仅欧洲替代方案 Supabase.
Supabase is the open-source Firebase alternative: hosted Postgres + Auth + Storage + Edge Functions + Realtime with a polished developer experience. Supabase Inc. is a Delaware US corporation; the EU regions (Frankfurt, Ireland, London, Paris) run on AWS infrastructure under both Supabase and AWS US-jurisdictional control. The good news: Supabase is open-source. You can self-host the entire stack on EU infrastructure with full feature parity — that is the sovereign alternative we deploy for clients.
"欧盟区域"不等于主权。四个问题决定一切。
数据驻留告诉你数据在哪里。主权告诉你哪个法律体系可以强制访问。四个答案都必须成立——否则该技术栈就不主权。
数据物理存储在哪里?
不是"在云中"——而是哪个数据中心、在哪个国家、受哪个司法管辖区管辖。
您的数据路径中还有谁?
每一个接触数据的供应商:CDN、邮件中继、错误追踪、分析管道。
哪些法律可以强制披露?
美国总部的供应商受 FISA 702 和 CLOUD Act 管辖——即使数据存放在法兰克福。
谁实际持有加密密钥?
如果云供应商同时持有数据和密钥,无论 DPA 如何,他们都能读取数据。
在司法管辖权和密钥托管上失败。
欧盟数据、美国母公司、默认路径中的美国次级处理者、供应商管理的密钥。
四项全部通过。
托管在欧盟、由欧盟总部基础设施提供。默认路径中零美国次级处理者。客户持有或欧盟 KMS 密钥。在您的第 28 条 DPA 中按名称列出。
为什么团队正在退出 Supabase
Supabase exits we have run come from one consistent trigger: a B2B SaaS that picked Supabase for its DX, grew to enterprise customers, and discovered that "Supabase Frankfurt on AWS Ireland" is two layers of US-jurisdictional processors that fail Schrems II analysis. The Supabase team itself has publicly discussed the data sovereignty constraints on their blog. Self-hosting Supabase on EU infrastructure preserves the full DX (the same supabase-js client works) while moving to full EU jurisdiction.
Supabase 服务及其仅欧盟等效方案
迁移不是"换一个盒子"。下面的映射是我们为离开以下平台的客户运行的 Supabase 基于 Schrems II — 完全欧盟司法管辖权,数据路径中没有美国母公司。
| Supabase 服务 | 仅欧盟替代方案 | 工程说明 |
|---|---|---|
| Postgres (managed) | Self-hosted Supabase on Hetzner, OVH Managed PostgreSQL with Supabase services on top, Aiven | Self-hosted Supabase deploys via Docker Compose; the managed-by-Binadit version on Hetzner is the cleanest sovereign equivalent. |
| Auth (GoTrue) | Self-hosted GoTrue (it's open-source), Keycloak, Authentik (DE) | GoTrue is part of the open Supabase stack; self-hosting preserves the JWT-based auth with social logins, magic links, MFA. |
| Storage (S3-compatible) | Self-hosted Supabase Storage with MinIO backend, OVH Object Storage as direct alternative | Supabase Storage is a service layer over S3-compatible storage; works with any EU S3 backend. |
| Edge Functions (Deno) | Self-hosted Deno runtime on EU compute, Scaleway Serverless Functions, EdgeDB on EU infra | Edge Functions are Deno runtimes; the self-hosted equivalent runs on any EU container platform. |
| Realtime (Postgres CDC) | Self-hosted Supabase Realtime on EU compute, native Postgres LISTEN/NOTIFY, Hasura on EU | Realtime is open-source; self-hosting preserves the WebSocket-based pub/sub. |
| Vector embeddings (pgvector) | Self-hosted Postgres + pgvector on EU compute, Qdrant (DE-headquartered) self-hosted or cloud | For dedicated vector workloads, Qdrant Cloud EU is a sovereign-by-default alternative. |
| Studio (admin UI) | Self-hosted Supabase Studio (it's open-source), pgAdmin self-hosted | Studio is part of the self-hosted distribution. |
| Database backups | pg_dump scheduled to EU object storage, WAL-G to S3-compatible EU storage, Borgbase EU | WAL-G with EU object storage backend is the production-grade pattern. |
| API (PostgREST) | Self-hosted PostgREST on EU compute, Hasura, custom API layer | PostgREST is open-source; self-hosting preserves the REST API generation. |
| CLI / Migrations | Standard supabase-cli works with self-hosted instances, sqitch, Atlas | The Supabase CLI supports `--db-url` to point at self-hosted instances. |
我们如何迁移离开 Supabase
典型的中端市场迁移分三个阶段进行。以下数字假设一个 6-10 人的工程团队和中等复杂的应用程序技术栈。
Self-hosted Supabase deployment
Deploy self-hosted Supabase stack on Hetzner (Docker Compose or Kubernetes). Configure auth providers, storage backend, Edge Functions runtime. Set up monitoring and backups.
Database + auth migration
Postgres dump+restore to self-hosted instance. User accounts migrated via auth provider data export. Storage buckets mirrored. Edge Functions redeployed.
Application cutover
Application config updated to point at self-hosted Supabase URL. Same supabase-js client, same RLS policies, same auth flows. Cutover with a verification window.
Self-hosted Supabase on a single Hetzner CCX23 (€25/month) replaces Supabase Pro at $25/month-per-project plus per-project usage. For multi-project workloads, savings compound: a typical Supabase team plan ($599/month) becomes €40-100/month in raw infrastructure plus the managed-partner fee if you don't want to operate it yourself. Plus full EU jurisdiction.
常见问题
Is Supabase's EU region (Frankfurt, Ireland) sufficient for GDPR?
Residency yes, sovereignty no. Supabase Inc. is US-headquartered, and the Frankfurt/Ireland regions run on AWS — also US-jurisdictional. For Schrems II analyses, both layers are exposed.
Does self-hosted Supabase have full feature parity?
Yes for the core stack: Postgres, Auth (GoTrue), Storage, Edge Functions, Realtime, Studio, PostgREST. The supabase-js client works identically. The features that aren't in self-hosted: paid-tier features like team management UI and integrated logging dashboards (you build those with Loki + Grafana on EU infra).
How operationally complex is self-hosted Supabase?
For single-environment production, a single CCX23 Hetzner VM with Docker Compose is sufficient and operationally manageable for an experienced engineering team. For multi-environment or HA setups, Kubernetes with Helm chart is the production pattern; we operate this for clients.
Does the supabase-js client need code changes?
Just one: the URL points at your self-hosted instance instead of `*.supabase.co`. RLS policies, auth flows, storage URLs, realtime subscriptions — all unchanged.
What about managed Supabase EU equivalents?
There are emerging EU-headquartered offerings (Supascale, Supafast — both early-stage), but the production-ready answer is self-hosted Supabase managed by an EU partner. We deploy and operate this exact pattern.
How long does a Supabase exit take?
For a single-environment project (one Postgres, basic auth, a few buckets): 1–2 weeks elapsed. For multi-environment or large-data setups: 3–6 weeks. The migration is mechanically clean because everything is open-source upstream.