Supabase is now ISO 27001 certified

22 Apr 2026 · 3 minute read

Supabase is now certified to ISO/IEC 27001:2022. The certificate covers our information security management system across the entire platform, including Database, Auth, Storage, Realtime, Edge Functions, and the Data API.

What ISO 27001 is

ISO/IEC 27001:2022 is the international standard for information security management systems, also known as an ISMS. An ISMS is the collection of policies, processes, and controls a company uses to manage risk to the information it holds. The standard defines what an ISMS has to cover, how it has to be documented, and how it has to be maintained.

Certification comes from an accredited third-party auditor. They review the documentation, test the controls, and decide whether the standard has been met. A certificate is valid for three years, with a surveillance audit every year in between, and the ISMS has to keep running the whole time. Controls have to keep working. If the system drifts, the certificate goes away.

How it relates to SOC 2

SOC 2 and ISO 27001 cover a lot of the same ground. Both evaluate how a company protects customer data. Both look at access controls, change management, incident response, and business continuity. A large share of the evidence we already had from SOC 2 mapped cleanly to ISO 27001 controls.

Which one you need depends on where you are:

  • SOC 2 is a report written by your auditor describing how your controls operated over a period of time. It is widely accepted in North America.
  • ISO 27001 is a certificate confirming that your ISMS meets an international standard. It is widely accepted in Europe, Asia, and the public sector.

Some teams need one. Some need both.

What the audit looked like

Certification happens in two stages. Stage one is a documentation review. The auditor reads your policies, risk assessments, and statement of applicability, then decides whether the ISMS is ready to be tested. Stage two is the audit itself. The auditor interviews staff, samples evidence, and tests whether controls work the way you say they do.

Preparing for an audit is a good procedural exercise:

  • Writing and formalizing policies that had previously existed informally
  • Documenting risk assessments properly
  • Running internal audits
  • Selecting an auditor
  • Mapping SOC 2 controls to the ISO 27001 Annex A list so we were not collecting the same evidence twice

What it means for you

If you are on a Team or Enterprise plan, request the ISO 27001 certificate from your dashboard. That is the document your procurement and security teams will ask for.

If a vendor review required ISO 27001 and blocked you from building on Supabase, you are no longer blocked. If a deal has been waiting on this, talk to your account team.

What's next

ISO 27001 is one piece of a broader security and compliance roadmap. We already support SOC 2, of course, and we already support HIPAA for teams handling protected health information.

If your team has a specific compliance requirement you need from Supabase, tell us. The work we prioritize is shaped by what developers ask us for.
