Deployment Options — on-premises, private cloud, or Layerup-hosted cloud.
Layerup AI Agents can be deployed in three distinct hosting models. The right choice depends on your organisation’s IT capacity, data sovereignty requirements, regulatory posture, and — critically — how quickly you want to go live. All three models satisfy HIPAA requirements when the appropriate contractual and technical controls are in place.
| dimension | On-Premises | Your Private Cloud | Layerup’s Cloud |
|---|---|---|---|
| Infrastructure owner | You (your data centre) | You (your AWS / Azure account) | Layerup |
| Who provisions servers | Your IT team | Your cloud team | Layerup |
| Data residency | Fully on-site | Your cloud VPC / VNet | Layerup’s dedicated isolated cluster |
| AI compute (GPUs) | Your hardware | Your cloud instances | Layerup-managed |
| Time to go live | Longest | Moderate | Fastest |
| HIPAA instrument | BAA required | BAA required | BAA required |
| IT burden on your team | Highest | High | Lowest |
| Recommended for | Strict on-site mandates | Existing cloud maturity + data sovereignty | Fastest path to production |
Option 1 — On-premises deployment
In an on-premises deployment, the Layerup agent container runs entirely within your own physical data centre. No cloud provider is involved. Your infrastructure team provisions the servers, networking, storage, and GPU compute required to run the agent and its LLM inference layer.
Data stays on-site
All application data, inference calls, and audit logs remain within your physical facility. Nothing leaves your network perimeter — not to Layerup, not to a cloud provider.
Full infrastructure control
Your team configures every layer: compute, networking, identity, encryption,
and logging. You are not dependent on any third-party cloud service being
available.
AI compute requirement
LLM inference requires GPU hardware. Many on-premises environments are
optimised for standard database and application workloads, not
high-performance AI compute. Provisioning the right GPU infrastructure is
typically the longest lead-time item in an on-premises deployment.
Timeline reality
Hardware procurement, rack installation, network configuration, security audits, and internal IT approvals all run sequentially. This is the slowest path to production.
Option 2 — Your private cloud (customer-hosted VPC)
In this model, the Layerup agent runs entirely within your own cloud account — your AWS VPC or your Azure VNet. Your organisation owns and manages the cloud infrastructure; Layerup delivers the agent container image through the cloud marketplace into your private registry, and the agent runs exclusively inside your network boundary. This is the model described in full detail throughout the remainder of this documentation. See Native VPC Deployment Paradigm for the complete architectural specification.
Sovereign tenancy
All compute, storage, inference calls, and audit logs live inside your own cloud account. Your IAM, your encryption keys, your CloudWatch or Azure Monitor — the agent operates entirely within the controls you already own.
Zero-egress data residency
Application data never leaves your cloud boundary. LLM inference is routed
through Amazon Bedrock or Azure OpenAI within your cloud tenant — not through
any Layerup-controlled endpoint.
IT provisioning required
Your cloud team must provision the execution environment (Bedrock AgentCore,
ECS Fargate, AKS, or Azure Container Apps), configure VPC networking, IAM
roles, and any required GPU-capable instance types. This takes real
coordination with your internal platform team.
Timeline reality
Go-live depends on your cloud team’s availability, internal security review processes, and the maturity of your existing cloud-native infrastructure. Healthcare organisations with slower IT approval cycles typically take longer.
Option 3 — Layerup’s cloud (Layerup-hosted dedicated cluster)
In this model, Layerup provisions and operates a fully isolated, single-tenant cluster in Layerup’s own HIPAA-compliant AWS environment — dedicated exclusively to your organisation. Your data does not share compute, storage, networking, or any infrastructure with other Layerup customers. You access the agent through a secure, authenticated API endpoint; Layerup owns the infrastructure footprint.
Fastest path to production
Because Layerup controls the infrastructure, provisioning is not blocked by your IT team’s backlog. There is no hardware procurement, no internal firewall request queue, no GPU provisioning delay. This is the fastest path to production.
Single-tenant isolation
Your dedicated cluster is physically and logically isolated from every other
customer. Separate VPC, separate compute, separate storage buckets, separate
encryption keys. Your PHI does not mix with any other customer’s data at any
layer.
HIPAA-compliant by default
Layerup’s cloud environment is HIPAA-compliant. We sign a Business Associate
Agreement (BAA) with your organisation, legally binding us to HIPAA’s Security
and Privacy Rules — encryption at rest and in transit, audit logging, breach
notification within 60 days, and minimum necessary access. Your obligation is
the BAA; the infrastructure compliance is Layerup’s responsibility.
Lowest IT burden
Your IT team is not responsible for provisioning, patching, scaling, or maintaining any infrastructure. Layerup handles all updates, monitoring, and incident response. Your team integrates with the agent via a stable API, not an infrastructure deployment.
Business Associate Agreement (BAA)
A BAA is required before any Layerup AI Agent deployment can process Protected Health Information. This applies to all three deployment options — including Option 2, where the agent runs entirely within your own AWS account.
What a BAA is
A Business Associate Agreement is a legally binding contract under HIPAA § 164.504(e) between a Covered Entity (your organisation, as a health insurer) and a Business Associate (Layerup, as a service provider that handles PHI on your behalf). The BAA is not optional — HIPAA requires it any time PHI is disclosed to a service provider, regardless of where that service provider’s infrastructure is located.
What the BAA commits Layerup to
| obligation | specifics |
|---|---|
| Encryption | PHI encrypted at rest (AES-256) and in transit (TLS 1.3) at all times |
| Access controls | PHI accessible only to Layerup personnel with a documented need — and only during the deployment engagement; no persistent access in production |
| Audit logging | All access to PHI logged and retained for a minimum of 6 years |
| Breach notification | Written notification to your organisation within 60 days of discovery of a breach involving your PHI |
| Minimum necessary use | PHI used only to perform the contracted agent services — never for model training, product improvement, or any purpose outside the SOW |
| Subcontractor BAAs | Layerup executes BAAs with all subcontractors (including AWS) who may have access to PHI in connection with your deployment |
| Return or destruction | Upon contract termination, all PHI in Layerup’s possession is returned to you or securely destroyed within 30 days |
What the BAA commits your organisation to
- Providing only the minimum necessary PHI required for the agent to perform its underwriting function
- Notifying Layerup promptly if you become aware of a breach or potential breach involving data processed by the agent
- Ensuring your team uses the agent only in accordance with the permitted purposes in the BAA and SOW
Why the BAA is required even for Option 2
In Option 2, the agent container runs in your AWS account. However, Layerup is involved in the deployment engagement — our implementation engineers assist with configuration, troubleshooting, and AOP development. During this engagement, Layerup personnel may have access to systems that process PHI. The BAA governs this access and provides the legal framework for that involvement. After go-live, Layerup’s access is revoked entirely — but the BAA remains in place as a standing instrument for ongoing support interactions.
Execution timeline
| BAA type | typical timeline |
|---|---|
| Layerup standard BAA (Layerup’s template) | 5–10 business days from delivery to countersignature |
| Customer-form BAA (your organisation’s template) | Dependent on your legal team’s review cycle — Layerup will review and respond within 10 business days of receipt |
Who signs
Layerup’s BAA is executed by Layerup’s VP of Legal and countersigned by your organisation’s designated BAA signatory (typically a Privacy Officer, Legal Counsel, or VP-level signatory with authority to bind your organisation to HIPAA business associate obligations).
BAA execution can begin in parallel with the technical deployment scoping — you do not need to wait for the technical engagement to start before initiating the BAA. Contact your Layerup account team to receive the standard BAA template.
Choosing the right option — decision guide
Fig. D0.1 — Deployment option decision tree. All three paths are HIPAA-permissible when a BAA is in place.
Comparative go-live timeline
| milestone | On-Premises | Your Private Cloud | Layerup’s Cloud |
|---|---|---|---|
| Hardware / account provisioning | Longest | Moderate | Already done |
| Security review and firewall approvals | Longest | Moderate | Layerup handles |
| GPU / AI compute provisioning | Longest | Moderate | Already done |
| BAA execution | Required | Required | Required |
| Agent deployment and configuration | Moderate | Moderate | Fastest |
| Integration and UAT | Moderate | Moderate | Moderate |
| Overall path to go live | Slowest | Moderate | Fastest |
Healthcare IT deployments in a customer’s private cloud environment frequently
take longer than expected due to internal IT backlogs, security review cycles,
and the challenge of provisioning GPU infrastructure that most healthcare
organisations do not have in their existing cloud footprint. Layerup’s cloud
option bypasses the entire provisioning phase by eliminating the dependency on
your IT department.

