How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

AICPA SOC 2 Compliance: A Guide for UK Tech Startups

You're probably in one of two situations.

Either procurement for a larger customer has just asked for your SOC 2 report and your team is wondering whether this is a legal requirement, a security badge, or just another painful questionnaire with a different label. Or you already know you need it, but your stack doesn't look like the audit examples people keep writing about. You run Supabase or Firebase, push mobile releases weekly, rely on managed services, and don't have the patience for advice that assumes a traditional data centre and a slow quarterly change window.

That's where AICPA SOC 2 gets confusing for UK startups. The framework is US-defined, but your buyers are often in London, Manchester, or Edinburgh, and they read your controls through a UK risk lens. They care about access, privacy, incident handling, and supplier oversight. They also want evidence that matches how your product runs, not how a policy template says it runs.

Why Every UK Startup Suddenly Needs a SOC 2 Report

The familiar pattern goes like this. A startup spends months building product, finally gets a serious enterprise conversation, clears the technical review, and then stalls in vendor onboarding because the customer asks one short question: do you have a SOC 2 report?

That question lands hard because it usually arrives late in the sales cycle, when legal and procurement are already involved and everyone wants to move fast. For a founder or CTO, it can feel unfair. You've built a good product, use reputable cloud providers, and haven't had a major incident. But enterprise buyers aren't assessing good intentions. They're assessing whether you can prove control over the systems that handle their data.

Why buyers ask for it

SOC 2 was introduced by the AICPA in 2011 as part of the System and Organization Controls suite, and it's formally defined as a report on controls relevant to security, availability, processing integrity, confidentiality, or privacy. Those five Trust Services Criteria are still the foundation of SOC 2 reporting, which is why it has become such a common assurance request for service companies selling into larger organisations (AICPA SOC 2 background).

For UK startups, the important nuance is that buyers don't read a SOC 2 report in a vacuum. They map it to local expectations around privacy, operational resilience, and third-party risk.

A useful summary in Capgo's SOC 2 insights captures why this matters for software teams shipping quickly. A report isn't just paperwork. It's a way to show that your controls exist, are documented, and can stand up to scrutiny when a prospect asks awkward questions about auth, logging, or incident response.

The UK context changes the conversation

A frequently missed point is that SOC 2 is a US framework, while UK buyers still evaluate suppliers through local assurance expectations, including ICO-aligned privacy duties and FCA-style third-party risk processes. That context isn't theoretical. The UK's ICO reported 2,817 personal-data breach reports in 2023, which helps explain why procurement and security teams look closely at vendor evidence (UK buyer context for SOC 2).

Practical rule: When a UK prospect asks for SOC 2, they're rarely asking for a logo. They're asking whether your operating discipline is mature enough to trust with their data.

That's also why startups that treat compliance as a sales blocker often make the process harder on themselves. The better framing is operational trust. If your access controls are weak, your logs are scattered, and no one can show who approved a production change, the audit pain is a symptom of a real engineering gap.

If your customer base is UK-heavy, privacy evidence often needs to line up with the same questions you'd expect in a GDPR compliance automation workflow. Not because SOC 2 replaces UK GDPR. It doesn't. But because customers will compare the two in practice.

Decoding the Five SOC 2 Trust Services Criteria

A lot of confusion starts with the assumption that SOC 2 is one fixed standard with one fixed checklist. It isn't. AICPA SOC 2 is a framework built around five Trust Services Criteria, and your audit scope depends on which of those criteria apply to your service and customer commitments.

Here's the visual version first.

An infographic titled Decoding the Five SOC 2 Trust Services Criteria listing Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Security is the foundation

SOC 2 was introduced by the AICPA in 2011 as a report on controls relevant to security, availability, processing integrity, confidentiality, or privacy. In practice, auditors test whether technical controls such as access restriction, vulnerability management, logging and monitoring, and incident response are not only designed but operating effectively (AICPA SOC 2 criteria overview).

Security is the mandatory criterion. Every SOC 2 report includes it.

For a CTO, this means the baseline audit conversation is usually about questions like these:

Who can access production
How access is approved and removed
What gets logged and retained
How vulnerabilities are identified and remediated
How incidents are detected, escalated, and reviewed
How third-party suppliers are assessed and monitored

If your team thinks of SOC 2 as “a security certificate”, you'll miss the point. Auditors are not checking whether you bought the right tools. They're checking whether your controls are repeatable, documented, and evidenced.

The four optional criteria

The other four criteria are included based on what your service does and what you promise customers.

Availability

Availability matters when customers depend on your system being accessible and resilient. This isn't just uptime marketing. It's the set of controls around recovery planning, monitoring, capacity, and operational response.

A startup with a critical workflow product, an API used by customers' production systems, or contractual service commitments will often need this in scope.

Processing Integrity

This criterion is about whether the system processes data accurately, completely, timely, and with proper authorisation. It matters when customers rely on your output to make decisions or trigger business actions.

If your product transforms, syncs, scores, reconciles, or routes customer data, this criterion may be more relevant than many teams first assume.

Confidentiality

Confidentiality focuses on protecting sensitive information according to your commitments. That could include customer files, proprietary datasets, internal documentation, or contractual restricted information.

Teams often assume confidentiality is automatically covered by “security”. It isn't. If you tell customers certain data classes are protected in specific ways, this criterion may need to be explicit.

Privacy

Privacy is the most UK-sensitive criterion because it deals with personal information handling. If you collect or process personal data directly, auditors will look at how you govern collection, use, retention, disclosure, and disposal.

If your product handles user profiles, analytics identifiers, support data, or uploaded content tied to individuals, Privacy stops being a legal team issue and becomes an engineering evidence problem.

What auditors actually want to see

For most startup environments, evidence falls into a few recurring buckets:

| Evidence area | What it usually includes | |---|---| | Access | SSO or auth settings, role definitions, joiner and leaver records, review approvals | | Operations | Monitoring outputs, alerts, incident records, remediation tracking | | Change | Pull requests, reviews, deployment approvals, rollback records | | Data handling | Retention decisions, deletion procedures, disclosures, policy alignment | | Vendors | Supplier inventory, risk reviews, contracts, service dependencies |

One trade-off matters here. A narrow scope is easier to complete, but too narrow a scope can disappoint enterprise buyers if it doesn't cover what they care about. A broad scope sounds stronger, but it creates more evidence work and more places for controls to drift.

The right choice isn't the one with the most criteria. It's the one that matches your product, your commitments, and the questions customers already ask.

Choosing Your Report Type I vs Type II

This decision shapes both your timeline and the commercial value of the exercise.

A Type I report looks at whether your controls are suitably designed at a specific point in time. A Type II report goes further and tests whether those controls operated effectively over a review period. If you want the simplest mental model, Type I is a snapshot and Type II is an operating record.

The strategic difference

A Type I can help when you need an answer for procurement quickly and you're still building control discipline. It shows that the framework exists. It does not show that the framework held up over time.

A Type II carries more weight because customers can see that control operation was tested across the review period. That's why mature buyers, especially larger enterprises, often push for it even if they'll briefly tolerate a Type I during onboarding.

SOC 2 Type I vs Type II Report Comparison

| Attribute | Type I Report | Type II Report | |---|---|---| | What it evaluates | Control design at a single point in time | Control design and operating effectiveness over a review period | | Best for | Early-stage readiness, first enterprise asks, initial vendor onboarding | Stronger customer assurance, regulated buyers, mature sales motions | | Speed to obtain | Faster | Slower because controls must operate consistently before testing | | Evidence burden | Lower | Higher because evidence must show repeated operation | | Customer confidence | Useful, but limited | Stronger and usually more persuasive | | Typical startup use | A first step when timing matters more than depth | The target state when sales and procurement scrutiny increase |

What works and what doesn't

A Type I works when you're transparent about what it is. It can unblock conversations if the customer mainly wants proof that the programme exists and is moving in the right direction.

It doesn't work when leadership treats it as “close enough” forever. If your target customers are banks, insurers, health platforms, or enterprise software teams with formal vendor reviews, they usually want evidence that controls operated.

A Type I can get you into the conversation. A Type II is what usually keeps you there.

There's also an internal trade-off. Going straight to Type II forces discipline earlier. That can be painful, but it often prevents the common pattern where a company documents controls for a Type I, relaxes, and then discovers six months later that no one kept the evidence trail.

If your engineering team is already reasonably organised, going directly to Type II is often cleaner than doing the same work twice. If your controls are still informal and you need a near-term sales artefact, Type I can be the practical bridge.

Navigating the SOC 2 Audit Lifecycle and Timeline

A UK startup usually feels the audit pressure long before the auditor appears. Sales has promised a security review to a London enterprise prospect. Engineering is shipping fast on Supabase or Firebase. Someone has a policy pack in Notion, but the critical evidence is scattered across GitHub, Jira, Google Workspace, and cloud consoles.

That is the actual SOC 2 lifecycle.

A five-phase infographic outlining the SOC 2 audit lifecycle from readiness assessment to final report delivery.

The audit is a sequence of operating stages. The pressure point is rarely control design alone. It is whether the company can show, with clean evidence, that controls worked the way the policy says they worked. For UK teams, there is an extra translation layer. The report follows AICPA criteria, but buyers, auditors, and security reviewers often expect the supporting evidence to make sense in a UK GDPR and Cyber Essentials aware environment.

Phase one and two

Readiness assessment

Readiness sets the boundary and exposes the weak spots before formal testing starts. During this phase, teams decide what is in scope, which vendors matter, where customer data moves, and which controls already exist in practice.

For a startup, the same issues show up repeatedly:

Scope confusion because production is only part of the story. Staging, support tooling, analytics platforms, MDM, and contractor access often matter too.
Evidence gaps because access reviews, code approvals, and incident decisions happened, but only in Slack threads or ad hoc messages.
Policy mismatch because a template says one thing while Firebase rules, Supabase roles, or CI settings say another.
Vendor blind spots because managed services carry a large share of the control burden, yet nobody has listed them properly or reviewed their SOC reports and security terms.

A good readiness review saves time later because remediation is still under your control. Once fieldwork starts, every missing approval record or undocumented exception becomes a delay.

Remediation and preparation

This phase is where theory meets the stack you operate.

Teams usually need to tighten identity controls, formalise joiner mover leaver steps, clean up privileged access, define change approval rules, document incident handling, and create a repeatable place to store evidence. For cloud heavy startups, that often means pulling logs from identity providers, deployment pipelines, ticketing systems, and infrastructure platforms into one reviewable trail.

Automation matters here. If evidence collection depends on someone remembering to export screenshots at month end, the control is fragile. If security scanners, cloud configuration checks, and ticket workflows produce timestamped records as part of normal delivery, the control is far easier to defend during audit.

Phase three to five

Audit planning and scoping

Once an auditor is engaged, scope decisions become expensive to change.

This is where UK startups using mobile and backend platforms need to be precise. A mobile app may authenticate through Firebase, store files elsewhere, sync data into support tools, and send events to analytics vendors outside the core production stack. If those paths affect the services covered by the report, they need to be reflected in the system description and evidence plan.

Auditors also need clarity on complementary controls. With Supabase or Firebase, part of the control environment sits with the provider and part sits with your team. Your job is to show where the provider's responsibility ends and where your configuration, monitoring, and user access controls begin.

Fieldwork and testing

Fieldwork is where auditors sample real operation. They inspect tickets, approvals, logs, access reviews, onboarding records, incident artefacts, vulnerability remediation, and change history. Then they compare that evidence against the control wording.

This is the stage that exposes weak process design in agile teams. If the policy says all production changes are approved, but hotfixes went live from a senior engineer's local workflow, the exception is visible. If the company says privileged access is reviewed quarterly, but the actual reviewer cannot explain why five dormant admin accounts still exist, the control is not working well enough.

For modern development teams, continuous validation makes a practical difference. Automated scanners cannot replace judgement, but they do reduce the gap between "secure most of the time" and "provably operating as designed." That matters in Type II periods, where a single clean screenshot is useless and auditors want to see consistent behaviour over time.

Report delivery and review

After testing, the auditor drafts the report, confirms factual points, and records any exceptions. Clean report delivery usually reflects disciplined preparation, not luck.

If the process felt chaotic, the problem is often simple. The company performed some controls, but did not preserve evidence in a way an external reviewer could test without rebuilding the timeline from chat messages and memory.

A realistic project view

CTOs should manage the lifecycle in three layers:

Control design
Define the control, the owner, the system involved, and the risk it addresses.
Control operation
Make the control part of normal engineering and business workflow so it happens consistently.
Control proof
Keep evidence in systems that preserve timestamps, approvals, and history without manual reconstruction.

The fastest SOC 2 projects I see are not the ones with perfect documentation on day one. They are the ones where the stack already produces usable records through identity platforms, version control, CI pipelines, ticketing systems, MDM, and cloud logs. For a UK startup selling into larger buyers, that is the practical difference between "we are working on SOC 2" and a report that survives procurement scrutiny.

Key Controls for Modern Supabase and Firebase Stacks

Generic SOC 2 guidance often assumes you run everything yourself. UK startups rarely do. They use managed databases, hosted auth, object storage, mobile backends, edge functions, analytics SDKs, and CI pipelines that touch several vendors before a feature reaches production.

That doesn't make AICPA SOC 2 harder in principle. It changes where the actual control points sit.

An illustration showing SOC 2 control requirements connecting cloud platforms like Supabase and Firebase with security infrastructure.

Access and identity controls

For UK organisations, the Privacy criterion explicitly requires controls over personal data collection, use, retention, and disclosure, while the Security criterion expects strong authentication and role-based access. UK audit teams often align this evidence with UK GDPR accountability, so engineers reduce audit friction by centralising identity logs and keeping timestamped access-review artefacts (UK privacy and access evidence for SOC 2).

In practical terms:

Supabase teams should treat Row Level Security as an auditable control, not only a database feature. Auditors won't understand every policy rule, but they will care that access logic is intentional, reviewed, and tested.
Firebase teams need Security Rules that reflect least privilege, with review discipline around rule changes and evidence showing who approved them.
Mobile teams should map user roles, admin roles, support roles, and service accounts clearly enough that access reviews aren't guesswork.

If you can't answer “who can read this record class and why” without opening several consoles, your control design is still too loose.

Secrets, functions, and frontend exposure

Serverless-heavy teams often protect the backend reasonably well but leak risk through surrounding edges.

The usual weak spots include:

API keys in client bundles where teams assume “public” means harmless
Overpowered service credentials in CI workflows
Unprotected RPCs or callable functions that trust the client too much
Environment variable sprawl across local development, preview builds, and mobile release pipelines
Admin tooling with weak separation between support tasks and production privilege

These don't just create security exposure. They also create audit trouble because the intended control narrative breaks down. A policy may claim role-based access while a broad service key bypasses the whole model.

Change and logging in agile teams

SOC 2 evidence often collapses around change management, especially when teams deploy often.

For modern stacks, the strongest pattern is usually boring and effective:

| Control area | What good looks like in practice | |---|---| | Code changes | Pull requests, reviewer approval, linked tickets, deployment records | | Database changes | Migration history, approval trail, rollback plan | | Auth changes | Logged config updates, owner approval, review cadence | | Mobile releases | Release notes, build provenance, secret handling discipline | | Incident handling | Alert trail, decisions captured, post-incident actions tracked |

Don't build a second compliance workflow if your engineering workflow can produce the same evidence with clearer ownership.

That point matters even more in UK-facing environments. Privacy questions often surface through support operations, analytics setup, retention settings, and third-party SDK choices. If those controls sit outside engineering visibility, the audit gets harder and the product gets riskier.

Your Practical SOC 2 Readiness and Remediation Plan

A UK startup usually feels the pressure for SOC 2 before it feels ready for it. A prospect asks for a report during procurement, the team is shipping weekly, and nobody wants compliance work to slow down releases or turn into a parallel bureaucracy. The practical answer is to break readiness into workstreams that map to how the company already operates, then tighten the gaps that would fail audit or create real risk.

That approach matters even more for teams running Supabase, Firebase, mobile apps, and managed cloud services. The formal criteria come from the AICPA. The evidence has to make sense in a UK buyer conversation, where security due diligence often blends SOC 2 expectations with privacy, vendor oversight, and operational maturity.

Screenshot from https://audityour.app

A simple readiness checklist

Start by checking whether your documented controls, technical reality, and day-to-day operating habits tell the same story. If they do not, fix that first.

Documentation

Policies only help if they match the environment you run.

Check for:

Access policy alignment with real identity providers, admin roles, approval paths, and break-glass access
Incident procedures that reflect the tools your engineers and support staff use during a production issue
Change management language that matches pull requests, migrations, hotfixes, release approvals, and rollback practice
Vendor records that identify critical providers and show how security, privacy, and risk are reviewed

Template packs often describe a larger, slower company. Auditors spot that fast.

Technical controls

Readiness becomes measurable at this point. Modern stacks also drift fastest in this environment.

Prioritise:

Identity centralisation so admin access, sign-ins, and privileged actions can be reviewed in one place
Least-privilege enforcement across Supabase, Firebase, cloud consoles, repositories, CI, and support tooling
Secret hygiene in mobile apps, frontend bundles, pipelines, local development, and preview environments
Logging and alerting that support investigations, not just dashboards nobody reads
Change evidence from version control through deployment and production release

Organisational processes

SOC 2 still tests whether people follow the control design.

Make sure you can show:

Joiner and leaver handling with timely provisioning and removal
Role changes reviewed when responsibilities shift
Named control ownership for systems, vendors, and recurring reviews
Issue remediation tracked to closure with dates, owners, and evidence of the fix

Why continuous validation beats the quarterly scramble

A startup that checks controls once a quarter usually spends audit season reconstructing what happened. Git history exists, but approvals are inconsistent. Logs exist, but nobody verified retention. Permissions were cleaned up once, then drift came back through support access, test projects, or a rushed production change.

Continuous validation is a better fit for agile teams because the environment changes constantly. New mobile builds go out. Database rules change. Firebase configuration shifts. A Supabase service key gets added for a quick fix and stays longer than intended. If nobody is checking those conditions between formal reviews, the control may exist on paper and fail in practice.

That is why automated security scanners matter for SOC 2 readiness in modern stacks. They shorten the time between a misconfiguration appearing and someone seeing it. They also produce cleaner evidence than a last-minute manual review. For teams dealing with software supply chain risk as part of their security programme, maintaining a current inventory helps too. This guide to what an SBOM is is a useful reference point.

A remediation plan that survives startup pace

Use an order that reduces both audit risk and engineering friction.

Scope the environment
Include production systems, staging that handles live data, mobile backends, analytics tooling, support platforms, CI pipelines, and any vendor with customer data or privileged access.
Fix evidence gaps that hide real control weakness
Access reviews, central log retention, approval records, and onboarding or offboarding gaps usually deserve attention before policy polish.
Test the control statement against implementation
If the policy says least privilege, verify it in RLS rules, Firebase Rules, IAM roles, function permissions, admin consoles, and CI secrets.
Automate repeatable checks
Manual review breaks down quickly in environments that ship often. Automated validation is usually the only realistic way to catch drift across cloud config, auth settings, storage exposure, and dependency risk.
Run internal spot checks before fieldwork
Sample user access, recent deployments, incident records, and vendor reviews. That catches weak evidence while it is still cheap to correct.

The target is operational credibility. By the time the auditor arrives, the control set should look like a normal part of engineering and operations, not a temporary project assembled for the report.

Choosing an Auditor and Maintaining Continuous Compliance

The wrong auditor can turn a reasonable project into months of spreadsheet theatre. The right one understands cloud-native architecture, startup resourcing, and the difference between a real control and a policy phrase copied from a larger company.

That choice matters more than many founders realise. An auditor doesn't design your controls for you, but their interpretation style heavily affects how painful fieldwork becomes.

What to ask before you sign

Use the first call to test whether the firm understands how your stack works.

Ask questions like:

Have you audited teams using Supabase, Firebase, or serverless-heavy architectures
How do you handle evidence from GitHub, CI systems, identity providers, and cloud logs
Are you comfortable with startups that ship frequently and use managed services extensively
What does your request process look like during fieldwork
How do you distinguish a genuine control gap from a documentation gap

The best auditors usually ask sharp scoping questions early. They want to know where customer data flows, which systems are in scope, who has production access, how vendors are used, and whether the company's narrative matches its implementation.

Good auditors reduce ambiguity. Bad auditors create extra work because they never understood the environment in the first place.

What sustainable compliance looks like

The report is not the programme. Once you've completed one cycle, you need a maintenance rhythm that fits the way your company builds.

That usually includes:

| Ongoing activity | Why it matters | |---|---| | Periodic access reviews | Keeps privileges aligned as people and roles change | | Config and rule reviews | Catches drift in auth, permissions, and data exposure | | Change sampling | Verifies that approvals and testing still happen under delivery pressure | | Incident and alert review | Confirms response procedures still work in practice | | Vendor reassessment | Maintains visibility into outsourced risk |

For many UK startups, SOC 2 also becomes part of a broader trust stack. If you're building an information security management system over time, it helps to understand how that work relates to ISMS standards and ISO 27001.

The practical goal is simple. Build a compliance programme your engineers don't hate, your auditor can evaluate, and your customers can trust. If AICPA SOC 2 becomes a once-a-year panic event, the system isn't mature yet. If it becomes a byproduct of how you already run access, change, logging, and response, you're in the right place.

If you're building on Supabase, Firebase, or shipping mobile apps and want a faster way to spot the misconfigurations that can derail both security reviews and SOC 2 readiness, AuditYour.App helps teams scan for exposed RLS rules, unprotected RPCs, leaked keys, and hardcoded secrets without slowing delivery. It's a practical way to keep modern stacks continuously reviewable instead of scrambling before every audit.