetration testing performed : The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.
Data encryption utilized : The company's datastores housing sensitive customer data are encrypted at rest.
Data transmission encrypted : The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
System activity logged : The company captures system activity, including user activity, in transaction logs.
Vulnerability and system monitoring procedures established : The company's formal policies outline the requirements for the following functions related to IT / Engineering: vulnerability management, system monitoring.

Internal security procedures :
Continuity and disaster recovery plans tested : The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Backup processes established : The company's data backup policy documents requirements for backup and recovery of customer data.
Production deployment access restricted : The company restricts access to migrate changes to production to authorized personnel.
Vendor management program established : The company has a vendor management program in place. Components of this program include: critical third-party vendor inventory, vendor's security and privacy requirements, and review of critical third-party vendors at least annually.
Incident response policies established : The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
Change management procedures enforced : The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
Configuration management system established : The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Management roles and responsibilities defined : The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Security policies established and reviewed : The company's information security policies and procedures are documented and reviewed at least annually.
Roles and responsibilities specified : Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
Data center access reviewed : The company reviews access to the data centers at least annually.
Physical access processes established : The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.
Incident management procedures followed : The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.
Development lifecycle established : The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Continuity and Disaster Recovery plans established : The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.