SOC 2 Type 2 compliant
Independently assessed controls for Supabase's hosted platform.
Read Supabase's SOC 2 explanationMatchAudit is designed to help teams preserve sensitive screening evidence, reviewer rationale and decision history. This page explains the infrastructure we use, the controls MatchAudit is responsible for and the boundaries of our providers' certifications.
MatchAudit uses Supabase for core managed authentication, PostgreSQL database, and private evidence-file storage infrastructure. Supabase's hosted platform is SOC 2 Type 2 compliant and ISO/IEC 27001:2022 certified.
Independently assessed controls for Supabase's hosted platform.
Read Supabase's SOC 2 explanationSupabase's information security management system is certified to the international ISO/IEC 27001:2022 standard.
Read Supabase's ISO informationSee also Supabase's official security page.
Supabase is responsible for controls within its hosted platform. MatchAudit remains responsible for how the application is designed and configured, including application access, tenant separation, permissions, data handling and operational security.
MatchAudit uses Supabase Auth helpers across login, signup, reset-password, invite, dashboard and route-handler flows.
Evidence Hub records, files, subjects and audit events are stored with organization identifiers, and the database migrations configure Row Level Security policies tied to organization membership.
Evidence Hub uploads use a private Supabase Storage bucket. Server routes validate the organization context before storing file metadata or creating a signed download URL.
Uploaded Evidence Hub files are hashed with SHA-256 and stored with immutable file metadata such as bucket, path, file name, size, MIME type and uploader.
Evidence-file download routes check Evidence Hub access and organization membership before creating a short-lived signed URL.
Evidence Hub routes create audit-event rows for actions such as file uploads and retention expiry where those workflows are implemented.
Contact MatchAudit if your organisation needs to review infrastructure, data handling, access controls, retention or subprocessor information before using the service.