Platform
Backend: a Supabase foundation for serious AI software delivery
Authentication, a real Postgres database, file storage and row-level security arrive with your app — not as a separate project you have to wire up.
The Ciao backend is Supabase-powered: authentication, a Postgres database, file storage, row-level security and APIs generated alongside your application. Unlike spreadsheet-backed app builders, Ciao gives every project a real relational database with access rules enforced at the database itself — standard infrastructure your engineers can inspect and query, and that you own along with the rest of the code.
Published 2026-07-03 · Last updated 2026-07-03
Real apps need a real data layer
Every serious application is a database wearing a user interface. The data layer is also where app builders usually cut corners: spreadsheets as storage, sign-in bolted on, permissions as a hope. It works in the demo — and then a second team, real customers or an auditor shows up.
Ciao gives every application a Supabase-powered backend: authentication, a Postgres database, file storage, row-level security and APIs — generated alongside the application and evolving with it. It is the infrastructure engineers would choose deliberately, arriving without the setup. And because it arrives with the application, the data model and the interface never drift apart — one describes the other.
How the backend comes together
The backend is generated with the application and grows through the same loop.
1. Describe the data in plain language
"Customers have subscriptions; invoices belong to customers" becomes a relational schema in Postgres, with proper types and relationships.
2. Authentication is wired in
Sign-in, sessions and user management exist from the start, because auth is the foundation every access rule builds on.
3. Row-level security enforces who sees what
Access rules live in the database itself: a user's queries can only touch the rows policy allows, even if a bug slips into application code.
4. Storage handles the files
Uploads, documents and images get a home with the same access rules applied — not a public bucket someone meant to lock down later.
5. APIs expose the data
Generated endpoints let your application — and your integrations — work with the data in a controlled, consistent way.
6. The schema evolves under governance
Changes arrive as migrations on branches, through review and QA gates, so the data layer grows up with the product instead of fighting it.
Why it matters
Row-level security is the detail worth pausing on. Application-level permission checks fail open: one forgotten condition and data leaks. Row-level security fails closed — the database refuses what policy does not allow. Ciao's Security layer then probes those boundaries against the live application, so "the permissions work" is tested, not assumed.
And because it is Supabase and Postgres — standard, widely used infrastructure — nothing about your data layer is proprietary. Engineers can query it directly, and if you export the application, the schema and data model go with you. 100% ownership includes the backend.
The backend is also where AI-assisted development most needs discipline, because data outlives features. Screens get rebuilt; schemas accumulate. Generating the data layer through governed migrations — reviewed, tested, recorded — means the database five hundred changes from now is still a schema someone can read, not an archaeology site with a login page.
Who uses it
A real data layer changes what each role can rely on.
- Non-engineers — They get a correct data layer — real schema, enforced permissions — without needing to know what one is.
- Engineers — Standard Postgres they can inspect and query, with no proprietary storage engine waiting to surprise them at export.
- Agencies — Every client build stands on the same reliable foundation instead of whatever the week's project improvised.
- Regulated teams — Enforced access rules, probed boundaries and an audit trail — the data-layer story compliance actually asks about.
Security and governance notes
- ✓ Row-level security enforces access at the database, not just in the UI.
- ✓ Access-control probes from Ciao Security exercise those rules against the live app.
- ✓ Schema changes ship as migrations through branches, review and QA gates.
- ✓ Role-based access control governs who can change the data layer.
- ✓ File storage inherits the same access rules as the data it belongs to.
- ✓ Customer code is not used to train models; inference runs under zero-retention model contracts.
- ✓ The schema is standard Postgres — exportable with your application at any time.
What every Ciao backend includes
Everything in this table ships with every project — none of it is an upgrade.
| Capability | What you get |
|---|---|
| Authentication | Sign-in, sessions and user management wired into the app from the start |
| Postgres database | A real relational schema generated from plain-language descriptions |
| File storage | Uploads and documents with the same access rules applied |
| Row-level security | Access enforced by the database itself, probed against the live app |
| APIs | Generated endpoints for your application and its integrations |
Frequently asked questions
Is the backend locked to Ciao?
No. It is Supabase-powered, standard Postgres, and exporting your application includes the schema and data model. There is no proprietary storage engine between you and your data.
What is row-level security in practice?
Policies that live in the database and decide, per row, what each user can read or write. If application code has a bug, the database still refuses queries the policy does not allow — permissions fail closed instead of open.
Can our engineers work with the database directly?
Yes — it is standard Postgres, so they can inspect and query it with the tools they already use. Schema changes still flow through governed migrations, so direct access does not become undocumented change.
Can we bring existing data into a Ciao app?
Yes — describe the shape of what you have and the schema is built to receive it, with imports handled as part of the build. For larger or more sensitive migrations, talk it through with the team first.
How does the backend interact with security testing?
Access-control probes attempt cross-boundary reads and writes against the live application — the row-level security policies are exercised, not just reviewed. The results feed the safe-to-publish dashboard.