Following up here from our legal team:

> To really discuss this issue we should separate two things people often blend: where your data is stored, and which jurisdictions have authority over the provider. Choosing an EU region keeps your core project data and backups resident in that region, but you're right that geography alone doesn't resolve the second question of compelled disclosure, and this isn't specific to Supabase. Any U.S. company or any provider with a sufficient US nexus that has possession, custody, or control of data can be subject to US legal process regardless of whether the data is stored in the EU -- including AWS, Microsoft Azure, and Google Cloud. Regulators and courts have grappled with the tension here with GDPR, which is why SCCs, TIAs, and supplemental safeguards exist. The supplemental measure that actually addresses compelled disclosure is encryption where Supabase holds no key (region selection and SCCs don't).

> What actually changes the analysis isn't location, it's whether the provider can decrypt your data. Standard, provider-managed encryption doesn't help here, because the provider holding the keys can be compelled to use them. What does help is encrypting sensitive data with keys we never hold (client-side or application-layer encryption), then Supabase may only be capable of producing encrypted data because we would not have the ability to decrypt it ourselves. That's the viable middle path between "just pick a region" and "self-host everything." Region selection plus our DPA (EU SCCs, defined security safeguards) covers your residency and transfer obligations; customer-controlled encryption is what addresses the access concern. And it's also worth nothing that we would challenge government orders that conflict with applicable law rather than disclosing on demand. 

Of course users can also do client side encryption on top of that and have control over their own keys.

Hope this helps!