Why Supabase has attracted PwC, McDonald's and Johnson & Johnson (and what does it have to do with the GDPR)

Supabase is, in essence, a database. And that definition, although technically correct, is also the one that most often leads to underestimating what is really happening with this platform.

In October 2025, it reached a valuation of $5 billion. Companies like PwC, McDonald's or Johnson & Johnson use it in production. [1] Every day thousands of new databases are created on their infrastructure. [9] And with more than 99,000 stars on GitHub, it has become one of the most important projects in the open-source ecosystem. [5]

But what is truly relevant is not their growth.
That's why it's happening.

For a medium-sized Spanish company —which is not PwC or McDonald 's—, Supabase represents something unusual: the combination of three characteristics that are rarely found together in a traditional database.

It's open-source, meaning that the code is auditable and portable.
It is self-hosting, allowing data to be kept within the infrastructure itself.
And it offers a level of functionality comparable to that of enterprise solutions that multiply their cost.

Added to this are certifications such as SOC 2 Type II or HIPAA, which explain why it is being adopted in regulated sectors.

This article is not about one more database.
It's about why platforms like Supabase are redefining data infrastructure—and what that means for issues such as the GDPR or data sovereignty in automation.

What is Supabase and what it isn't

Supabase is a Backend-as-a-Service built on PostgreSQL.

In practice, this means that it groups together on a single platform several components that would normally be separated: a complete PostgreSQL database with standard SQL access, a REST API generated automatically from the schema (PostGrest), an authentication and authorization system based on JWT and Row-Level Security, file storage with permission control, serverless functions (Edge Functions in Deno) and real-time subscriptions to database changes. [3]

But understanding what Supabase is also requires understanding what it isn't.

It's not an ERP.
It's not a CRM.
It's not a workflow automation tool.
And it's not a reporting tool either.

Supabase is the data layer on which all these tools operate. It's the place where data lives, is consulted and modified. In the technology stack of a midsize company, it occupies the lowest and most critical level: the operating base on which everything else is built.

That position explains much of its relevance.

PostgreSQL —the technology it supports— is the database most used by developers globally, with 55.6% adoption in 2025 according to the Stack Overflow Developer Survey. [4] Supabase doesn't start from scratch: it inherits more than thirty years of evolution, stability and an ecosystem of extensions difficult to match in the relational world.

Among them stands out Pgvector, which allows vector searches and enables use cases linked to artificial intelligence directly on the database, without the need for additional infrastructure.

Supabase is not intended to replace business applications.
It does something more fundamental: it redefines the layer on which those applications are built.

Why companies like PwC or Johnson & Johnson use an open-source database

The explanation isn't just cost, although cost matters.
It is, above all, the combination of technical control and enterprise guarantees that Supabase offers at a level of access that traditional alternatives cannot match.

The first factor is control over the data.

Supabase can be deployed on the company's own infrastructure—on-premise, in a private environment on AWS, Azure or GCP—under an Apache 2.0 license for its core. [6] This means that the organization decides where the data lives and who has access to it.

In highly regulated sectors, such as pharmaceuticals, this is not a technical detail: it's an operating condition. For a company like Johnson & Johnson, the ability to keep data within its own infrastructure, without relying on third parties for storage, has a value that is difficult to replicate with proprietary solutions without specific contracts.

This point connects directly with the GDPR.

A self-hosted database in European infrastructure makes it possible to meet data residency requirements without the need for additional mechanisms such as contractual clauses or suitability decisions. [7] Data is not transferred outside the EU because it simply doesn't come out. The legal problem is simplified from the technical design.

The second factor is access to enterprise capabilities without the associated traditional cost.

Supabase's Enterprise plan includes certifications and guarantees such as SOC 2 Type II, HIPAA (with BAA), 99.99% SLA, dedicated VPC environments, data residency in the European region, and audit logs. [6] In addition, since the end of 2025 it has been available on the AWS Marketplace, allowing many companies to attribute their cost to existing spending commitments on AWS. [10]

The difference appears in the economic model.

Supabase starts from affordable entry levels — starting at $25 per month in the Pro plan — and scales to customized enterprise plans. In contrast, solutions such as Oracle Database Enterprise Edition or Microsoft SQL Server Enterprise have historically operated with license costs of tens of thousands of euros per year, even before considering infrastructure and support.

It's not just the price that changes.
It is the access point to capabilities that were previously reserved for organizations with very large budgets.

Supabase doesn't eliminate complexity from data infrastructure.
But it does significantly reduce the barrier to entry to build it with enterprise standards.

Performance versus alternatives and what it means in practice

Supabase is commonly compared to Firebase, Google's managed backend. In independent benchmarks, it reports up to 4 times more performance in reading and 3.1 times in writing. [8]

Beyond the number, what is relevant is the type of workload.

Applications with relational logic — operational dashboards, internal tools or reporting systems — work more efficiently on PostgreSQL than on NoSQL databases. Consultations with Joins, aggregations and complex structures are not only more natural in this model, but also faster and more maintainable.

For a medium-sized Spanish company, this has a direct implication.

Most don't need — nor can they justify — an enterprise database from traditional manufacturers. Your data volume and budget don't require it. For this reason, historically, they have operated with directly managed MySQL, SQLite or PostgreSQL, assuming the administrative complexity that this entails.

Supabase changes that balance.

It offers managed PostgreSQL, without the need to operate the database, with functionalities that were previously associated with enterprise environments. A low-cost entry plan covers most cases of internal tool use, while higher plans allow compliance requirements in regulated sectors to be met.

In industries such as healthcare, insurance or banking, where data residency and certifications are critical, this combination — optional self-hosting, SOC 2 Type II, HIPAA and EU residency — makes Supabase a viable alternative where previously there were only high-cost solutions.

Supabase is not the database for all companies.
But it is an especially suitable option for those who need PostgreSQL with modern capabilities—authentication, granular permissions, real time, or automatic APIs—without assuming the cost or rigidity of traditional solutions.

Why is it part of the tool stack for internal tools

When combined with other pieces of the modern stack, Supabase's role is better understood.

An internal tool built with WeWeb as a frontend and Supabase as a database introduces two unusual features in traditional architectures: the frontend is exportable (WeWeb allows you to obtain the complete code in Vue/Nuxt) and the data is in standard PostgreSQL, without dependence on proprietary formats.

This has a direct consequence: there is no vendor lock-in in the data layer.

The company can change the frontend without migrating the database.
You can move the database to another PostgreSQL environment without transformation.
The portability is bidirectional.

If we add to this an automation layer such as n8n in a self-hosted environment, the result is an architecture where all components can run on their own infrastructure, on European territory, without irreversible dependence on external suppliers.

This point is no minor.

Deloitte estimates that 45% of relevant cybersecurity incidents are related to vendors that have access to the systems. [11] Reducing that dependence is not just a technical decision, but a risk strategy.

Supabase isn't just another database.
It is a key piece in an architecture where data control is once again in the hands of the company.

References

[1] Supabase/BBN Times. (2025, October). Supabase Soars to $5B: The Open-Source Giant is Redefining AI Development.
https://www.bbntimes.com/technology/supabase-soars-to-5b-the-open-source-giant-is-redefining-ai-development

— Supabase achieved a valuation of $5,000 million in its Series E (October 2025, co-led by Accel and Peak XV with participation from Figma Ventures). Enterprise customers: PwC, McDonald's, Johnson & Johnson, GitHub Next. More than 4 million developers and 100,000+ customers.

[2] Sacred Research. (2025). Supabase Revenue, Valuation & Funding.
https://sacra.com/c/supabase/

— Estimated ARR of $70M in 2025 (+250% YoY from $30M in 2024). SaaS model:
Free (50K MAUs, 500MB), Pro ($25/month, 100K MAUs, 8GB), Team ($599/month, enterprise compliance). Available on the AWS Marketplace since December 2025.

[3] TechCrunch. (2024, September). Supabase, a Postgres-centric developer platform, raises $80M Series C.
https://techcrunch.com/2024/09/25/supabase-a-postgres-centric-developer-platform-raises-80m-series-c/

— Statement by CEO Paul Copplestone on adoption: ease of use + PostgreSQL as a competitive advantage.

[4] Stack Overflow. (2025). Developer Survey 2025.
https://survey.stackoverflow.co/

— PostgreSQL is the most used database (55.6% adoption). Seventh consecutive year leading.

[5] Supbase. (2026). GitHub Repository.
https://github.com/supabase/supabase

— Over 99,000 stars, 11,800+ forks, 35,000+ commits and 1,700+ contributors. One of the most important repositories in the open-source ecosystem.

[6] Supbase. (2026). Enterprise.
https://supabase.com/enterprise

— Includes: 99.99% SLA, SOC 2 Type II, HIPAA (Enterprise), dedicated VPC, EU data residency, audit logs, 24/7 support. Available on AWS and Google Cloud Marketplace.

[7] Regulation (EU) 2016/679 (GDPR), Articles 44—49.
— Supabase self-hosting (Apache 2.0 license) allows you to keep data in your own infrastructure or in the EU region, avoiding international transfers and simplifying compliance.

[8] Medium/Takafumi Endo. (2025, April). Why Supabase Became the Go-To Open-Source Alternative to Firebase.
https://medium.com/@takafumi.endo/why-supabase-became-the-go-to-open-source-alternative-to-firebase

— Benchmarks indicate up to 4x in reads and 3.1x in writes versus Firebase in relational loads.

[9] Supabase/Programming Helper Tech. (2026). Supabase 2026: The Open Source Firebase Alternative Reaching 99K GitHub Stars and $5B Valuation.
https://www.programming-helper.com/tech/supabase-2026-open-source-firebase-alternative-postgres-backend

— 2,500 new databases created daily. 30% of new registrations come from AI (vibe coding) tools.

[10] Supbase. (2025). AWS Marketplace Announcement.
https://supabase.com/blog/supabase-aws-marketplace

— Available on the AWS Marketplace since December 2025. It allows you to use AWS spending commitments for your purchase.

[11] Deloitte. (2023). Global Future of Cyber Survey.
https://www.deloitte.com/global/en/services/risk-advisory/research/future-of-cyber.html

— 45% of relevant cybersecurity incidents are attributed to third parties with access to systems.