🔒

Security

How ARIA protects sensitive veterinary research data

Updated July 2026 — reflects controls currently deployed

Production-ready access controls are live: authentication, per-user row-level security, admin gating, audit logging, AI rate limiting, and email verification on every sign-in. Multi-institution data walls and formal HIPAA BAA remain on the institutional roadmap.

Independent Security Review

In July 2026, ARIA underwent a two-stage security assessment of the production deployment at vivariumos.com:

  • Internal review — code audit and live API probing
  • Fable validation — independent confirmation of findings with repro steps and severity ratings

All confirmed critical and high findings were remediated, including unauthenticated admin and clinical APIs, protocol IDOR, open row-level security, and public internal endpoints. Email MFA and an admin activity dashboard were added after that review.

Items marked roadmap or partial below (multi-institution walls, role enforcement, HIPAA BAA) were not part of the confirmed finding set — they are planned for multi-site institutional deployment.

Current Security Status

ControlStatus
Email/password authentication✓ Live
Per-user data isolation (RLS)✓ Live
Admin access control✓ Live
Audit logging✓ Live
Institution tenancy◐ Partial
AI rate limiting✓ Live
Multi-factor authentication✓ Live
Role-based access (IACUC Admin/Veterinarian/Reviewer/Scientist)○ Roadmap
Encryption in transit (TLS)✓ Infrastructure
Encryption at rest✓ Infrastructure
HIPAA BAA○ Roadmap
🔐

Access Control

  • ✓ Sign-in required for all app pages and APIs
  • ✓ Users can only access their own protocols and sessions
  • ✓ Admin dashboard restricted to designated admins
  • ✓ Email verification code on every sign-in
  • ✓ Optional authenticator app (Settings → Security → Advanced)
  • ○ Per-institution data walls (in progress)
📋

Audit & Compliance

  • ✓ Mutation audit trail (who, what, when)
  • ✓ Admin activity dashboard with user-aware protocols and sessions
  • ✓ IACUC protocol versioning
  • ○ Exportable compliance reports (roadmap)
🤖

AI Data Handling

  • ✓ Google Gemini paid tier (no free-tier training exposure)
  • ✓ Per-user AI rate limits (Upstash Redis)
  • ○ Formal DPA documentation per institution (on request)
👔

For IT Security Reviews

  • Architecture: Next.js on Vercel, Supabase Postgres + Auth
  • Internal + Fable security review (July 2026) — confirmed findings remediated
  • Contact us for questionnaire responses and DPA/BAA discussion

Security Questions?

We take security seriously. Contact us for institutional security reviews, DPAs, or questions about our controls.

Contact Us