Quick verdict
Pick the EU region (Frankfurt), accept the DPA/SCC, enable row-level security, and define log retention plus deletion routines. These are the same steps we use at KontoCSV.
GDPR must-haves in Supabase
Logging & retention
GDPR requires purpose limitation and minimal retention. Set short lifetimes for logs containing personal data and avoid logging payloads unnecessarily.
- Trim auth and edge function logs to the shortest operational window.
- Mask personal data in logs where possible.
- Use structured logs for auditability without leaking full payloads.
Deletion concepts
Plan how users and admins can trigger deletions and how backups are handled. Define retention for storage objects, database rows, and backups in line with your policy.
- Expose deletion endpoints that respect authentication and authorization.
- Document backup retention; consider PITR limits for sensitive tables.
- Automate data expiry for stale records (e.g., job runs, temp files).
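The RLS, deletion-endpoint and data-expiry steps above, worked through in SQL as an added example (not code from the original article or from Supabase); the job_runs table, its columns, the function names and the 30-day window are assumptions:

```sql
-- Added example (not from the article or Supabase's own docs): a user-owned
-- table locked down with RLS, a deletion path callable by the user, and a
-- scheduled expiry routine. Table, column and function names are assumptions.
create table if not exists public.job_runs (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id) on delete cascade,
  payload    jsonb,
  created_at timestamptz not null default now()
);

-- 1. RLS: enabling it denies everything by default; each policy then
--    re-opens exactly one operation for the row owner.
alter table public.job_runs enable row level security;
create policy "job_runs_select_own" on public.job_runs
  for select to authenticated using (user_id = (select auth.uid()));
create policy "job_runs_insert_own" on public.job_runs
  for insert to authenticated with check (user_id = (select auth.uid()));
create policy "job_runs_delete_own" on public.job_runs
  for delete to authenticated using (user_id = (select auth.uid()));

-- 2. User-triggered deletion: security invoker keeps RLS in force, so the
--    caller can only ever erase their own rows. Returns the number deleted.
create or replace function public.delete_my_job_runs()
returns bigint language sql security invoker as $$
  with deleted as (
    delete from public.job_runs
    where user_id = (select auth.uid())
    returning id
  )
  select count(*) from deleted;
$$;

-- 3. Automated expiry: purge rows older than the retention window (30 days
--    assumed). Security definer bypasses RLS, so it is not exposed to API
--    roles and is only run from a scheduled job.
create or replace function public.expire_job_runs(retention interval default '30 days')
returns bigint language sql security definer set search_path = public as $$
  with deleted as (
    delete from public.job_runs
    where created_at < now() - retention
    returning id
  )
  select count(*) from deleted;
$$;
revoke execute on function public.expire_job_runs(interval) from public, anon, authenticated;

-- Nightly run with the pg_cron extension (enable it in the project first):
-- select cron.schedule('expire_job_runs', '0 3 * * *', 'select public.expire_job_runs()');
```

Keep the retention interval in sync with the figure stated in your privacy policy and backup documentation, since PITR will still hold copies of purged rows for its configured window.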
Practical checklist
Region & legal
EU region selected, DPA/SCC accepted, subprocessors reviewed.
Security
RLS on all tables, least-privilege keys, JWT lifetime set.
Logs
Minimal retention, PII masked, alerts on anomalies.
Deletion
User-triggered deletion paths plus backup retention documented.
FAQ
Does Supabase use U.S. infrastructure?
Not if you pick the EU region: auth, storage, and realtime stay in Frankfurt when selected. Choose only EU regions for projects that hold personal data.
What about backups?
Point-in-time recovery keeps backups for the configured window. Document the retention and ensure it aligns with your deletion promises.
Where can I find the DPA?
In the Supabase dashboard under settings > legal. Accept it before onboarding users. It includes Standard Contractual Clauses.