Supabase is now certified to ISO/IEC 27001:2022. The certificate covers our information security management system across the entire platform, including Database, Auth, Storage, Realtime, Edge Functions, and the Data API.
ISO/IEC 27001:2022 is the international standard for information security management systems, also known as an ISMS. An ISMS is the collection of policies, processes, and controls a company uses to manage risk to the information it holds. The standard defines what an ISMS has to cover, how it has to be documented, and how it has to be maintained.
Certification comes from an accredited third-party auditor. The auditor reviews the documentation, tests the controls, and decides whether the standard has been met. A certificate is valid for three years, with a surveillance audit every year in between, and the ISMS has to keep running the whole time. Controls have to keep working between audits, not just at the initial one. If the ISMS drifts and a surveillance audit finds nonconformities that are not corrected, the certificate can be suspended or withdrawn.
SOC 2 and ISO 27001 cover a lot of the same ground. Both evaluate how a company protects customer data. Both look at access controls, change management, incident response, and business continuity. A large share of the evidence we already had from SOC 2 mapped cleanly to ISO 27001 controls.