Is Supabase HIPAA compliant?

Developer platform · vendor site

BAA on select plans · PHI with conditions · SOC 2 Type II
Will Supabase sign a HIPAA BAA?
Sometimes — Supabase signs a HIPAA BAA only on specific plans or add-ons.
Supabase signs a BAA and has itself signed BAAs with the sub-processors (e.g. AWS) that touch ePHI. HIPAA workloads require a paid plan (Team or Enterprise) with the HIPAA add-on enabled per project, configured as a High Compliance project; HIPAA is not supported on Free/Pro or self-hosted Supabase.
PHI eligibility
PHI may be stored on Supabase's hosted platform only after a signed BAA with the HIPAA add-on enabled and required controls in place (PITR, SSL enforcement, network restrictions). Self-hosted Supabase is not covered.
SOC 2
SOC 2 Type II
Notes
BAA-signing is first-party confirmed in Supabase's HIPAA docs; the Team-plan minimum is stated in Supabase's own GitHub discussion. Confirm current plan/add-on requirements before relying on a specific tier.
Last verified 2026-05-31 · confidence: high · Vendor terms change — confirm directly with Supabase before storing PHI.


How to request and sign a BAA with Supabase

Sometimes — Supabase signs a HIPAA BAA only on specific plans or add-ons.

Request route: Self-serve — enable it in your account
  1. Get on a qualifying plan
    Supabase signs a BAA and has itself signed BAAs with the sub-processors (e.g. AWS) that touch ePHI. HIPAA workloads require a paid plan (Team or Enterprise) with the HIPAA add-on enabled per project, configured as a High Compliance project; HIPAA is not supported on Free/Pro or self-hosted Supabase.
  2. Request the Business Associate Agreement
    Supabase lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. Confirm what PHI is allowed before you store any
    PHI may be stored on Supabase's hosted platform only after a signed BAA with the HIPAA add-on enabled and required controls in place (PITR, SSL enforcement, network restrictions). Self-hosted Supabase is not covered. Match your configuration to this scope before putting protected health information into Supabase.
Before you sign — watch for
  • No BAA on the free / consumer tier — you must be on a qualifying paid plan first.
  • May carry a minimum contract / annual spend commitment — budget for it before you start.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Supabase before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Supabase sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — Supabase signs a HIPAA BAA only on specific plans or add-ons. Supabase signs a BAA and has itself signed BAAs with the sub-processors (e.g. AWS) that touch ePHI. HIPAA workloads require a paid plan (Team or Enterprise) with the HIPAA add-on enabled per project, configured as a High Compliance project; HIPAA is not supported on Free/Pro or self-hosted Supabase.
Is Supabase HIPAA compliant?
Supabase can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI may be stored on Supabase's hosted platform only after a signed BAA with the HIPAA add-on enabled and required controls in place (PITR, SSL enforcement, network restrictions). Self-hosted Supabase is not covered.
Can you store PHI (protected health information) in Supabase?
PHI may be stored on Supabase's hosted platform only after a signed BAA with the HIPAA add-on enabled and required controls in place (PITR, SSL enforcement, network restrictions). Self-hosted Supabase is not covered.
Is Supabase SOC 2 certified?
Supabase reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Supabase?
Supabase lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with Supabase before storing PHI.
What plan do I need to sign a BAA with Supabase?
Supabase signs a BAA and has itself signed BAAs with the sub-processors (e.g. AWS) that touch ePHI. HIPAA workloads require a paid plan (Team or Enterprise) with the HIPAA add-on enabled per project, configured as a High Compliance project; HIPAA is not supported on Free/Pro or self-hosted Supabase.

Sources

https://supabase.com/docs/guides/security/hipaa-compliance
Supports: Supabase has signed a BAA with its ePHI sub-processors; SOC 2 controls; self-hosted excluded · dated: undated
https://supabase.com/docs/guides/platform/hipaa-projects
Supports: Signed BAA + HIPAA add-on required; High Compliance project configuration · dated: undated
https://github.com/orgs/supabase/discussions/35594
Supports: BAA signing requires at least the Team plan · dated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Supabase before processing protected health information.