SATRE and the Aridhia DRE

A SATRE Compliant Trusted Research Environment

In a market as diverse as TRE provision, which spans open source and commercial products, self-maintained and managed services, a shared standard matters. This page covers what SATRE is, why it was developed, and how the Aridhia DRE measures up against it.

What is SATRE?

Standard Architecture for a Trusted Research Environment (SATRE) was developed by DARE UK to provide an open specification that all Trusted Research Environment (TRE) providers could evaluate themselves against.

Why is it important?

Before SATRE, there was no common standard against which TRE providers could be assessed. A data custodian evaluating platforms had no consistent framework for comparing security claims, governance approaches, or operational capabilities across providers - whether commercial or open source, managed or self-maintained.

That matters because the consequences of getting it wrong are significant. Sensitive health data, personal records, and proprietary research datasets all depend on the environments that hold them being genuinely trustworthy and not just compliant on paper.

SATRE addresses this by providing an open specification that any Trusted Research Environment provider can evaluate themselves against. It covers not just the technical infrastructure but the full range of capabilities required to run a TRE responsibly such as information governance, data management, and the supporting services that determine whether a platform is sustainable and usable in practice, not just secure in principle.

The 4 Pillars of SATRE

Information Governance

The Information Governance pillar sets out what a TRE operator must do to keep information risk within acceptable bounds. Because no two TREs operate in identical contexts because the data they hold, the research they support, and the regulatory environments they operate within all differ, the specification acknowledges that governance requirements will vary. They may be driven by national legislation, sector-specific regulation, or the contractual requirements of individual data owners and institutional partners

Full Specification

Computing Technology

Computing technology requirements in a TRE are determined by several intersecting factors. Governance obligations set the baseline for security controls. Researcher expertise and the type of work being conducted shape what tooling and environments the platform must support because the requirements of a data scientist and a clinician rarely overlap. And the compute capacity a TRE needs to provide scales with both the volume of data it holds and the complexity of the research methods being applied to it.

Full Specification

Data Management

Data Management in SATRE addresses the full lifecycle of data within a TRE from classification and ingress through to output disclosure and long-term archiving. Operators must demonstrate that data enters and leaves the environment only through governed, approved processes, that access is granted on a least-privilege basis with individual user accounts and multi-factor authentication enforced throughout, and that outputs are subject to documented disclosure control before leaving the secure boundary.

The pillar also covers metadata provision and discoverability, the ability to configure security controls appropriate to the sensitivity of individual projects, and the retention of archived data in accessible, standards-compliant formats.

Full Specification

Supporting Capabilities

Supporting Capabilities covers the operational layer beneath a TRE's technical infrastructure, the organisational capabilities a provider must demonstrate to run a sustainable, professionally managed environment. Requirements range from business continuity and project management through to financial transparency, IT service management, and public engagement. Legal capability is also addressed, with providers expected to maintain access to advice on data protection, contract management, and the handling of data sharing agreements.

The pillar's scope reflects a core principle of the SATRE specification: that the trustworthiness of a TRE depends not just on what the platform does, but on how the organisation behind it operates.

Full Specification

Podcast Episode: Standard Architecture for Trusted Research Environments (SATRE)

In the second episode of Trusted Research Conversations, we're joined by two of the people closest to the development of SATRE - Tim Machin from UCL and Dr Christian Cole from the University of Dundee to discuss how the specification came to exist, what it has achieved, and where it needs to go next.

Listen Now

Aridhia and SATRE

Aridhia was the first commercial TRE provider to score itself publicly against the SATRE specification. We have done so every year since the standard was introduced, reviewing our score against each pillar, updating it to reflect platform improvements, and publishing the results in full. The reasons we do this are detailed below.

Transparency

Transparency builds trust, and trust is fundamental when handling sensitive research data. Publishing our SATRE assessment openly is one of the most direct ways we can demonstrate that the Aridhia DRE meets the governance, security, and operational standards that data custodians, ethics committees, and research institutions require. Not through assertion, but through evidence.

We also believe that transparency at the provider level raises standards across the sector. If TRE providers are willing to share their assessments publicly, data custodians gain a consistent basis for comparison and evaluation. Procurement teams have something concrete to scrutinise. And the broader research community benefits from a clearer picture of what good TRE provision actually looks like in practice.

By contributing our scores to that public record, we hope to encourage other operators both commercial and academic, to do the same.

Self-improvement

Many of the capabilities outlined in SATRE have been core to the Aridhia DRE from the beginning, shaped by real-world requirements from research hospitals, global consortia, and pharmaceutical organisations working with highly sensitive health data. In that sense, the specification reflects much of what we have learned over more than fifteen years of building and operating secure research environments.

But the value of a standard like SATRE is not simply in confirming what a provider already does well. It surfaces gaps, where requirements have evolved, where the expectations of data custodians and researchers have moved ahead of existing practice, or where the specification identifies controls that had not previously been formalised. Each annual assessment gives us a structured opportunity to identify those gaps and address them.

It also keeps us honest. Self-assessment against a published standard, with the results made public, creates accountability that internal review alone cannot. Our score improves because the platform improves, and the platform improves because the score is published.

Our SATRE Scores

The scores below represent Aridhia's 2026 assessment of the DRE against the full SATRE specification. We have conducted this assessment annually since the specification was introduced, updating our scores to reflect platform improvements, changes to the standard, and the evolving requirements of the research environments we support.

SATRE assessments are self-reported. We believe that self-assessment against a public standard with the methodology transparent and the results published, is more useful and more honest than a binary compliance claim. It shows where we score well, where gaps remain, and what we have done between assessments to address them.

Computing Technology and Information Security

Computing Technology and Information Security sets out the technical standards a TRE must meet across three broad areas: infrastructure: covering deployment, configuration, and maintenance; compute: covering the processing capacity available to researchers; and software: covering tooling availability, accessibility, and the programmatic security measures that prevent data from being misused or removed from the environment without authorisation

Scoring:

We have increased our score in this section in 2026 by one point, and are now scoring the DRE at 120 out of 122.

Previously users had a somewhat restricted and audited ability to cut and paste data from a workspace, this has been improved by introducing a new video streaming technology for all in built containerised apps and collabora online software. This allows for ‘copy in’ but prevents ‘copy out’ to the desktop.

120 / 122

Information Governance

Information Governance in SATRE is defined largely in organisational rather than technical terms. The section addresses what a TRE provider must do, not just what the platform must do. it covers regulatory compliance obligations, training provision, and the policies and procedures that underpin platform auditing and risk management.

Scoring:

We added one additional point to our Information Governance score this year as we have now automated our quality management tasks, this brings our score to 79 out of 80. In addition we continue to annually certify the DRE against a number of recognised international standards including ISO27001 and HITRUST. We have continued to develop our Tenant Analytics, providing users with more insight than ever before into how the platform is being used, and we are constantly updating and developing our training materials to ensure they are as user friendly as possible.

79 / 80

Data Management

Of the four SATRE pillars, Data Management is among the most wide-ranging. Requirements span from specific access control policies, individual user accounts are mandatory, through to broader platform expectations around metadata discovery. The section also covers user authentication, secure and legally compliant data transfer, and the governance and technical controls a TRE must demonstrate around data access

Scoring:

We have increased out score by 5 points in this area to 59 out of 62. There are a few notable developments that have resulted in this increase. We integrated SACRO libraries natively within the DRE accessible from R and python. We have also integrated the SACRO webapp as an optional app for users, allowing data files to be risk assessed, reviewed and commented on before airlock export. Additionally, a new read-only ‘reviewer’ role has been added to workspaces, allowing independent reviewers from outside of a project to inspect and approve outputs before egress.

59 / 62

Supporting Services

Supporting Services is the most operationally focused of the four SATRE pillars, addressing the professional and organisational capabilities a TRE provider must have in place alongside its technical infrastructure. Requirements cover project management, business continuity, ongoing operational support for software and infrastructure, and legal expertise covering data protection and contractual obligations

Scoring:

There is no update to our Supporting Services score for 2026, we continue to provide our customers with dedicated project management support, and a full-time service desk. We remain committed to providing our customers with a transparent of their costs and strive to provide our services as efficiently and cost effectively as possible.

30 / 30

Resources

Paper Assessing the Aridhia DRE against the SATRE specification for 2026

This paper scores the Aridhia DRE against the four sections of the SATRE specification for 2026.

Article SATRE 2026: Information Governance

The Aridhia DRE scores 79 out of 80 for SATRE 2026 Information Governance — up from 78 in 2025. Ross Stiven covers what the section requires and what changed.

Article SATRE 2026: Computing Technology and Information Security

The Aridhia DRE scores 120 out of 122 for SATRE 2026 Computing Technology and Information Security — up from 119 in 2025. Ross Stiven covers what changed.

Article SATRE 2026: Supporting Services

Aridhia DRE scores 30/30 for SATRE 2026 Supporting Services — a full score held from 2025, covering project management, service desk, and business continuity.

Article SATRE 2026: Data Management

Aridhia DRE scores 59/62 for SATRE 2026 Data Management — up 5 points from 2025, driven by native SACRO integration and a new independent reviewer role.

Article SATRE: How the Aridhia DRE Goes Beyond the Specification

How the Aridhia DRE goes beyond SATRE: FAIR metadata catalogue, configurable DAR workflows, Cohort Builder, pre-installed tooling, and federated analytics.