Security

Your data security is our priority

Supaview is built with enterprise-grade security from the ground up. We protect your Supabase analytics data with the same rigor we expect for our own.

SOC 2 Roadmap
256-bit Encryption
OAuth & 2FA

Infrastructure & Data Protection

  • Hosted on Vercel with enterprise-grade infrastructure, automatic scaling, and DDoS protection
  • TLS 1.3 encryption for all data in transit and AES-256 for data at rest
  • OAuth 2.0 authentication via Google & GitHub with two-factor authentication (2FA) support
  • Role-based access control and comprehensive audit logging for all access events
  • Regular security audits, automated vulnerability scanning, and dependency monitoring

AI SQL Guardrails

Our AI-powered SQL generation is designed with multiple layers of protection to ensure safe, read-only queries that won't modify or compromise your data.

  • Read-only enforcement — INSERT, UPDATE, DELETE, DROP, and other modifying statements are automatically blocked
  • SQL validation layer — every query is analyzed for dangerous patterns before execution
  • Schema-aware generation — queries are generated only from your actual database schema
  • Execution limits — strict timeouts, row limits, and resource constraints prevent runaway queries
  • User approval required — AI-generated queries are never executed automatically; you always review and approve first
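An illustrative read-only guard of the kind described above, added here as an example and not Supaview's code. It assumes PostgreSQL syntax and that the executor runs the returned query inside a read-only transaction with a statement_timeout, so the keyword filter below is one layer among several rather than the sole barrier.

```python
import re
from dataclasses import dataclass

# Only these statement types may appear at the top level of a generated query.
ALLOWED_FIRST = {"select", "with"}
# Keywords that modify data or schema, or that let a SELECT escape read-only use
# (SELECT ... INTO, data-modifying CTEs such as WITH t AS (DELETE ... RETURNING *)).
BLOCKED = {"insert", "update", "delete", "drop", "alter", "truncate", "create",
           "grant", "revoke", "merge", "copy", "call", "execute", "into"}


@dataclass
class GuardResult:
    allowed: bool
    reason: str
    query: str = ""  # the wrapped query to execute when allowed


def strip_comments(sql: str) -> str:
    """Remove /* ... */ and -- comments so nothing can hide inside them."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", sql)


def guard_query(sql: str, max_rows: int = 1000) -> GuardResult:
    """Validate an AI-generated query and wrap it with a hard row limit.

    Fails closed: any doubt (empty input, a second statement, a blocked
    keyword anywhere, even in a string literal) rejects the query.
    """
    text = strip_comments(sql).strip().rstrip(";").strip()
    if not text:
        return GuardResult(False, "empty query")
    if ";" in text:
        return GuardResult(False, "multiple statements are not allowed")
    # Tokenize on identifiers so that e.g. updated_at does not match 'update'.
    words = re.findall(r"[a-z_][a-z0-9_]*", text.lower())
    if not words or words[0] not in ALLOWED_FIRST:
        return GuardResult(False, "only SELECT/WITH statements are allowed")
    hits = sorted(BLOCKED.intersection(words))
    if hits:
        return GuardResult(False, "blocked keyword(s): " + ", ".join(hits))
    # Enforce the row limit outside the model's text so it cannot be overridden.
    wrapped = f"SELECT * FROM ({text}) AS guarded_query LIMIT {int(max_rows)}"
    return GuardResult(True, "ok", wrapped)
```

A query that passes is still shown to the user for approval before it is sent; the guard decides what may be proposed, not whether it runs.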

Token Storage & Credentials

Your Supabase access tokens and API credentials are stored with enterprise-grade security measures to prevent unauthorized access.

  • AES-256 encryption for all tokens at rest, with keys managed through Supabase Vault
  • pgsodium encryption — leveraging Supabase's built-in cryptographic extension with libsodium's verified algorithms
  • Minimal scope access — we request only the permissions needed for analytics and monitoring
  • Instant revocation — revoke access anytime to immediately invalidate stored tokens
  • Your data stays in Supabase — we never copy or store your actual database data; queries run in real-time against your instance

Supabase OAuth Integration

We connect to your Supabase projects using the official Supabase OAuth integration. This provides a secure, standardized way to access your projects without ever handling your database credentials directly.

  • Official Supabase OAuth flow — you authorize Supaview directly through Supabase's secure authentication portal
  • No service role keys — we never ask for or store your service role keys; OAuth provides scoped access tokens instead
  • Scoped permissions — we request only the minimum permissions needed to run analytics queries and read schema metadata
  • Revoke anytime — disconnect Supaview from your Supabase dashboard at any time to immediately revoke all access
  • Transparent authorization — you see exactly which projects you're granting access to before connecting

Report a Vulnerability

We welcome security researchers and appreciate responsible disclosure. If you discover a security vulnerability in Supaview, please report it to us.

security@supaview.co

We aim to respond within 48 hours

Additional Resources