You own your data, but you grant Supabase a broad license to use, copy, and display it as needed to operate the service.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
While customer data ownership is confirmed, the operational license granted to Supabase is broad in scope and includes worldwide rights to reproduce and distribute customer data, which is the standard mechanism by which Supabase can store, back up, and deliver your data through its infrastructure.
The relocation of Supabase's legal entity from Delaware to Singapore may affect which jurisdiction's courts and laws apply to disputes, potentially impacting your ability to pursue claims in US court…
You retain ownership of all data you upload to Supabase, but the agreement grants Supabase a worldwide, royalty-free license to use and process that data to provide the service. This license is standard for cloud services but means your data may be processed across global infrastructure; review the DPA for data residency and transfer details.
How other platforms handle this
As between Egnyte and Customer, Customer shall own all right, title and interest in and to the Customer Data. Customer hereby grants to Egnyte a limited, non-exclusive, royalty-free, worldwide license to use, copy, store, transmit, display and modify the Customer Data solely to the extent necessary ...
Customer grants Snowflake the right to host, copy, transmit, display, and otherwise use Customer Data and Customer Applications as reasonably necessary to provide the Services in accordance with this Agreement.
To the extent permitted by applicable law, as between you and Mistral AI, you (i) retain all ownership rights in Input and (ii) own all Output. We assign to you all right, title, and interest, if any, in and to Output that we may have. You grant us a worldwide, non-exclusive, non-transferable (excep...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"As between Customer and Supabase, Customer is and will remain the sole and exclusive owner of all right, title, and interest in and to all Customer Data, including all intellectual property rights therein. Customer hereby grants to Supabase a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Supabase to provide the Services to Customer.— Excerpt from Supabase's Supabase Terms of Service
REGULATORY LANDSCAPE: The customer data ownership clause and associated license engage GDPR Article 28 (processor obligations) and the principle that data controller instructions govern processor actions. The license language 'reproduce, distribute, and otherwise use and display' is operationally necessary for cloud services but should be read alongside the DPA to confirm that processing is limited to service delivery purposes. CCPA compliance depends on whether Supabase's processing is limited to the service provider role. GOVERNANCE EXPOSURE: Low to Medium. The data ownership confirmation is favorable to customers, but the breadth of the operational license and the interaction with the Aggregated Data carve-out means customers should confirm the DPA limits Supabase's processing to service delivery and does not permit secondary uses beyond aggregation. JURISDICTION FLAGS: EU/EEA customers should ensure the DPA includes appropriate Standard Contractual Clauses (SCCs) for international data transfers given Supabase's global infrastructure. Customers subject to data residency requirements (e.g., German Landesdatenschutz, French CNIL guidance) should confirm available regional hosting options. CONTRACT AND VENDOR IMPLICATIONS: The DPA is a critical companion document to this provision and should be reviewed to confirm scope limitations, sub-processor obligations, breach notification timelines, and data return/deletion procedures at contract end. COMPLIANCE CONSIDERATIONS: Data mapping exercises should capture Supabase as a processor and confirm that the processing scope in the DPA aligns with customer privacy notices; confirm sub-processor list and change notification mechanisms; assess data return and deletion procedures upon termination.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
While customer data ownership is confirmed, the operational license granted to Supabase is broad in scope and includes worldwide rights to reproduce and distribute customer data, which is the standard mechanism by which Supabase can store, back up, and deliver your data through its infrastructure.
You retain ownership of all data you upload to Supabase, but the agreement grants Supabase a worldwide, royalty-free license to use and process that data to provide the service. This license is standard for cloud services but means your data may be processed across global infrastructure; review the DPA for data residency and transfer details.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.