What BackupDrill protects

A backup vendor should tell you exactly where the boundary is before you need it, not after. This page is the single honest answer: what a BackupDrill backup contains, what a restore drill actually proves, and what is not covered at all.

The coverage matrix

LayerBacked upRestore-drilledNotes
Database — public schema (tables, data, indexes, constraints, triggers)YesYesEvery backup; drills restore it into a throwaway Postgres and verify against the manifest.
Database — additional schemas you own (CLI only)If configuredIf configuredHosted projects back up public today. The open-source CLI can dump additional schemas you own via its schemas setting.
Supabase Auth data (auth.users, identities, sessions)NoNoPlatform-managed schema — not in the dump. Supabase's own daily backups and PITR do include it.
Storage files (uploads, avatars, documents)If configuredIf configuredOptional at project setup. When configured: synced every backup, sha256 in the manifest, checksums verified in drills.
Storage re-upload on restoreManualNoRestore downloads files to a local folder; putting them into a new project's Storage is a manual step.
Edge Functions source, Auth/PostgREST config, secretsNoNoNot covered. SimpleBackups covers more of this config layer — compared honestly below.

The Restore-drilled column applies when your plan includes drills — monthly on Solo, weekly on Team and Agency; the Free plan gets one drill on its first backup, then backs up without scheduled drilling.

The Auth row deserves emphasis: your user accounts live in the Supabase-managed auth schema, which BackupDrill does not dump — dumping platform-managed schemas as a non-superuser is restricted, so we scope to schemas you own. Supabase’s built-in backups do include it, which is one reason to treat us as a complement to the platform’s own safety net, not a replacement for it.

Two dimensions, one badge

Protection is two independent dimensions, and your console shows both on every project — for example DB + Storage · weekly drills or DB-only · one-time drill on Free. The goal state is DB + Storage, drilled: everything in your bucket, and proof it comes back.

What is covered: DB-only vs DB + Storage

DB-only means your database schemas reach your bucket but Storage files do not — after a database-only restore, your own tables' file URLs come back while the files behind them are gone. DB + Storage means both land in your bucket together, with a sha256 checksum for every file in the manifest.

Move up: Move up by adding your project's Storage S3 credentials (four fields) in the project settings.

Whether restores are proven: drill cadence

Drills regularly restore your latest snapshot into a throwaway Postgres and verify it, emailing the report either way. Cadence comes from your plan: one drill on your first backup on Free, monthly on Solo, weekly on Team and Agency.

Move up: Move up by upgrading your plan — backups that are never restore-tested are a hope, not a guarantee.

What a passed drill proves — and what it doesn’t

A passed drill means your latest snapshot was downloaded from your bucket, its checksum matched, pg_restore completed into a clean Postgres, your indexes/constraints/triggers came back, the table count matched the manifest, populated tables restored non-empty — and, when the snapshot contains Storage files, a sample of their checksums matched. That is strong evidence the backup is recoverable — not an unconditional guarantee about any future restore, and not a test of Supabase-managed objects, which do not exist in the drill sandbox. The full check list is in the restore-testing guide.

Covering the gaps

  • Auth data:keep Supabase’s built-in backups (or PITR) alongside us — they cover the platform schemas we cannot reach.
  • Storage files: add your Storage S3 credentials — four fields in the project form. Without them, every file URL 404s after a database-only restore.
  • Edge Functions and platform config: keep them in git; for a managed option, SimpleBackups covers more of that layer (and we say so).

Unsure what level your project is at? Open the console — every project shows its protection level next to its health.