How ARIA protects sensitive veterinary research data
Updated July 2026 — reflects controls currently deployed
Production-ready access controls are live: authentication, per-user row-level security, admin gating, audit logging, AI rate limiting, and email verification on every sign-in. Multi-institution data walls and formal HIPAA BAA remain on the institutional roadmap.
In July 2026, ARIA underwent a two-stage security assessment of the production deployment at vivariumos.com:
All confirmed critical and high findings were remediated, including unauthenticated admin and clinical APIs, protocol IDOR, open row-level security, and public internal endpoints. Email MFA and an admin activity dashboard were added after that review.
Items marked roadmap or partial below (multi-institution walls, role enforcement, HIPAA BAA) were not part of the confirmed finding set — they are planned for multi-site institutional deployment.
| Control | Status |
|---|---|
| Email/password authentication | ✓ Live |
| Per-user data isolation (RLS) | ✓ Live |
| Admin access control | ✓ Live |
| Audit logging | ✓ Live |
| Institution tenancy | ◐ Partial |
| AI rate limiting | ✓ Live |
| Multi-factor authentication | ✓ Live |
| Role-based access (IACUC Admin/Veterinarian/Reviewer/Scientist) | ○ Roadmap |
| Encryption in transit (TLS) | ✓ Infrastructure |
| Encryption at rest | ✓ Infrastructure |
| HIPAA BAA | ○ Roadmap |
We take security seriously. Contact us for institutional security reviews, DPAs, or questions about our controls.
Contact Us