Supabase DSAR · Pilot mapping

Turn your Supabase schema into a request map.

A user may appear in Supabase Auth, application tables, Storage metadata and connected tools. Trace’s proposed pilot converts those relationships into a controlled retrieval plan and a case pack ready for human review.

Schema before search

The user record is a starting point.

Supabase Auth uses the project’s Postgres database, but customer application data is modelled separately. A defensible search follows validated keys and relationships across only the sources in scope.

01 / AUTH

Authentication identity

Record the agreed user ID, email, providers and relevant profile fields without exposing credentials or session tokens in the case pack.

02 / POSTGRES

Application tables

Map foreign keys, denormalised emails, tenant membership and custom identifiers to reviewed read-only queries.

03 / STORAGE

Files and object metadata

Identify buckets and object paths linked to the requester. Treat database metadata and underlying file retrieval as separate evidence steps.

04 / FUNCTIONS

Outbound and derived data

Document functions, webhooks or pipelines that may copy user data into billing, support or analytics systems.

05 / TENANCY

Organisation context

Distinguish a person’s own data from company or third-party records in shared workspaces.

06 / REVIEW

Case-specific decisions

Flag retention, third-party rights, unreadable exports and missing relationships for authorised review.

Proposed retrieval plan

A Supabase DSAR in six controlled steps.

  1. Inventory the project. Confirm projects, environments and connected systems in scope.
  2. Validate identifiers. Start from the agreed Auth user and map related application keys.
  3. Review queries. The customer validates tables, joins, filters and fields before retrieval.
  4. Choose the access path. Use a controlled export, query runner or appropriately restricted database role.
  5. Package with provenance. Keep each record connected to its table, identifier, query and retrieval time.
  6. Hand off for judgement. Assemble the export, gaps, exception notes, draft response and timeline for approval.

Deletion needs a different runbook. Removing an Auth user does not prove that linked rows, files or downstream copies were addressed. Trace does not claim automated deletion.

Official product references: Supabase Auth architecture, Storage schema and database connection methods. Legal reference: Article 15 GDPR.

Least privilege is designed

A service-role key is not a workflow.

A powerful credential may be convenient, but convenience is not the access policy. Early pilots should start with the narrowest method that can produce the agreed evidence.

OPTION / CUSTOMER

Customer-run retrieval

The customer executes validated queries or exports and transfers only the agreed evidence through the accepted channel.

OPTION / SCOPED

Time-limited service access

If direct access is necessary, permissions, network path, secrets handling, logs, revocation and retention must be documented first.

No generic schema assumptions

Supabase pilot questions.

The implementation begins with source mapping because every customer’s tables, policies and downstream systems differ.

Is Supabase a live automated Trace connector?
No one-click connector is claimed. Supabase is currently labelled Pilot mapping: retrieval would be configured for an accepted pilot using customer-approved, least-privilege access or a controlled export.
Is the auth.users row the complete DSAR result?
Usually not. Supabase Auth stores user information in the project’s Postgres database, while product data may live in customer-defined tables and files in Storage. The project schema and identifier relationships determine the real search surface.
Does Row Level Security solve service access?
RLS is part of the application access model, not a complete pilot design. The customer and Trace must still agree the retrieval identity, permissions, query scope, logging and revocation. A customer-run export may be safer for an initial case.
Can Trace execute erasure in Supabase?
Automated erasure is not claimed. Trace may prepare a reviewed, source-by-source action plan. Retention, cascades, backups, related records and the legal basis for action remain customer decisions.

A controlled first request

Map one Supabase request before you build an internal DSAR tool.

Trace will assess schema, access, reviewer capacity and operational fit before an early-access pilot is accepted.