Supabase

DatabaseMedium RiskVerified 2026-03-05

Visit website

Overview

Headquarters🇺🇸 USSan Francisco

US IncorporatedYes

CLOUD Act ExposureYes

InfrastructureAmazon Web Services

Regions (7 in 7 countries)

🇺🇸 US

US East Virginia · Ashburn

🇩🇪 DE

EU Frankfurt · Frankfurt

🇸🇬 SG

AP Singapore · Singapore

🇯🇵 JP

AP Tokyo · Tokyo

🇦🇺 AU

AP Sydney · Sydney

🇬🇧 GB

EU London · London

🇧🇷 BR

SA Sao Paulo · Sao Paulo

Compliance & Data

Certifications

✓ SOC 2✗ ISO 27001✓ GDPR✓ HIPAA✗ PCI DSS

Data Types Handled

Application DataPIILogs

Applicable Laws (9)

California Consumer Privacy Act (CCPA/CPRA)California, United States

Applies to businesses meeting revenue or data volume thresholds that handle California residents' data.

Max fine: USD 7,500 per intentional violationvia 🇺🇸 US

UK GDPRUnited Kingdom

UK has its own adequacy decisions separate from the EU. Transfers from the UK follow UK-specific rules.

Max fine: 4% of global annual turnover or GBP 17.5Mvia 🇬🇧 GB

CLOUD ActUnited States

Any US-incorporated provider or subsidiary may be compelled to disclose data regardless of where it is stored.

Max fine: Contempt of court penaltiesvia 🇺🇸 US

Act on the Protection of Personal InformationJapan

Cross-border transfers require consent or equivalent protection standards recognized by Japan's PPC.

Max fine: JPY 100M for corporate violationsvia 🇯🇵 JP

Personal Data Protection Act (Singapore)Singapore

Cross-border transfers require comparable protection standards in the receiving country.

Max fine: SGD 1M or 10% of annual turnovervia 🇸🇬 SG

General Data Protection RegulationEuropean Economic Area

Cross-border transfers to non-adequate countries require SCCs, BCRs, or other safeguards.

Max fine: 4% of global annual turnover or EUR 20Mvia 🇩🇪 DE

Lei Geral de Protecao de DadosBrazil

International data transfers require adequate protection or specific legal mechanisms.

Max fine: 2% of revenue in Brazil, up to BRL 50M per violationvia 🇧🇷 BR

FISA Section 702United States

US providers may be subject to surveillance orders targeting non-US persons, creating risk for EU data subjects.

Max fine: Contempt of court penaltiesvia 🇺🇸 US

Privacy Act 1988 (Australia)Australia

Organizations must take reasonable steps to ensure overseas recipients handle personal information in accordance with the APPs.

Max fine: AUD 50M or 30% of adjusted turnover (whichever is greater)via 🇦🇺 AU