
GDPR Compliance on Supabase and Neon: Managing PII in Serverless PostgreSQL

How to implement GDPR compliance on Supabase and Neon PostgreSQL. PII management, deletion, masking, and audit trails for serverless database platforms.

Robert Langner
Managing Director, NILS Software GmbH · 3 min read

Supabase Setup

Installation

In the Supabase Dashboard → SQL Editor:

-- Paste the entire pgcomply.sql content and run
-- Or via psql:
psql "postgresql://postgres:[password]@[host]:5432/postgres" -f pgcomply.sql

Quick Start

SELECT pgcomply.quick_setup();
SELECT * FROM pgcomply.health_check();

Supabase-Specific: RLS Integration

Supabase already encourages RLS. pgcomply enhances this:

-- pgcomply RLS uses the same auth context as Supabase
SELECT pgcomply.enable_rls('profiles', 'user_id');

-- Supabase auth.uid() works in pgcomply policies.
-- Without a FOR clause this is a permissive policy for ALL commands, and with no
-- WITH CHECK clause the USING expression is also applied to rows written by INSERT/UPDATE.
CREATE POLICY supabase_isolation ON profiles
  USING (user_id = auth.uid());
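A fuller policy set for the same table, as an added example that is not pgcomply's or Supabase's own code. It assumes the public.profiles table with a user_id uuid column from the snippet above and the standard Supabase roles (authenticated, anon, service_role). Splitting the policy per command lets you give reads a USING clause and writes a WITH CHECK clause, so a user cannot re-assign a row to another user_id on UPDATE; the trailing transaction shows how to test the policy as a specific user from the SQL Editor, because auth.uid() reads the sub claim from the request.jwt.claims setting. Note that service_role has BYPASSRLS and is never subject to any of this, which is why that key must stay server side.

```sql
-- Added example (not pgcomply's code). Assumes public.profiles(user_id uuid, ...).
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.profiles FORCE ROW LEVEL SECURITY;   -- also applies to the table owner

-- Read: a user sees only their own row. (SELECT auth.uid()) is evaluated once per query.
CREATE POLICY profiles_select_own ON public.profiles
  FOR SELECT TO authenticated
  USING (user_id = (SELECT auth.uid()));

-- Insert: the new row must belong to the caller (WITH CHECK runs against the new row).
CREATE POLICY profiles_insert_own ON public.profiles
  FOR INSERT TO authenticated
  WITH CHECK (user_id = (SELECT auth.uid()));

-- Update: may only touch own rows, and may not hand them to another user_id.
CREATE POLICY profiles_update_own ON public.profiles
  FOR UPDATE TO authenticated
  USING (user_id = (SELECT auth.uid()))
  WITH CHECK (user_id = (SELECT auth.uid()));

-- Deliberately no DELETE policy: erasure goes through the deletion process, not the client.

-- Smoke test as the authenticated role, impersonating one user via the JWT claims
-- setting that auth.uid() reads. Rolled back, so nothing is changed.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                  true);
SELECT count(*) FROM public.profiles;   -- counts only rows with user_id = ...0001
ROLLBACK;
```

If the count in the smoke test equals the total row count, the policy is not doing its job (typically because RLS is enabled on a different table than the one the policy is attached to, or the role you tested with owns the table and FORCE was not set).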

Handling Supabase Auth Users

Supabase stores auth data in auth.users. Register it:

SELECT pgcomply.register_pii('auth.users', 'email', 'email', 'id');
SELECT pgcomply.register_pii('auth.users', 'phone', 'phone', 'id');

Neon Setup

Installation

psql "postgresql://[user]:[password]@[endpoint].neon.tech/neondb?sslmode=require" -f pgcomply.sql

Branch Testing

# Create a test branch
neon branches create --name compliance-test

# Install and evaluate on the branch
psql "postgresql://...@compliance-test.neon.tech/neondb" -f pgcomply.sql
psql "postgresql://...@compliance-test.neon.tech/neondb" -c "SELECT pgcomply.quick_setup();"

# Review results before applying to main
psql "postgresql://...@compliance-test.neon.tech/neondb" -c "SELECT * FROM pgcomply.health_check();"

Automation Without pg_cron

If pg_cron is not available, use external scheduling:

# GitHub Actions cron (.github/workflows/compliance.yml)
name: Weekly Compliance Check
on:
  schedule:
    - cron: '0 6 * * 1'   # Mondays, 06:00 UTC
  workflow_dispatch:       # allow a manual run as well
jobs:
  check:
    runs-on: ubuntu-latest   # psql ships on the GitHub-hosted Ubuntu images
    env:
      # Store the connection string as a repository secret; never put it in the workflow file
      DATABASE_URL: ${{ secrets.DATABASE_URL }}
    steps:
      - run: |
          # ON_ERROR_STOP makes psql exit non-zero on the first failing statement,
          # so a failed retention run fails the job instead of showing green
          psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -c "SELECT pgcomply.enforce_retention();"
          psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -c "SELECT * FROM pgcomply.health_check();"
          psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -c "SELECT * FROM pgcomply.schema_drift();"

Common Pitfalls on Serverless Platforms

Pitfall 1: Supabase Public Schema Access

Supabase exposes the public schema through the PostgREST API by default, so any table in public that the anon or authenticated role has privileges on is reachable with nothing more than the project's publishable (anon) key. Row Level Security is the only thing standing between that API and the rows; note that the service_role key bypasses RLS entirely and must never reach a client. pgcomply helps verify:

-- Check what's exposed
SELECT table_name, level, has_rls
FROM pgcomply.classification_map()
WHERE has_rls = false AND level IN ('restricted', 'confidential');
-- Every result here is a potential data exposure via the REST API

Enable RLS on every table that contains PII. Enabling RLS with no policies at all is safe but breaks the application (every non-owner query returns nothing), so pair the switch with at least one policy:

SELECT pgcomply.enable_rls('profiles', 'user_id');
SELECT pgcomply.enable_rls('orders', 'user_id');
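The same check without relying on pgcomply's classification, as an added example that is not part of the page or of pgcomply: a catalog query over pg_class and pg_policy that lists every table in public that is either not RLS-protected or RLS-enabled but policy-less, together with whether the PostgREST roles can read it. The role names anon and authenticated are Supabase's; on Neon substitute whichever role your API layer connects as.

```sql
-- Added example, independent of pgcomply. Lists public tables that PostgREST can
-- reach and that are either unprotected (RLS off) or locked out (RLS on, no policy).
SELECT n.nspname                                   AS schema,
       c.relname                                   AS table_name,
       c.relrowsecurity                            AS rls_enabled,
       c.relforcerowsecurity                       AS rls_forced,
       (SELECT count(*) FROM pg_policy p
         WHERE p.polrelid = c.oid)                 AS policy_count,
       has_table_privilege('anon', c.oid, 'SELECT')          AS anon_can_select,
       has_table_privilege('authenticated', c.oid, 'SELECT') AS authenticated_can_select,
       CASE
         WHEN NOT c.relrowsecurity THEN 'EXPOSED: rows readable by any role with SELECT'
         ELSE 'LOCKED: RLS on but no policy, app queries return nothing'
       END                                         AS finding
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND n.nspname = 'public'             -- the schema PostgREST exposes by default
  AND (NOT c.relrowsecurity
       OR NOT EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid))
ORDER BY anon_can_select DESC, c.relname;
```

Views do not carry RLS of their own; a view in public over a PII table is evaluated with the view owner's privileges unless it is created with security_invoker, so audit views separately rather than assuming the table's policies cover them.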

Pitfall 2: Neon Branch Cleanup

Neon branches are cheap to create but can contain production PII. After testing:

# Delete test branches that contain real data
neon branches delete compliance-test

Or anonymize before testing:

-- On the branch, before sharing access
SELECT pgcomply.anonymize('users', 'email', 'email', seed_column := 'user_id', dry_run := false);

Pitfall 3: Connection String Security

Both platforms use connection strings with passwords. Never commit these:

# .env.local (git-ignored)
DATABASE_URL=postgresql://user:pass@host:5432/db?sslmode=require

# Verify SSL is required in the connection
# pgcomply.health_check() will flag if SSL is not enforced server-side

Edge Functions and GDPR

If you use Supabase Edge Functions or the Neon serverless driver, remember that each invocation may open its own database connection; there is no long-lived pool inside the function. Connection churn and connections left idle in an open transaction by a crashed invocation are what you need to watch. On Supabase, route function traffic through the connection pooler in transaction mode rather than the direct port, and put bounds on what a function connection can do:

-- Monitor connection usage
SELECT * FROM pgcomply.connection_audit();

-- A statement may not run longer than 10s, and a transaction left open by a crashed
-- invocation is terminated after 30s. Replace supabase_functions with the role your
-- functions actually connect as; statement_timeout alone does not release idle connections.
ALTER ROLE supabase_functions SET statement_timeout = '10s';
ALTER ROLE supabase_functions SET idle_in_transaction_session_timeout = '30s';

Deletion Across Supabase Auth + Application Data

Supabase stores auth data separately, in auth.users, which the REST API does not expose and which your application tables typically reference by id. A complete GDPR deletion requires handling both:

-- 1. Delete application PII via pgcomply
SELECT pgcomply.forget('user-uuid-here');

-- 2. Delete the Supabase auth record via the Auth admin API
-- (service_role key, called from a trusted backend, never from a browser):
-- DELETE https://your-project.supabase.co/auth/v1/admin/users/{user_id}
-- supabase-js equivalent: supabase.auth.admin.deleteUser(user_id)

pgcomply handles step 1 (your application data). Step 2 goes through Supabase's Auth admin API, not the Management API; it needs the service_role key, so it belongs in a server-side function or an internal admin tool. Keep the order as shown: if your application tables reference auth.users(id) with ON DELETE CASCADE, deleting the auth row first removes those rows before pgcomply can record the erasure. Use the default hard delete for step 2; the admin API's soft-delete option keeps the auth row. Document both steps in your deletion process.
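A post-deletion check for the two-step process, as an added example that is not part of pgcomply: a function that counts the rows still keyed to the data subject in auth.users and in the application tables, run after both steps. The (schema, table, column) list is an assumption built from the tables this page registers; extend it with every table you pass to pgcomply.register_pii. Because it reads auth.users it is SECURITY DEFINER, so execute rights are revoked from the API roles.

```sql
-- Added example (not pgcomply's code). Confirms that a subject's rows are gone
-- from auth and from application tables after steps 1 and 2 have run.
CREATE OR REPLACE FUNCTION public.gdpr_erasure_check(p_subject uuid)
RETURNS TABLE (table_name text, key_column text, remaining bigint)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
DECLARE
  r record;
BEGIN
  -- Assumed registry: extend with every (schema, table, column) registered as PII.
  FOR r IN
    SELECT * FROM (VALUES
      ('auth',   'users',    'id'),
      ('public', 'profiles', 'user_id'),
      ('public', 'orders',   'user_id')
    ) AS t(sch, tbl, col)
  LOOP
    -- %I quotes identifiers; $1 carries the subject id as a bound parameter
    EXECUTE format('SELECT count(*) FROM %I.%I WHERE %I = $1', r.sch, r.tbl, r.col)
      INTO remaining
      USING p_subject;
    table_name := r.sch || '.' || r.tbl;
    key_column := r.col;
    RETURN NEXT;
  END LOOP;
END;
$$;

-- Only trusted roles may call it; it reads auth.users with the definer's rights.
REVOKE ALL ON FUNCTION public.gdpr_erasure_check(uuid) FROM PUBLIC, anon, authenticated;

-- Run after pgcomply.forget(...) and the Auth admin API call.
-- Every row must report remaining = 0; anything else means the process is incomplete
-- (a table missing from the list, or the auth admin call never happened).
SELECT * FROM public.gdpr_erasure_check('00000000-0000-0000-0000-000000000001');
```

Wire the query into the same job or admin tool that performs the deletion, and store its output next to pgcomply's audit entry, so the evidence that the erasure completed is produced at the moment it is easiest to fix if it did not.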

Summary

Supabase and Neon make PostgreSQL easy to deploy, but GDPR compliance remains your responsibility. pgcomply installs in seconds on both platforms, requires no special permissions, and provides the PII management, deletion, masking, and audit capabilities that serverless platforms do not include out of the box.

Frequently Asked Questions

Does pgcomply work on Supabase?
Yes. pgcomply is pure PL/pgSQL and installs via the Supabase SQL Editor. Supabase provides pgcrypto by default, and pg_cron is available as an extension you enable from the Dashboard. Run the SQL file in the SQL Editor and pgcomply is ready to use.
Does pgcomply work on Neon?
Yes. pgcomply works on Neon PostgreSQL. Connect via psql or any SQL client, run the installation SQL, and all functions are available. Neon supports pgcrypto. For automation, use Neon with external cron (GitHub Actions, Vercel cron) since pg_cron availability varies.
Can I use Neon branching to test compliance changes?
Yes. Create a Neon branch, install pgcomply, run quick_setup(), and evaluate the results before applying to your main branch. This is a safe way to test compliance impact without affecting production.
