Terms & Conditions

Last updated: March 2, 2026

1. Acceptance of Terms

By accessing and using Supascan (the "Service"), you accept and agree to be bound by the terms and provisions of this agreement. If you do not agree to abide by the applicable terms, please do not use the Service.

2. Description of Service & Ephemeral Credentials

Supascan provides automated security auditing tools specifically designed for Supabase projects. The service connects to your database instance via the connection string you provide and analyzes Postgres system catalogs only — including but not limited to: Row Level Security policies (pg_policy), user roles (pg_roles), functions (pg_proc), extensions (pg_extension), storage bucket visibility (storage.buckets), and schema permissions.

Supascan runs the following categories of checks: RLS enforcement, role permission analysis, schema exposure, SECURITY DEFINER function risks, network extension exposure (pg_net, http), pg_cron scheduler exposure, Vault schema accessibility, public storage buckets, anonymous function executability, and view-level RLS bypass risks.

Ephemeral Credentials & Zero-Data Guarantee: Database connection credentials provided for the scan are held in memory (RAM) only for the duration of the scan and are never written to disk or persisted in our database. To bound the connection's lifetime and the load it can place on your instance, Supascan sets a statement_timeout and an idle_in_transaction_session_timeout of 3 seconds on the connection, and closes it immediately after the scan completes. We do not query, read, or export your application's user data from standard application tables.
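The following is an added illustration of the kind of catalog-only session described in this section, not Supascan's own query set. It assumes a Supabase-style database with the standard anon role, a storage.buckets table with a public column, and an optional vault schema; the only data touched is Postgres metadata.

```sql
-- Added example: a catalog-only audit session (not Supascan's actual implementation).
-- Assumes a Supabase project with the standard 'anon' role and 'storage' schema.

-- Bound the session so no single statement or idle transaction can outlive the scan.
SET statement_timeout = '3s';
SET idle_in_transaction_session_timeout = '3s';

-- RLS enforcement: tables in the PostgREST-exposed 'public' schema with RLS disabled.
-- relrowsecurity = false means every row is readable by any role with table privileges.
SELECT n.nspname AS schema_name,
       c.relname  AS table_name,
       c.relrowsecurity AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       (SELECT count(*) FROM pg_policy p WHERE p.polrelid = c.oid) AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND NOT c.relrowsecurity;

-- SECURITY DEFINER function risk: definer functions the anonymous role may execute.
SELECT n.nspname AS schema_name,
       p.proname  AS function_name,
       pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- Network and scheduler extension exposure: are pg_net, http or pg_cron installed?
SELECT extname, extversion
FROM pg_extension
WHERE extname IN ('pg_net', 'http', 'pg_cron');

-- Public storage buckets: objects in these buckets are readable without a session.
SELECT id, name
FROM storage.buckets
WHERE public;

-- Vault schema accessibility: can anon even see the vault schema?
-- The WHERE clause keeps the query from erroring when the vault schema is absent.
SELECT has_schema_privilege('anon', 'vault', 'USAGE') AS anon_vault_usage
WHERE EXISTS (SELECT 1 FROM pg_namespace WHERE nspname = 'vault');
```

Each statement reads only pg_catalog, storage.buckets metadata, or privilege functions; none selects from an application table. A table with rls_enabled = true but policy_count = 0 is deny-by-default for non-owner roles, so only rls_enabled = false rows are reported as findings in the first query.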

3. Proof of Authorization (Consent Ledger)

Because Supascan interacts directly with database infrastructure, you must have explicit legal permission to scan the target database. By submitting a connection string, you warrant that you are the owner, or have the legal right and authorization from the owner, to scan the target database.

To prove authorization and prevent abuse, every scan event is recorded in our immutable internal Consent Ledger (scan_consent_log) before any connection to your database is opened. This record includes: your User ID (if authenticated), the Target Project Reference, your IP address, your browser User-Agent string, and a UTC timestamp. The ledger is append-only: entries cannot be modified or deleted by you or by us, and serve as a legal audit trail.

4. Acceptable Use and Rate Limiting

To protect our platform and your database from unintended load, we enforce strict rate limits:

You agree not to use automated scripts to rapidly trigger scans or attempt to circumvent rate limiting. Attempting to bypass these limits, or using the Service to scan unauthorized third-party databases, will result in immediate account termination and potential IP bans.

5. Security Score & Findings

Supascan generates a security score from 0–100 using a severity-weighted deduction model:

Scores map to grades: A (≥90), B (≥75), C (≥60), D (≥40), F (<40). Remediation SQL included in reports is generic best-practice SQL targeting system catalogs — it is not derived from your application data. Remediation SQL is available to Agency tier subscribers only.

6. Disclaimer of Warranty and Liability

The Service is provided on an "AS IS" and "AS AVAILABLE" basis. While Supascan relies on best practices to identify common misconfigurations and security issues:

In no event shall Supascan be liable for any direct, indirect, incidental, special, or consequential damages resulting from the use or the inability to use the Service.

7. Subscriptions and Payments

Certain features of Supascan are offered on a paid basis under the "Agency Plan", including unlimited projects, full remediation SQL access, full scan history (up to 100 entries per project), and PDF report generation. Payments are securely processed via our merchant of record, Lemon Squeezy. By subscribing, you agree to their terms of sale. Subscriptions are billed monthly and automatically renew unless cancelled. You may cancel your subscription at any time through the customer portal. There are no prorated refunds for partial months.

8. Account Termination

We reserve the right to suspend or terminate your account and refuse any and all current or future use of the Service for any reason at any time, including but not limited to abuse, unauthorized scanning, rate limit circumvention, or payment failure.

9. Changes to Terms

We reserve the right to modify these terms at any time. Your continued use of the Service following any such modification constitutes your acceptance of the new Terms & Conditions.

Contact us at support@supascan.com.