Security Whitepaper

1. Security Overview

LabAnimal treats data security as its highest priority. As a laboratory animal compliance management system, the data we handle involves research protocols, animal welfare records, and audit trails. The integrity and confidentiality of this data are critical. This document details our security architecture and practices.

2. Data Encryption

2.1 Transport Encryption

• All data transmissions use TLS 1.3 encryption
• Forced HTTPS with automatic HTTP request redirect
• HSTS (HTTP Strict Transport Security) enabled
• Certificate Transparency logging

2.2 Storage Encryption

• Passwords stored with bcrypt hashing (cost factor 12)
• JWT tokens signed with RS256 (RSA + SHA-256)
• Database connections use SSL
• Sensitive configurations stored in environment variables, not hardcoded

3. Authentication and Authorization

3.1 Authentication

• JWT (JSON Web Token) stateless authentication
• Password strength requirements: 8+ characters, including uppercase, lowercase, and numbers
• Login failure rate limit: 5 attempts/minute
• Registration rate limit: 3 attempts/minute

3.2 Access Control

• Role-Based Access Control (RBAC): Owner / Admin / Member / Viewer
• PostgreSQL Row-Level Security (RLS): enabled on 18 tables
• API-layer labId enforcement: ensureLabId middleware
• Laboratory member permission verification

4. Multi-Tenant Data Isolation

LabAnimal employs a strict multi-tenant isolation architecture:

• Database layer: PostgreSQL RLS policies ensure row-level isolation
• API layer: each request automatically injects labId, preventing cross-tenant access
• Application layer: frontend components filter data by labId
• Audit layer: all operations logged in audit trail with labId

5. Audit Trail

To meet 21 CFR Part 11 compliance requirements, we have implemented a complete audit trail:

• AuditLog model: records all data changes
• SHA-256 hash chain: each audit record includes the hash of the previous record, preventing tampering
• Electronic signatures: supports what-you-see-is-what-you-sign electronic signatures
• Report signing: PDF reports can embed RSA signatures and QR codes

6. Infrastructure Security

6.1 Hosting Environment

• Frontend deployed on Vercel (global CDN, automatic DDoS protection)
• API server deployed on a secure cloud server
• PostgreSQL database uses a dedicated instance

6.2 Network Security

• CORS configuration: multi-domain allowlist
• Request rate limiting
• Input validation (Zod schema)
• SQL injection protection (Prisma ORM parameterized queries)

7. Compliance Standards

LabAnimal was designed with the following compliance standards in mind:

• 21 CFR Part 11: electronic records and electronic signatures
• AVMA Guidelines 2020: euthanasia method validation
• NRC Guide 2011: cage density calculations
• AAALAC: audit preparation features

8. Open-Source Transparency

LabAnimal's core code is open-source under the Apache-2.0 license, which means:

• Anyone can review our security implementation
• Security vulnerabilities can be discovered and reported by the community
• Code auditing and verification are fully transparent
• No hidden backdoors or malicious code