惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
博客园_首页
博客园 - 聂微东
V
V2EX
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
J
Java Code Geeks
Last Week in AI
Last Week in AI
The Cloudflare Blog
月光博客
月光博客
雷峰网
雷峰网
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Hugging Face - Blog
Hugging Face - Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
人人都是产品经理
人人都是产品经理
博客园 - Franky
腾讯CDC
Jina AI
Jina AI
博客园 - 叶小钗
大猫的无限游戏
大猫的无限游戏
阮一峰的网络日志
阮一峰的网络日志
量子位
爱范儿
爱范儿
美团技术团队
T
Tailwind CSS Blog
博客园 - 【当耐特】
D
Docker
IT之家
IT之家
V
Visual Studio Blog
P
Proofpoint News Feed
L
LangChain Blog
Engineering at Meta
Engineering at Meta
C
Check Point Blog
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
Recorded Future
Recorded Future

Supabase Blog

AI Agents Know About Supabase. They Don't Always Use It Right. Custom OIDC Providers for Supabase Auth 100,000 GitHub stars Supabase docs over SSH Navigating Regional Network Blocks Supabase Joins the Stripe Projects Developer Preview Log Drains: Now available on Pro Supabase Storage: major performance, security, and reliability updates Supabase incident on February 12, 2026 Hydra joins Supabase X / Twitter OAuth 2.0 is now available for Supabase Auth BKND joins Supabase Supabase is now an official Claude connector Supabase PrivateLink is now available Introducing: Postgres Best Practices When to use Read Replicas vs. bigger compute Introducing TRAE SOLO integration with Supabase Supabase Security Retro: 2025 Sync Stripe Data to Your Supabase Database in One Click Building ChatGPT Apps with Supabase Edge Functions and mcp-use Own Your Observability: Supabase Metrics API Introducing iceberg-js: A JavaScript Client for Apache Iceberg Introducing Supabase for Platforms Adding Async Streaming to Postgres Foreign Data Wrappers Build "Sign in with Your App" using Supabase Auth Introducing Seven New Email Templates for Supabase Auth The new Supabase power for Kiro Introducing Supabase ETL Introducing Analytics Buckets Introducing Vector Buckets Snap, Inc. Launches Snap Cloud, Powered by Supabase Triplit joins Supabase Supabase Series E 1000 Y Combinator Founders Choose Supabase gm 👋 web3, welcome aboard to Sign in with Web3 (Solana, Ethereum) Announcing the Supabase Remote MCP Server Enterprise speed, enterprise standards with Bolt Cloud + Supabase PostgREST 13 Lovable Cloud + Supabase: The Default Platform for AI Builders Processing large jobs with Edge Functions, Cron, and Queues Defense in Depth for MCP Servers OrioleDB Patent: now freely available to the Postgres community Supabase Launch Week 15 Hackathon Winner Announcement The Vibe Coder's Guide to Supabase Environments Testing for Vibe Coders: From Zero to Production Confidence The Vibe Coding Master Checklist Vibe Coding: Best Practices for Prompting Supabase Auth: Build vs. Buy Top 10 Launches of Launch Week 15 Supabase Launch Week 15 Hackathon Storage: 10x Larger Uploads, 3x Cheaper Cached Egress, and 2x Egress Quota Persistent Storage and 97% Faster Cold Starts for Edge Functions Algolia Connector for Supabase New Observability Features in Supabase Improved Security Controls and A New Home for Security Introducing Branching 2.0 Stripe-To-Postgres Sync Engine as standalone Library Supabase Analytics Buckets with Iceberg Support Create a Supabase backend using Figma Make Introducing JWT Signing Keys Supabase UI: Platform Kit Build a Personalized AI Assistant with Postgres Announcing Multigres: Vitess for Postgres Building on open table formats Open Data Standards: Postgres, OTel, and Iceberg Simplifying back-end complexity with Supabase Data APIs PostgreSQL Event Triggers without superuser access Top 10 Launches of Launch Week 14 Supabase MCP Server Data API Routes to Nearest Read Replica Declarative Schemas for Simpler Database Management Realtime: Broadcast from Database Keeping Tabs on What's New in Supabase Studio Edge Functions: Deploy from the Dashboard + Deno 2.1 Automatic Embeddings in Postgres Introducing the Supabase UI Library Supabase Auth: Bring Your Own Clerk Postgres Language Server: Initial Release Migrating from Fauna to Supabase Migrating from the MongoDB Data API to Supabase Dedicated Poolers Postgres as a Graph Database: (Ab)using pgRouting AI Hackathon at Y Combinator Calendars in Postgres using Foreign Data Wrappers Supabase Launch Week 13 Hackathon Winners How to Hack the Base! Running Durable Workflows in Postgres using DBOS database.build v2: Bring-your-own-LLM Restore to a New Project Hack the Base! with Supabase Top 10 Launches of Launch Week 13 Supabase Queues High Performance Disk Supabase Cron Supabase CLI v2: Config as Code Supabase Edge Functions: Introducing Background Tasks, Ephemeral Storage, and WebSockets Supabase AI Assistant v2 OrioleDB Public Alpha Executing Dynamic JavaScript Code on Supabase with Edge Functions ClickHouse Partnership, improved Postgres Replication, and Disk Management
Supabase is now HIPAA and SOC2 Type 2 compliant
Inian Parameshwaran · 2023-08-11 · via Supabase Blog

Supabase is now HIPAA and SOC2 Type 2 compliant

While we weren’t planning to do anything official for this announcement, the customer is always right.

Supabase is now officially SOC2 Type 2 and HIPAA compliant.

That’s all you need to know. The rest of this blog post will give you some background and what to expect if you’re planning to go through the same process.

We previously discussed the process the SOC2 Type 1. To recap,

  1. Type 1 certification verifies adherence to the guidelines at a specific point in time.
  2. Type 2 certification verifies compliance over a period of time.

We received our Type 2 certification on May 22nd of this year and we plan to conduct annual Type 2 audits to ensure adherence to SOC2 guidelines.

We used the same auditor for the Type 2 certification and knew mostly what to expect. Some of our internal processes needed to change to make it easier to the evidence for our auditor. Examples of the kind of requests our auditor would ask for:

  • List of all incidents which happened in a given time period. The postmortem for a few incidents from that list that the auditor chooses.
  • List of all access requests in a given time period.
  • List of vulnerabilities and when they were fixed
  • List of Data deletion requests and evidence that a particular request was actioned on within our SLA.

Some of these were readily available in Vanta, our compliance monitoring tool. For others, we had to develop new processes to ensure that this information was all readily available. The Type 2 audit involves gathering a lot more evidence than the Type 1 audit. If we didn’t have proper systems and process in place before the audit, it would have been painful during evidence collection.

Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets national standards for protecting individuals' medical records and personal health information. Companies building applications with sensitive healthcare data must comply with HIPAA to ensure the security and privacy of patients' information.

A couple of definitions before go further. A covered entity refers to healthcare providers, health plans, and health insurance companies. Business associates are entities that perform certain functions with protected health information (PHI) on behalf of a covered entity. Both Business Associates and Covered entities are covered (pun intended) under HIPAA. Supabase is a business associate and our customers handling PHI can either be covered entities or other business associates.

We receive many requests from users who want to build healthcare apps on top of Supabase. Since you can self-host Supabase, we often encourage these users to do so. Starting today, these users have the option to use our hosted platform too with the HIPAA add-on 🎉.

Going from SOC2 to HIPAA#

Going from zero to a SOC2 certification was much harder, than going from SOC2 to HIPAA.

We used the same auditor to streamline the process. Many of the controls required for HIPAA compliance could be mapped to the testing they had already done for SOC2. Additional evidence for encryption, audit logs, business continuity and disaster recovery exercises was unnecessary since the auditor already had access to it. And some of the HIPAA checks such as Facility Access Controls were not applicable to us since we are a remote company.

We also had to sign a Business Associate Agreement (BAA) with all of our vendors who would have access to PHI, such as AWS, and ensure that we follow their terms listed in the agreements. For example, when using AWS to store PHI, we could only use their HIPAA Eligible Services. There were similar requirements from the other vendors we use and to ensure that we were complying with all their requirements.

Similarly when you sign a BAA with us, you have some responsibilities you agree to when using Supabase to store PHI. These are documented in our shared responsibility doc.

We made a significant change to our incident management process for HIPAA. The HIPAA Breach Notification rules have strict requirements for handling breaches. For instance, business associates are required to notify the covered entity within 60 days of a breach. This also required us to appoint a HIPAA Security officer who would be responsible for reviewing any breach for PHI disclosure and communicating it’s impact to the Covered Entity.

The not-so-fun but important stuff included updating a bunch of our policies to cover HIPAA requirements such as enforcing automatic log-offs as part of our workstation security policy. Shopping for a good Technology Errors and Omissions Insurance plan was another boring but important thing we had to finalize in the off-chance that we get hacked despite all our measures. HIPAA fines are no joke, you could rake up to 1.9 million dollars per violation per calendar year depending the severity of the breach!

If you want to start developing healthcare apps on Supabase, reach out to our team here to sign our BAA. We are excited to see what you build!