While we weren’t planning to do anything official for this announcement, the customer is always right.
Supabase is now officially SOC2 Type 2 and HIPAA compliant.
That’s all you need to know. The rest of this blog post will give you some background and what to expect if you’re planning to go through the same process.
SOC2
We previously discussed the process the SOC2 Type 1. To recap,
- Type 1 certification verifies adherence to the guidelines at a specific point in time.
- Type 2 certification verifies compliance over a period of time.
We received our Type 2 certification on May 22nd of this year and we plan to conduct annual Type 2 audits to ensure adherence to SOC2 guidelines.
We used the same auditor for the Type 2 certification and knew mostly what to expect. Some of our internal processes needed to change to make it easier to the evidence for our auditor. Examples of the kind of requests our auditor would ask for:
- List of all incidents which happened in a given time period. The postmortem for a few incidents from that list that the auditor chooses.
- List of all access requests in a given time period.
- List of vulnerabilities and when they were fixed
- List of Data deletion requests and evidence that a particular request was actioned on within our SLA.
Some of these were readily available in Vanta, our compliance monitoring tool. For others, we had to develop new processes to ensure that this information was all readily available. The Type 2 audit involves gathering a lot more evidence than the Type 1 audit. If we didn’t have proper systems and process in place before the audit, it would have been painful during evidence collection.
HIPAA
Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets national standards for protecting individuals' medical records and personal health information. Companies building applications with sensitive healthcare data must comply with HIPAA to ensure the security and privacy of patients' information.
A couple of definitions before go further. A covered entity refers to healthcare providers, health plans, and health insurance companies. Business associates are entities that perform certain functions with protected health information (PHI) on behalf of a covered entity. Both Business Associates and Covered entities are covered (pun intended) under HIPAA. Supabase is a business associate and our customers handling PHI can either be covered entities or other business associates.
We receive many requests from users who want to build healthcare apps on top of Supabase. Since you can self-host Supabase, we often encourage these users to do so. Starting today, these users have the option to use our hosted platform too with the HIPAA add-on 🎉.
Going from SOC2 to HIPAA
Going from zero to a SOC2 certification was much harder, than going from SOC2 to HIPAA.
We used the same auditor to streamline the process. Many of the controls required for HIPAA compliance could be mapped to the testing they had already done for SOC2. Additional evidence for encryption, audit logs, business continuity and disaster recovery exercises was unnecessary since the auditor already had access to it. And some of the HIPAA checks such as Facility Access Controls were not applicable to us since we are a remote company.
We also had to sign a Business Associate Agreement (BAA) with all of our vendors who would have access to PHI, such as AWS, and ensure that we follow their terms listed in the agreements. For example, when using AWS to store PHI, we could only use their HIPAA Eligible Services. There were similar requirements from the other vendors we use and to ensure that we were complying with all their requirements.
Similarly when you sign a BAA with us, you have some responsibilities you agree to when using Supabase to store PHI. These are documented in our shared responsibility doc.
We made a significant change to our incident management process for HIPAA. The HIPAA Breach Notification rules have strict requirements for handling breaches. For instance, business associates are required to notify the covered entity within 60 days of a breach. This also required us to appoint a HIPAA Security officer who would be responsible for reviewing any breach for PHI disclosure and communicating it’s impact to the Covered Entity.
The not-so-fun but important stuff included updating a bunch of our policies to cover HIPAA requirements such as enforcing automatic log-offs as part of our workstation security policy. Shopping for a good Technology Errors and Omissions Insurance plan was another boring but important thing we had to finalize in the off-chance that we get hacked despite all our measures. HIPAA fines are no joke, you could rake up to 1.9 million dollars per violation per calendar year depending the severity of the breach!
Build Healthcare Apps on Supabase
If you want to start developing healthcare apps on Supabase, reach out to our team here to sign our BAA. We are excited to see what you build!