A database without automated backups means a single corruption event, accidental deletion, or infrastructure failure permanently destroys every user record with no recovery path. NIST SP 800-53 CP-9 (System Backup) and ISO 27001:2022 A.8.13 mandate backup procedures as baseline controls. Supabase's free plan provides no automated backups — a fact that many vibe-coded projects never discover until after data loss. The absence of backups is not a theoretical risk: accidental table drops, failed migrations, and ransomware attacks all produce irreversible data loss without a tested restore procedure.
Critical because a single database corruption or accidental deletion with no backup means permanent, unrecoverable loss of all user data, violating NIST CP-9 and ISO 27001:2022 A.8.13.
Establish an automated backup schedule and verify it by performing a test restore before launch.
-- Supabase: automated daily backups on Pro plan
-- Verify at: Supabase Dashboard > Settings > Database > Backups
For Supabase free plan users, schedule supabase db dump -f backup-$(date +%Y%m%d).sql via a daily cron job or GitHub Actions workflow, storing dumps in a separate geographic region (S3, Backblaze B2). For Neon, PlanetScale, or AWS RDS, confirm your plan tier includes point-in-time recovery. A backup you have never restored is an untested backup — restore to a staging environment at least once before launch to confirm the procedure works.
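The scheduled dump described above, written out as an added example (not code from the original page or from Supabase). It goes slightly beyond the text: `supabase db dump` writes schema only unless `--data-only` is passed, so it takes two dumps per day, rejects empty output, and keeps the newest 7 of each kind. BACKUP_DIR, KEEP, DUMP_CMD, dump_one and prune are assumed names, and the project is assumed to be already linked for the Supabase CLI.

```shell
#!/bin/sh
# Added example (not from the page): daily Supabase dump with a sanity check
# and count-based retention. BACKUP_DIR, KEEP and DUMP_CMD are assumed names.
set -eu

BACKUP_DIR="${BACKUP_DIR:-./backups}"
KEEP="${KEEP:-7}"                      # one dump per day => 7 days retained
DUMP_CMD="${DUMP_CMD:-supabase db dump}"

# dump_one KIND [extra flags]: write backup-YYYYMMDD-KIND.sql atomically.
dump_one() {
  kind="$1"; shift
  out="$BACKUP_DIR/backup-$(date +%Y%m%d)-$kind.sql"
  tmp="$out.partial"
  mkdir -p "$BACKUP_DIR"
  # Dump to a temporary name so a failed run never replaces a good file.
  if ! $DUMP_CMD "$@" -f "$tmp"; then
    rm -f "$tmp"; echo "dump ($kind) failed" >&2; return 1
  fi
  # An empty file means the dump silently produced nothing.
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"; echo "dump ($kind) is empty" >&2; return 1
  fi
  mv "$tmp" "$out"
  echo "$out"
}

# prune KIND: keep the newest $KEEP files of that kind, delete the rest.
# Names sort chronologically because the stamp is YYYYMMDD.
prune() {
  ls "$BACKUP_DIR"/backup-*-"$1".sql 2>/dev/null | sort -r |
    tail -n +"$((KEEP + 1))" | while IFS= read -r old; do rm -f "$old"; done
}

# Invoke as: backup.sh run   (from cron or a CI schedule)
if [ "${1:-}" = "run" ]; then
  dump_one schema              # default dump is schema only
  dump_one data --data-only    # table rows need an explicit flag
  prune schema
  prune data
  # Copy $BACKUP_DIR to off-region storage here (tool choice is site-specific).
fi
```

Pruning by count rather than file age keeps the last good dumps in place if the job stops running for a while.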
ID: pre-launch.monitoring.db-backup
Severity: critical
What to look for: Count all database backup configurations and references, and determine whether automated backups are configured for the production database. For Supabase, look for backup settings references or documentation. For Prisma/PostgreSQL, look for backup scripts, cron job configurations, or backup service references (pg_dump scripts, AWS RDS automated backup config, PlanetScale/Neon backup docs). Check for backup-related environment variables or scripts in package.json. Check README for backup procedures.
Pass criteria: A database backup strategy is documented or configured: platform-managed backups (Supabase paid plan, Neon, PlanetScale, AWS RDS), a backup script that runs on a schedule, or explicit documentation of backup procedures. For Supabase specifically: pass only if there is evidence of the Pro plan (e.g., project settings referencing Pro, billing configuration), a scheduled backup script (e.g., pg_dump cron or GitHub Actions workflow calling supabase db dump), or documented backup procedures. Supabase's free plan has no automated backups — relying on the free plan without supplemental backup procedures is a FAIL. At least 1 automated backup schedule must be configured with backups retained for at least 7 days.
Fail criteria: No evidence of any backup strategy for a project that has a database dependency.
Skip (N/A) when: Skip if no database dependency is detected. Signal: no database-related dependencies (prisma, drizzle, typeorm, sequelize, mongoose, pg, mysql2, @supabase/supabase-js, firebase-admin, etc.) in package.json.
Cross-reference: For rollback plan, see rollback-plan.
Detail on fail: "Database detected but no backup strategy found — a corrupted or accidentally deleted database would be unrecoverable"
Remediation: Without backups, a single database corruption event, accidental deletion, or infrastructure failure permanently destroys your users' data:
-- Supabase: backups are automatic on Pro plan
-- Verify in Supabase Dashboard > Settings > Database > Backups
Run supabase db dump -f backup.sql and schedule it with a cron job or GitHub Actions, or run pg_dump on a cron schedule. Store backups in a different geographic region (S3, Backblaze B2).