A properly configured and secured Arvados deployment should comply with HIPAA Security and Privacy standards §164.312 Technical safeguards. Along with proper Administrative and Physical safeguards, Arvados may be used as a component in building systems that are compliant with HIPAA, GxP, and other regulatory regimes.

Access Control

i. Unique user identification.

Arvados is a multi-user system. Each user accessing protected data is given a separate account. Every access (API call) to the system must provide a valid access token that identifies the user.

ii. Emergency access procedure.

All data uploaded to Arvados is private by default. However, in an emergency, system administrators can access protected data in accordance with organizational processes and procedures.

iii. Automatic logoff.

Arvados can be configured so that idle user sessions automatically log off, and that all access tokens automatically expire.

iv. Encryption and decryption.

Arvados achieves encryption at rest by being deployed on top of whole disk encryption and/or utilizing encrypted cloud buckets.

Audit Controls

Each access to the system is recorded in a log, with an associated request id. A “logs” table records changes to the system, and collection versioning provides a history of changes to a given data set.

Data Integrity

Use of immutable, hash-based identifiers for data sets enables the receiver to verify that the data requested is the data returned. Collection versioning provides a history of changes to a given data set.

Authentication

Arvados integrates with various enterprise authentication mechanisms, including LDAP and OpenID Connect, to verify the identity of a user.

Transmission Security

Arvados uses industry standard TLS to encrypt all data in transit. Use of immutable, hash-based identifiers for data sets enables the receiver to verify that the data was not modified in transit.