ClearedToShip

Is Supabase HIPAA compliant?

Supabase can be used for HIPAA-regulated apps: it offers a HIPAA-compliant tier on its paid plans and will sign a Business Associate Agreement (BAA). But the platform being capable of HIPAA does not make your app compliant — you're still responsible for configuring row-level security, access controls, encryption, audit logging and data handling correctly. HIPAA on Supabase is a shared responsibility.

HIPAA-capable? Yes — on paid plans with a signed BAA
BAA available? Yes, on eligible paid tiers
Your responsibility: RLS, access control, encryption, logging, PHI handling
Free tier: Not suitable for PHI — no BAA

What Supabase provides for HIPAA

On eligible paid plans, Supabase will sign a BAA and provides the infrastructure controls HIPAA expects — encryption in transit and at rest, access controls, and the ability to operate in a compliant configuration. This makes Supabase a legitimate backend for healthcare apps that handle protected health information (PHI).

What's still your responsibility

A BAA covers the platform, not your application. You must enable and correctly scope row-level security so PHI is never readable by the wrong user, keep the service-role key server-side, enforce authorization on every endpoint, enable audit logging, and ensure PHI doesn't leak into logs, analytics or the client bundle. Most 'Supabase HIPAA' failures are app-level misconfigurations, not platform gaps.
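As an added example (not code from this page or from Supabase itself), here is what the RLS and key-handling points above look like as Postgres SQL run in a Supabase project; the patient_records table, its columns and the sample user id are constructed:

```sql
-- Constructed example: a table holding PHI (names are assumptions).
create table patient_records (
  id           bigint generated always as identity primary key,
  patient_id   uuid not null references auth.users (id),
  clinician_id uuid references auth.users (id),
  notes        text not null,
  created_at   timestamptz not null default now()
);

-- WEAK: a freshly created table has RLS off. Supabase's auto-generated
-- REST API then returns every row to anyone holding the public anon key,
-- which ships in the client bundle. The missing statements below are the bug.

-- HARDENED:
-- 1. Turn RLS on and force it even for the table owner.
alter table patient_records enable row level security;
alter table patient_records force row level security;

-- 2. RLS only filters rows for roles that still hold table privileges, so
--    drop the anon role's grant entirely and keep only what signed-in users need.
revoke all on patient_records from anon;
grant select, insert on patient_records to authenticated;

-- 3. A patient may read only their own rows.
create policy patient_reads_own on patient_records
  for select to authenticated
  using (auth.uid() = patient_id);

-- 4. A clinician may read only rows assigned to them.
create policy clinician_reads_assigned on patient_records
  for select to authenticated
  using (auth.uid() = clinician_id);

-- 5. Inserts must be attributed to the caller; no writing rows for someone else.
create policy patient_inserts_own on patient_records
  for insert to authenticated
  with check (auth.uid() = patient_id);

-- Check (local testing): impersonate an authenticated user and confirm the
-- count covers only rows the policies allow. The service_role key bypasses
-- RLS entirely, which is why it must never leave the server.
begin;
  set local role authenticated;
  set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  select count(*) from patient_records;
rollback;
```

Re-run the check block once per role (patient, clinician, a user with no relation to any row) to confirm each sees exactly the rows it should.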

HIPAA for vibe-coded healthcare apps

If you built a healthcare app with an AI builder, be especially careful: generated apps frequently ship with open RLS and exposed keys — unacceptable for PHI. Before handling any real patient data, verify access control end-to-end and get a security review. A free scan tells you in minutes whether PHI is currently exposed.

Get cleared before you launch.

Join the early-access list. We'll prioritize founders with a deployed app and a launch date on the calendar.

Questions

Is the Supabase free tier HIPAA compliant?
No. HIPAA requires a signed BAA, which Supabase offers only on eligible paid plans. Don't store PHI on the free tier.
Does signing a BAA make my Supabase app HIPAA compliant?
No. A BAA covers the platform. Your app is only compliant if you also configure RLS, access controls, encryption and logging correctly and handle PHI properly throughout your stack.