
HIPAA-Compliant Deployment Guide

Prerequisites

  • Kubernetes cluster (on-prem or private cloud)
  • cert-manager installed
  • Encrypted storage class for volumes
  • Network policies enabled (Calico or similar CNI)

10-Step HIPAA Configuration

1. Deploy on-prem or private cloud only

```yaml
# values.yaml — no external LLM providers
aiGateway:
  env:
    OPENAI_API_KEY: ""      # Disabled
    ANTHROPIC_API_KEY: ""   # Disabled
    OLLAMA_BASE_URL: "http://ollama:11434"  # Local only
```

2. Enable TLS everywhere

```yaml
tls:
  enabled: true
  clusterIssuer: your-internal-ca
  mtls:
    enabled: true
```

3. Enable PII redaction

```yaml
aiGateway:
  env:
    PII_REDACTION_ENABLED: "true"
```

4. Configure session TTLs

```yaml
agentGateway:
  env:
    SESSION_TTL_SECS: "1800"  # 30 min max session
```

5. Configure HITL-required tools

Use the Operator Portal to mark tools as HITL-required (human-in-the-loop approval) for clinical tenants.

6. Set tenant isolation

Each department/client must be a separate tenant with independent:

  • API keys
  • Token budgets
  • Tool allowlists
  • Rate limits

7. Configure audit retention

ClickHouse tables are pre-configured with:

  • Request logs: 90-day TTL
  • AI usage logs: 365-day TTL
  • Agent audit logs: 365-day TTL
  • Webhook delivery: 90-day TTL

HIPAA requires audit records to be retained for 6 years, so override the default TTL on the agent audit table:

```sql
ALTER TABLE gateway.agent_audit_log_raw MODIFY TTL toDateTime(timestamp) + INTERVAL 2190 DAY;
```

8. Encrypt volumes at rest

```yaml
# StorageClass with encryption
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-gp3
provisioner: ebs.csi.aws.com
parameters:
  encrypted: "true"
  type: gp3
```

9. Network policies

Restrict ClickHouse, Redis, and etcd to internal traffic only:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-external-to-data
spec:
  podSelector:
    matchLabels:
      tier: data  # clickhouse, redis, etcd
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: gateway  # apisix, ai-gw, agent-gw, cp-api
```

Because the only `from` entry selects the gateway tier, this policy also blocks data-tier pods from reaching each other. If ClickHouse, Redis or etcd run clustered, add a second `from` entry selecting `tier: data` so replication and peer traffic is still allowed.

10. Regular backup + DR testing

```bash
# Daily backup cron
0 2 * * * /path/to/scripts/backup-etcd.sh /backups/etcd
0 3 * * * /path/to/scripts/backup-clickhouse.sh /backups/clickhouse
0 */1 * * * /path/to/scripts/backup-redis.sh /backups/redis
```

Test restore procedure quarterly.
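As an added example (not code from the guide or from Gatez), the following pre-deployment check takes the values.yaml from steps 1 to 4, already parsed into a dict (for instance with PyYAML), and reports every control that is not set the way those steps require; `audit_values`, `_get` and the sample dict are constructed here and the key names follow the guide.

```python
"""Check the HIPAA values.yaml controls from steps 1-4 of this guide.

Added example, not code from Gatez or the guide. Input is the values file
already parsed into a dict (e.g. with PyYAML); key names follow the guide.
"""

EXTERNAL_LLM_KEYS = ("OPENAI_API_KEY", "ANTHROPIC_API_KEY")
MAX_SESSION_TTL_SECS = 1800  # step 4: 30 minute ceiling


def _get(values, *path, default=None):
    """Walk nested dicts along path; return default if any key is missing."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_values(values):
    """Return findings as strings; an empty list means steps 1-4 are satisfied."""
    findings = []
    env = _get(values, "aiGateway", "env", default={})
    for key in EXTERNAL_LLM_KEYS:  # step 1: no external LLM providers
        if env.get(key, ""):
            findings.append(f"step 1: {key} is set; external LLM provider enabled")
    if not env.get("OLLAMA_BASE_URL"):
        findings.append("step 1: OLLAMA_BASE_URL missing; no local model endpoint")
    if _get(values, "tls", "enabled") is not True:  # step 2: TLS + mTLS on
        findings.append("step 2: tls.enabled is not true")
    if _get(values, "tls", "mtls", "enabled") is not True:
        findings.append("step 2: tls.mtls.enabled is not true")
    if str(env.get("PII_REDACTION_ENABLED", "")).lower() != "true":  # step 3
        findings.append('step 3: PII_REDACTION_ENABLED is not "true"')
    ttl = _get(values, "agentGateway", "env", "SESSION_TTL_SECS")  # step 4
    try:
        if ttl is None or int(ttl) > MAX_SESSION_TTL_SECS:
            findings.append(f"step 4: SESSION_TTL_SECS={ttl!r} missing or over {MAX_SESSION_TTL_SECS}")
    except ValueError:
        findings.append(f"step 4: SESSION_TTL_SECS={ttl!r} is not an integer")
    return findings


# Constructed sample: the guide's settings with two deliberate deviations.
SAMPLE_VALUES = {
    "aiGateway": {"env": {"OPENAI_API_KEY": "sk-placeholder", "ANTHROPIC_API_KEY": "",
                          "OLLAMA_BASE_URL": "http://ollama:11434", "PII_REDACTION_ENABLED": "true"}},
    "tls": {"enabled": True, "mtls": {"enabled": False}},
    "agentGateway": {"env": {"SESSION_TTL_SECS": "1800"}},
}
```

Run it against the rendered values of each tenant's release before go-live; any finding is a step of this guide that has been skipped.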

BAA Considerations

See baa-template.md for a Business Associate Agreement outline. Key points:

  • Gatez is self-hosted — the customer controls all PHI
  • No data leaves the customer's infrastructure
  • Gatez (the vendor) provides software, not hosting
  • The BAA covers the software license, not data processing
