An admin tool that passes the compliance review.
If you handle PHI or PHI-adjacent data, your admin tool has to satisfy auditors. Suparbase encrypts stored credentials at rest, proxies every request server-side so that secrets never reach the browser, and records every write in an audit log. That is the skeleton of a compliant operations stack; the policies around it are yours to add.
What auditors typically ask about
Credentials at rest
Stored credentials are encrypted with AES-256-GCM under a key you supply through an environment variable. The key is never written to a log and never returned over the wire. If you self-host, the key lives on your own infrastructure and never leaves it.
Audit trails per row
Every write records who made it, when, and what was touched (table, primary key, verb), plus the before and after row snapshots when they are available. The log is a queryable table, so compliance reports are ordinary SQL.
Row-Level Security verification
A built-in simulator runs SELECT, INSERT, UPDATE and DELETE against your tables with the JWT claims you specify, inside a transaction that is rolled back, so the check leaves no trace in your data. The output is evidence that isolation holds for the tenants and claims you exercised, which is what an auditor asks you to show.
Read-only by default
SQL playground and AI chat are read-only by default; writes require an explicit toggle or a confirmed proposal. Friction by design.
Role-based access
Service-role operations are explicit, named, and audit-logged. Anon and authenticated paths obey RLS.
Dedicated deployments
Team plans include single-tenant deployment with custom data retention and a DPA. Your data, your retention policy.
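To make the audit-trail and RLS-verification items above concrete, here is an added example, written for this page and not Suparbase's own code. It builds a minimal tenant table on plain PostgreSQL with a policy keyed on the JWT sub claim and a trigger that captures who/when/what plus the before and after row images, then simulates one tenant's session with every verb and rolls it back. The table, audit-log and role names (notes, audit_log, tenant_sim) are illustrative; the request.jwt.claims setting is assumed to match the setting PostgREST and Supabase populate from the caller's JWT.

```sql
-- Added example, not Suparbase's own code. Assumes plain PostgreSQL 13+
-- run as the table owner (e.g. via psql). The names notes, audit_log and
-- tenant_sim are illustrative; request.jwt.claims mirrors the setting
-- PostgREST/Supabase populate from the caller's JWT.

create table if not exists notes (
  id       bigserial primary key,
  owner_id uuid not null,
  body     text not null
);

-- One audit row per write: who (JWT sub), when, what (table, pk, verb),
-- and the before/after row images.
create table if not exists audit_log (
  id         bigserial primary key,
  actor      text,
  at         timestamptz not null default now(),
  table_name text not null,
  row_pk     text,
  verb       text not null,
  before_row jsonb,
  after_row  jsonb
);

-- security definer so the tenant role can write notes without being able
-- to read or edit audit_log; search_path pinned to avoid function hijack.
create or replace function audit_row() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  claims jsonb := nullif(current_setting('request.jwt.claims', true), '')::jsonb;
begin
  insert into audit_log (actor, table_name, row_pk, verb, before_row, after_row)
  values (
    coalesce(claims->>'sub', current_user),
    tg_table_name,
    coalesce(to_jsonb(new)->>'id', to_jsonb(old)->>'id'),
    tg_op,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end $$;

drop trigger if exists notes_audit on notes;
create trigger notes_audit
  after insert or update or delete on notes
  for each row execute function audit_row();

-- Tenant isolation: a row is visible or writable only when owner_id equals
-- the sub claim of the simulated JWT.
alter table notes enable row level security;
drop policy if exists notes_owner_only on notes;
create policy notes_owner_only on notes
  using (owner_id::text = nullif(current_setting('request.jwt.claims', true), '')::jsonb->>'sub')
  with check (owner_id::text = nullif(current_setting('request.jwt.claims', true), '')::jsonb->>'sub');

-- A non-owner role standing in for Supabase's "authenticated" role
-- (the table owner bypasses RLS, so the simulation must not run as it).
do $$ begin
  if not exists (select 1 from pg_roles where rolname = 'tenant_sim') then
    create role tenant_sim nologin;
  end if;
end $$;
grant select, insert, update, delete on notes to tenant_sim;
grant usage on sequence notes_id_seq to tenant_sim;

-- Constructed seed data for two tenants, inserted as the owner.
insert into notes (owner_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'tenant A note'),
  ('22222222-2222-2222-2222-222222222222', 'tenant B note');

-- Simulated session: tenant A's claims, every verb, then ROLLBACK so
-- neither the data changes nor the audit rows they produced persist.
begin;
set local role tenant_sim;
set local request.jwt.claims =
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';

select id, owner_id, body from notes;          -- tenant B's row is hidden by the policy
insert into notes (owner_id, body)
  values ('11111111-1111-1111-1111-111111111111', 'new A note');
update notes set body = body || ' (edited)';   -- touches only A's rows
delete from notes where body like 'tenant B%'; -- deletes nothing: B's row is invisible

-- A cross-tenant insert must fail the WITH CHECK clause (SQLSTATE 42501).
-- If it is accepted instead, the RAISE EXCEPTION aborts the whole simulation.
do $$ begin
  insert into notes (owner_id, body)
    values ('22222222-2222-2222-2222-222222222222', 'forged B note');
  raise exception 'RLS gap: cross-tenant insert was accepted';
exception when insufficient_privilege then
  raise notice 'cross-tenant insert rejected: %', sqlerrm;
end $$;

-- Back to the owner to inspect the audit rows this session generated.
reset role;
select actor, verb, table_name, row_pk, before_row, after_row
  from audit_log order by id;
rollback;
```

Two things worth noticing when you run this. First, the policy is evaluated as the non-owner role; run the same statements as the table owner and every row is visible, which is exactly why a service-role path needs its own explicit logging rather than RLS. Second, the ROLLBACK discards the audit rows along with the simulated writes, so a simulation run yields query output you can attach to a report, not persisted audit entries; the durable trail comes from real writes.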
What this is and isn't
Suparbase doesn't come with a HIPAA certification. Compliance is a property of how you operate the system, not of the software itself. The features above are the technical foundation auditors look for: encryption at rest, per-row audit trails, role isolation, and evidence you can regenerate on demand. You bring the operational policies (access reviews, BAAs, training) on top.
For teams with a strict compliance posture, the recommended shape is: self-host Suparbase inside your VPC; use a service-role Supabase key, relying on the audit log to account for each service-role operation since that role bypasses RLS; keep the audit log in a Postgres instance you back up nightly; and run the RLS simulator quarterly against your tenants.
Talk to us about your compliance posture.
We'll help you map the features to your auditor's checklist.