Ask HN: Would you recommend self-hosted Supabase for a large healthcare project?
I am the father of a 2-year-old, extremely premature son with a complicated medical condition. We visit more than 15 doctors and I decided, as a volunteer, to create a project next year that should help all parents and doctors to effectively exchange information, medical reports, records and visualization of various growth or health information, etc. I have already received a promise of cooperation and confirmation of the contribution of this project from a number of leading doctors from various hospitals.
I am an architect, developer and server administrator, team leader with more than 20 years of experience and dozens of large projects from analysis, through frontend/backend, to database, network and hardware.
I am considering whether to use the PostgreSQL database directly for the project and program all my own backend, or to use self-hosted Supabase with row-level security, which would eliminate approx. 70-80% backend for GraphQL/REST API. The time saved on backend programming could be spent on other useful functions for end users - integrating AI into some processes, etc.
The entire solution will be run on our own powerful servers (AMD EPYC 9554, Intel Optane NVME drives, 768GB DDR5 RAM)
Does anyone have any current experience (not more than 6 months old) on the basis of which you would recommend or not recommend Supabase for such a project? I've read a couple of negative experiences from 2023, but I wonder if it has improved over the last year. If you answer, please provide specific experience and why YES/NO.
Thank you very much for any advice. You didn't say if you'll have a front end. Supabase works best with single page apps. However a lot of the frameworks are moving towards server side react, so the need for having a rest API is going away. So I would actually say use nextjs and get an AI such as bolt to generate an MVP. If you are running AI such as LLM's you need GPU's. LLM's are constrained by memory bandwidth not CPU and GPUS have a ton of memory bandwidth. Postgres is always a sold choice and RLS is defence in depth anyway. Hey there, supabase ceo here. I did a cmd+f for "HIPAA" and didn't find it anywhere in your description. I don't mind whether you use supabase or not, but please make sure that you take care of patient data. Everything you do should be HIPAA compliant. The number 1 feature of your project should be security. Supabase is just Postgres + tools - it will be as secure as you decide to make it. Hi @kiwicopple, thank you for your reply. The project will be implemented in the EU and of course we will be subject to GDPR regulations and laws related to medical documentation. If the project is successful, we would like to provide the source code free of charge to responsible people in other countries, but that is far in the future. My post was more about whether the actual power-users of Supabase consider the current state and version of Supabase production-ready even for high-load deployments. If e.g. GraphQL performance is not a problem, etc. If we decide to use Supabase, it is definitely only with strict RLS and our own backend outside Supabase for critical API endpoints. It will be a completely self-hosted solution on your own physical servers, no cloud, no edge-functions, etc. Let me stop you at "effectively exchange information, medical reports". Have you considered the regulatory blockades here? Of course. I am already in contact with relevant people from the state administration who will help with regulatory issues. We are only at the beginning, so we do not yet know for sure which features will be problematic from a regulatory perspective. For some things, parental consent will be enough, for others more will be needed. But I believe that with competent professionals we will achieve a good result.