Database backup strategy is defined
Why it matters
A database without automated backups means a single corruption event, accidental deletion, or infrastructure failure permanently destroys every user record with no recovery path. NIST SP 800-53 CP-9 (System Backup) and ISO 27001:2022 A.8.13 mandate backup procedures as baseline controls. Supabase's free plan provides no automated backups — a fact that many vibe-coded projects never discover until after data loss. The absence of backups is not a theoretical risk: accidental table drops, failed migrations, and ransomware attacks all produce irreversible data loss without a tested restore procedure.
Severity rationale
Critical because a single database corruption or accidental deletion with no backup means permanent, unrecoverable loss of all user data, violating NIST CP-9 and ISO 27001:2022 A.8.13.
Remediation
Establish an automated backup schedule and verify it by performing a test restore before launch.
-- Supabase: automated daily backups on Pro plan
-- Verify at: Supabase Dashboard > Settings > Database > Backups
For Supabase free plan users, schedule supabase db dump -f backup-$(date +%Y%m%d).sql via a daily cron job or GitHub Actions workflow, storing dumps in a separate geographic region (S3, Backblaze B2). For Neon, PlanetScale, or AWS RDS, confirm your plan tier includes point-in-time recovery. A backup you have never restored is an untested backup — restore to a staging environment at least once before launch to confirm the procedure works.
Detection
- ID: db-backup
- Severity: critical
- What to look for: Count all database backup configurations and references. Enumerate whether automated backups are configured for the production database. For Supabase, look for backup settings references or documentation. For Prisma/PostgreSQL, look for backup scripts, cron job configurations, or backup service references (pg_dump scripts, AWS RDS automated backup config, PlanetScale/Neon backup docs). Check for backup-related environment variables or scripts in package.json. Check README for backup procedures.
- Pass criteria: A database backup strategy is documented or configured: platform-managed backups (Supabase paid plan, Neon, PlanetScale, AWS RDS), a backup script that runs on a schedule, or explicit documentation of backup procedures. For Supabase specifically: pass only if there is evidence of the Pro plan (e.g., project settings referencing Pro, billing configuration), a scheduled backup script (e.g., a pg_dump cron job or a GitHub Actions workflow calling supabase db dump), or documented backup procedures. Supabase's free plan has no automated backups — relying on the free plan without supplemental backup procedures is a FAIL. At least 1 automated backup schedule must be configured, with backups retained for at least 7 days.
- Fail criteria: No evidence of any backup strategy for a project that has a database dependency.
- Skip (N/A) when: No database dependency is detected. Signal: no database-related dependencies (prisma, drizzle, typeorm, sequelize, mongoose, pg, mysql2, @supabase/supabase-js, firebase-admin, etc.) in package.json.
- Cross-reference: For the rollback plan, see rollback-plan.
- Detail on fail: "Database detected but no backup strategy found — a corrupted or accidentally deleted database would be unrecoverable"
- Remediation: Without backups, a single database corruption event, accidental deletion, or infrastructure failure permanently destroys your users' data:
  -- Supabase: backups are automatic on Pro plan
  -- Verify in Supabase Dashboard > Settings > Database > Backups
  - Supabase: Automated daily backups are available on the Pro plan ($25/month). On the free plan, use the Supabase CLI to export: supabase db dump -f backup.sql. Schedule this with a cron job or GitHub Actions.
  - Neon/PlanetScale/CockroachDB: These services include automated backups — verify your plan level includes point-in-time recovery.
  - Self-managed PostgreSQL: Use pg_dump on a cron schedule. Store backups in a different geographic region (S3, Backblaze B2).
  - Firebase/Firestore: Use the export API to schedule regular exports to Google Cloud Storage.
  - Test your backup by restoring to a staging environment at least once before launch. A backup you've never restored is an untested backup.
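The db-backup detection logic above, as an added example that is not the project's own checker: a static scan over constructed package.json and workflow contents that returns skip, fail or pass as the criteria describe. The dependency list and the command patterns (pg_dump, supabase db dump, gcloud firestore export, point-in-time recovery mentions) are assumptions about what counts as evidence; the 7-day retention requirement is not checked.

```python
import json
import re
# Dependencies that signal a database is in use (the skip-criteria list above).
DB_DEPENDENCIES = {"prisma", "drizzle-orm", "typeorm", "sequelize", "mongoose",
                   "pg", "mysql2", "@supabase/supabase-js", "firebase-admin"}

# Concrete backup indicators (assumed). A bare "backup" keyword is deliberately
# not one: a README saying "TODO: set up backups" must not produce a pass.
BACKUP_EVIDENCE = [
    (r"\bpg_dump\b", "pg_dump invocation"),
    (r"\bsupabase\s+db\s+dump\b", "supabase db dump invocation"),
    (r"gcloud\s+firestore\s+export", "Firestore export command"),
    (r"point-in-time recovery|\bPITR\b", "platform point-in-time recovery documented"),
]

def has_database_dependency(package_json: str) -> bool:
    """True if package.json lists any known database client or ORM."""
    pkg = json.loads(package_json)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return bool(DB_DEPENDENCIES.intersection(deps))

def backup_evidence(files: dict) -> list:
    """Return 'path: label' for each backup indicator found in the repo files."""
    return [f"{path}: {label}" for path, text in files.items()
            for pattern, label in BACKUP_EVIDENCE if re.search(pattern, text, re.IGNORECASE)]

def evaluate_db_backup(files: dict) -> dict:
    """Apply the rule: skip without a database, fail without evidence, else pass.
    The 7-day retention requirement is not verifiable statically; check it manually."""
    result = {"id": "db-backup", "severity": "critical"}
    if not has_database_dependency(files.get("package.json", "{}")):
        return {**result, "status": "skip", "detail": "no database dependency detected"}
    hits = backup_evidence(files)
    if not hits:
        return {**result, "status": "fail", "detail": "Database detected but no backup strategy "
                "found — a corrupted or accidentally deleted database would be unrecoverable"}
    return {**result, "status": "pass", "detail": "; ".join(hits)}

# Constructed sample repositories (path -> contents), one per outcome.
SAMPLE_PROJECTS = {
    "static-site": {"package.json": '{"dependencies": {"next": "14.0.0"}}'},
    "prisma-no-backup": {"package.json": '{"dependencies": {"prisma": "5.0.0"}}',
                         "README.md": "TODO: set up backups."},
    "supabase-cron": {"package.json": '{"dependencies": {"@supabase/supabase-js": "2.0.0"}}',
                      ".github/workflows/backup.yml": "on:\n  schedule:\n    - cron: '0 3 * * *'\n"
                      "jobs:\n  dump:\n    steps:\n      - run: supabase db dump -f backup.sql\n"},
}

if __name__ == "__main__":
    for name, files in SAMPLE_PROJECTS.items():
        print(name, evaluate_db_backup(files)["status"])
```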
External references
- nist:rev5 · CP-9 — System Backup
- iso-27001:2022 · A.8.13 — Information backup
- iso-25010:2011 · reliability.recoverability
Taxons
History
- 2026-04-18·v1.0.0·Initial import from pre-launch·automated