Tags: Supabase, HR Tech, RLS

Supabase and HR software: configuration mistakes that expose payslips

Published on 2026-04-16 · 6 min read · Florian

Why Supabase deserves a special look in HR

Supabase helps small product teams ship fast. In HR or payroll software, that speed does not remove the need for very strict separation.

For more, see our payroll software security review.

The risk is not Supabase itself. The risk comes from incomplete RLS policies, document buckets that are too open, or access logic enforced in the frontend instead of in the data layer.

The most common mistakes

RLS exists but is incomplete

A policy is present, so the team assumes the table is safe. In practice, the policy may only check that the caller is signed in (for example `auth.uid() IS NOT NULL`) and never encode the organization boundary, the manager's scope, or the employee-to-company relationship. Since Postgres combines permissive policies with OR, one such broad policy also cancels out any stricter policy that sits beside it.
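As an added example (not code from the article or from Supabase), here is what an incomplete policy and a scoped replacement look like on a hypothetical HR schema. The table and column names (`organizations`, `memberships`, `employees`, `payslips`) are assumptions for illustration; `auth.uid()` is Supabase's helper that returns the caller's user id from the JWT. The EXISTS subqueries run under the RLS of the tables they read, so those tables need scoped policies of their own, shown at the end.

```sql
-- Added example: hypothetical HR schema, not the article's or Supabase's code.
-- Table/column names are assumptions. auth.uid() is Supabase's JWT helper.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (                   -- who belongs to which company, as what
  user_id uuid not null,                     -- auth.users.id
  org_id  uuid not null references organizations(id),
  role    text not null check (role in ('employee', 'manager', 'admin')),
  primary key (user_id, org_id)
);

create table employees (                     -- the HR record, one per org
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null references organizations(id),
  user_id    uuid,                           -- auth.users.id, null until the person signs up
  manager_id uuid references employees(id)   -- direct line manager, same org
);

create table payslips (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null references organizations(id),
  employee_id uuid not null references employees(id),
  period      date not null,
  net_amount  numeric(12, 2) not null
);

-- RLS on for every table; without it the policies below are never consulted.
alter table memberships enable row level security;
alter table employees   enable row level security;
alter table payslips    enable row level security;

-- INCOMPLETE: "a policy exists", but it only checks that the caller is signed in.
-- Any authenticated user, from any company, can read every payslip row.
create policy "payslips_read_incomplete" on payslips
  for select to authenticated
  using (auth.uid() is not null);

-- Permissive policies are OR-ed together, so the broad one above would override
-- anything stricter added beside it. Remove it before adding scoped policies.
drop policy "payslips_read_incomplete" on payslips;

-- 1. An employee reads only their own payslips, and only inside their own org.
create policy "payslips_read_own" on payslips
  for select to authenticated
  using (
    exists (
      select 1 from employees e
      where e.id      = payslips.employee_id
        and e.org_id  = payslips.org_id      -- org boundary, not just the employee id
        and e.user_id = auth.uid()
    )
  );

-- 2. A manager reads the payslips of their direct reports in the same org.
create policy "payslips_read_reports" on payslips
  for select to authenticated
  using (
    exists (
      select 1
      from employees report
      join employees mgr on mgr.id = report.manager_id
                        and mgr.org_id = report.org_id
      where report.id     = payslips.employee_id
        and report.org_id = payslips.org_id
        and mgr.user_id   = auth.uid()
    )
  );

-- 3. An org admin reads every payslip of that org, and nothing from other orgs.
create policy "payslips_read_admin" on payslips
  for select to authenticated
  using (
    exists (
      select 1 from memberships m
      where m.user_id = auth.uid()
        and m.org_id  = payslips.org_id
        and m.role    = 'admin'
    )
  );

-- The lookup tables need their own policies, or the EXISTS subqueries above
-- see nothing (a caller must therefore also hold a memberships row).
create policy "memberships_read_own" on memberships
  for select to authenticated using (user_id = auth.uid());

create policy "employees_read_same_org" on employees
  for select to authenticated
  using (org_id in (select org_id from memberships where user_id = auth.uid()));
```

No INSERT, UPDATE or DELETE policy is created for `authenticated`, so with RLS enabled those operations are denied and payroll writes stay with the backend's service role. Note that `employees_read_same_org` exposes the whole org directory to every member; if that directory is itself sensitive, scope it the same way as the payslips.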

Document buckets are too permissive

Payslips, contracts, and supporting documents are sometimes less protected in storage than in the app. Table-level RLS says nothing about the bucket: storage has its own policies on `storage.objects`, and a bucket that is public, or whose policy only checks that the caller is signed in, lets any user list and download every file in it regardless of what the payslips table allows.
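As an added example (not the article's or Supabase's own code), here is a too-permissive storage policy beside a scoped one for a hypothetical private `payslips` bucket. The bucket name, the key layout `<org_id>/<employee_id>/<period>.pdf`, and the `employees` table (with `id`, `org_id`, `user_id`, `manager_id`, readable under its own RLS policy) are assumptions; `storage.foldername()` is Supabase's helper that splits an object key into its folder segments.

```sql
-- Added example: Supabase Storage policies for a hypothetical private bucket.
-- Bucket name, path layout and the employees table are assumptions.
-- Object keys are assumed to follow <org_id>/<employee_id>/<period>.pdf.
insert into storage.buckets (id, name, public)
values ('payslips', 'payslips', false);   -- public = false: no anonymous URL access

-- TOO PERMISSIVE: every signed-in user can list and download every payslip PDF,
-- whatever table-level RLS says about the payslips rows.
create policy "payslips_files_any_user" on storage.objects
  for select to authenticated
  using (bucket_id = 'payslips');

drop policy "payslips_files_any_user" on storage.objects;

-- SCOPED: the first path segment must be the org of an employee record, the
-- second that employee's id, and the caller must be that employee or their
-- direct manager. storage.foldername(name) returns the folder segments as text[].
create policy "payslips_files_scoped" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'payslips'
    and exists (
      select 1 from employees e
      where e.org_id::text = (storage.foldername(name))[1]
        and e.id::text     = (storage.foldername(name))[2]
        and (
          e.user_id = auth.uid()                                   -- own file
          or exists (select 1 from employees mgr                   -- direct report's file
                     where mgr.id      = e.manager_id
                       and mgr.org_id  = e.org_id
                       and mgr.user_id = auth.uid())
        )
    )
  );

-- Uploads come only from the payroll backend (service role bypasses RLS), so no
-- INSERT/UPDATE/DELETE policy is created for authenticated users: with RLS
-- enabled on storage.objects and no policy, those operations are denied.
```

The SELECT policy on `storage.objects` governs both listing and download through the Storage API. A signed URL, once issued, is a bearer capability for that object until it expires, so treat generating one like a download and keep the expiry short.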

Access logic lives in the frontend

The UI hides the right screens, but the anon key and the user's JWT that the frontend uses are visible to anyone who opens the browser's developer tools. If the real protection is not enforced by the database or backend, the same data can still be retrieved with a direct API call that never goes through the UI.

What HR teams should review

  • which RLS policies protect critical tables;
  • how roles are scoped per company and user;
  • who can list, read, or download documents;
  • whether a manager can see more than their real scope;
  • how payroll exports are delivered and protected.
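The review points above can be turned into a repeatable check. As an added example (not from the article), the script below impersonates users from SQL and asserts on what each one can see; it assumes the tables `organizations`, `memberships`, `employees` and `payslips` with scoped SELECT policies already in place, and every name and UUID in it is constructed for the test. It sets the `request.jwt.claims` and `request.jwt.claim.sub` settings that Supabase's `auth.uid()` reads, and switches to the `authenticated` role, which needs a connection allowed to `SET ROLE authenticated` (for example the `postgres` user).

```sql
-- Added example: checking RLS scope from SQL. Not from the original article.
-- Assumes organizations, memberships, employees(id, org_id, user_id, manager_id)
-- and payslips(org_id, employee_id, period, net_amount) with scoped policies.
-- All names and UUIDs below are constructed; the whole run is rolled back.
begin;

-- 1. Constructed fixture, inserted as the table owner (owner bypasses RLS).
insert into organizations (id, name) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Acme'),
  ('bbbbbbbb-0000-0000-0000-000000000001', 'Globex');

insert into memberships (user_id, org_id, role) values
  ('11111111-0000-0000-0000-000000000001', 'aaaaaaaa-0000-0000-0000-000000000001', 'manager'),
  ('22222222-0000-0000-0000-000000000001', 'aaaaaaaa-0000-0000-0000-000000000001', 'employee'),
  ('33333333-0000-0000-0000-000000000001', 'bbbbbbbb-0000-0000-0000-000000000001', 'employee');

insert into employees (id, org_id, user_id, manager_id) values
  ('e1000000-0000-0000-0000-000000000001', 'aaaaaaaa-0000-0000-0000-000000000001',
   '11111111-0000-0000-0000-000000000001', null),
  ('e2000000-0000-0000-0000-000000000001', 'aaaaaaaa-0000-0000-0000-000000000001',
   '22222222-0000-0000-0000-000000000001', 'e1000000-0000-0000-0000-000000000001'),
  ('e3000000-0000-0000-0000-000000000001', 'bbbbbbbb-0000-0000-0000-000000000001',
   '33333333-0000-0000-0000-000000000001', null);

insert into payslips (org_id, employee_id, period, net_amount) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'e1000000-0000-0000-0000-000000000001', '2026-03-01', 4100.00),
  ('aaaaaaaa-0000-0000-0000-000000000001', 'e2000000-0000-0000-0000-000000000001', '2026-03-01', 2950.00),
  ('bbbbbbbb-0000-0000-0000-000000000001', 'e3000000-0000-0000-0000-000000000001', '2026-03-01', 3200.00);

-- 2. Helpers (hypothetical names, created before the role switch, gone at rollback).
--    act_as(): set the JWT claims auth.uid() reads, for the rest of the transaction.
create function public.rls_test_act_as(uid uuid) returns void language sql as $$
  select set_config('request.jwt.claims',
                    json_build_object('sub', uid, 'role', 'authenticated')::text, true);
  select set_config('request.jwt.claim.sub', uid::text, true);
$$;

--    expect_visible(): count payslips visible to the current caller (optionally
--    within one org) and fail loudly if the number is not what scope allows.
create function public.rls_test_expect_visible(expected int, label text, org uuid default null)
returns void language plpgsql as $$
declare n int;
begin
  select count(*) into n from payslips where org is null or org_id = org;
  if n <> expected then
    raise exception '%: sees % payslips, expected %', label, n, expected;
  end if;
end $$;

-- 3. Run every query as the API role; RLS now applies to each count.
set local role authenticated;

select public.rls_test_act_as('22222222-0000-0000-0000-000000000001');   -- Acme employee
select public.rls_test_expect_visible(1, 'Acme employee, own payslip only');

select public.rls_test_act_as('11111111-0000-0000-0000-000000000001');   -- Acme manager
select public.rls_test_expect_visible(2, 'Acme manager, self plus one direct report');
select public.rls_test_expect_visible(0, 'Acme manager must see nothing in Globex',
                                      'bbbbbbbb-0000-0000-0000-000000000001');

select public.rls_test_act_as('33333333-0000-0000-0000-000000000001');   -- Globex employee
select public.rls_test_expect_visible(1, 'Globex employee, own payslip only');

select public.rls_test_act_as('99999999-0000-0000-0000-000000000001');   -- signed in, no org
select public.rls_test_expect_visible(0, 'authenticated user with no membership');

rollback;   -- discards fixture and helpers; SET LOCAL ROLE reverts as well
```

Run it in CI against a migrated database: any policy that widens the scope (or a new permissive policy that quietly OR-s itself in) makes one of the assertions fail before it reaches a client. The last case is the one teams forget most, a valid login that belongs to no company at all.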
Our view

For HR SaaS, the real question is not "did we enable RLS?" but "does our separation still hold when someone steps outside the happy path?"

For HR & Payroll vendors

CleanIssue specializes in security reviews for HR, payroll, and recruiting software. If you're building an HRIS, payroll tool, or ATS and want an external review of your exposure before a client audit or security questionnaire, see our offer for HR & Payroll vendors.


Written by Florian
Reviewed on 2026-04-16

Editorial analysis based on official vendor, project, and regulator documentation.
