> ## Documentation Index
> Fetch the complete documentation index at: https://docs.uselayerup.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Deployment Options

> Choose how Layerup AI Agents are hosted and operated: on-premises in your own data center, in your private cloud account, or in Layerup's dedicated HIPAA-compliant cloud. All three are legally permissible under HIPAA.

# Deployment Options — on-premises, private cloud, or Layerup-hosted cloud.

Layerup AI Agents can be deployed in three distinct hosting models. The right choice depends on your organization's IT capacity, data sovereignty requirements, regulatory posture, and — critically — how quickly you want to go live. All three models satisfy HIPAA requirements when the appropriate contractual and technical controls are in place.

| dimension                  | On-Premises             | Your Private Cloud                         | Layerup's Cloud                      |
| -------------------------- | ----------------------- | ------------------------------------------ | ------------------------------------ |
| **Infrastructure owner**   | You (your data center)  | You (your AWS / Azure account)             | Layerup                              |
| **Who provisions servers** | Your IT team            | Your cloud team                            | Layerup                              |
| **Data residency**         | Fully on-site           | Your cloud VPC / VNet                      | Layerup's dedicated isolated cluster |
| **AI compute (GPUs)**      | Your hardware           | Your cloud instances                       | Layerup-managed                      |
| **Time to go live**        | Longest                 | Moderate                                   | Fastest                              |
| **HIPAA instrument**       | BAA required            | BAA required                               | BAA required                         |
| **IT burden on your team** | Highest                 | High                                       | Lowest                               |
| **Recommended for**        | Strict on-site mandates | Existing cloud maturity + data sovereignty | Fastest path to production           |

***

## Option 1 — On-premises deployment

In an on-premises deployment, the Layerup agent container runs entirely within your own physical data center. No cloud provider is involved. Your infrastructure team provisions the servers, networking, storage, and GPU compute required to run the agent and its LLM inference layer.

<CardGroup cols={2}>
  <Card title="Data stays on-site" icon="building">
    All application data, inference calls, and audit logs remain within your physical facility. Nothing leaves your network perimeter — not to Layerup, not to a cloud provider.
  </Card>

  <Card title="Full infrastructure control" icon="sliders">
    Your team configures every layer: compute, networking, identity, encryption,
    and logging. You are not dependent on any third-party cloud service being
    available.
  </Card>

  <Card title="AI compute requirement" icon="microchip">
    LLM inference requires GPU hardware. Many on-premises environments are
    optimized for standard database and application workloads, not
    high-performance AI compute. Provisioning the right GPU infrastructure is
    typically the longest lead-time item in an on-premises deployment.
  </Card>

  <Card title="Timeline reality" icon="clock">
    Hardware procurement, rack installation, network configuration, security audits, and internal IT approvals all run sequentially. This is the slowest path to production.
  </Card>
</CardGroup>

**When to choose on-premises:** Your organization has a hard regulatory or policy mandate that prohibits any data from being processed in a cloud environment. This is rare in 2026 — most regulated industries, including healthcare, have accepted cloud-based processing under appropriate contractual safeguards — but it remains a valid choice for organizations with strict air-gap requirements.

<Warning>
  On-premises deployments require your team to own the full operational
  lifecycle: OS patching, container image updates, GPU driver management, and
  availability SLAs. Layerup provides the agent software and deployment
  guidance, but your infrastructure team is the operator. Factor this into your
  resourcing plan.
</Warning>

***

## Option 2 — Your private cloud (customer-hosted VPC)

In this model, the Layerup agent runs entirely within your own cloud account — your AWS VPC or your Azure VNet. Your organization owns and manages the cloud infrastructure; Layerup delivers the agent container image through the cloud marketplace into your private registry, and the agent runs exclusively inside your network boundary.

This is the model described in full detail throughout the remainder of this documentation. See [Native VPC Deployment Paradigm](/agents/deployment/paradigm) for the complete architectural specification.

<CardGroup cols={2}>
  <Card title="Sovereign tenancy" icon="shield-halved">
    All compute, storage, inference calls, and audit logs live inside your own cloud account. Your IAM, your encryption keys, your CloudWatch or Azure Monitor — the agent operates entirely within the controls you already own.
  </Card>

  <Card title="Zero-egress data residency" icon="lock">
    Application data never leaves your cloud boundary. LLM inference is routed
    through Amazon Bedrock or Azure OpenAI within your cloud tenant — not through
    any Layerup-controlled endpoint.
  </Card>

  <Card title="IT provisioning required" icon="server">
    Your cloud team must provision the execution environment (Bedrock AgentCore,
    ECS Fargate, AKS, or Azure Container Apps), configure VPC networking, IAM
    roles, and any required GPU-capable instance types. This takes real
    coordination with your internal platform team.
  </Card>

  <Card title="Timeline reality" icon="clock">
    Go-live depends on your cloud team's availability, internal security review processes, and the maturity of your existing cloud-native infrastructure. Healthcare organizations with slower IT approval cycles typically take longer.
  </Card>
</CardGroup>

**When to choose your private cloud:** Your organization has existing AWS or Azure infrastructure, a capable cloud platform team, and a data sovereignty requirement that data must reside within your own cloud account — but you do not need full on-premises operation.

***

## Option 3 — Layerup's cloud (Layerup-hosted dedicated cluster)

In this model, Layerup provisions and operates a fully isolated, single-tenant cluster in Layerup's own HIPAA-compliant AWS environment — dedicated exclusively to your organization. Your data does not share compute, storage, networking, or any infrastructure with other Layerup customers. You access the agent through a secure, authenticated API endpoint; Layerup owns the infrastructure footprint.

<CardGroup cols={2}>
  <Card title="Fastest path to production" icon="rocket">
    Because Layerup controls the infrastructure, provisioning is not blocked by your IT team's backlog. There is no hardware procurement, no internal firewall request queue, no GPU provisioning delay. This is the fastest path to production.
  </Card>

  <Card title="Single-tenant isolation" icon="diagram-cells">
    Your dedicated cluster is physically and logically isolated from every other
    customer. Separate VPC, separate compute, separate storage buckets, separate
    encryption keys. Your PHI does not mix with any other customer's data at any
    layer.
  </Card>

  <Card title="HIPAA-compliant by default" icon="file-medical">
    Layerup's cloud environment is HIPAA-compliant. We sign a Business Associate
    Agreement (BAA) with your organization, legally binding us to HIPAA's Security
    and Privacy Rules — encryption at rest and in transit, audit logging, breach
    notification within 60 days, and minimum necessary access. Your obligation is
    the BAA; the infrastructure compliance is Layerup's responsibility.
  </Card>

  <Card title="Lowest IT burden" icon="gauge-high">
    Your IT team is not responsible for provisioning, patching, scaling, or maintaining any infrastructure. Layerup handles all updates, monitoring, and incident response. Your team integrates with the agent via a stable API, not an infrastructure deployment.
  </Card>
</CardGroup>

**When to choose Layerup's cloud:** Your primary goal is the fastest possible go-live, and your data sovereignty requirement is satisfied by a dedicated single-tenant cluster with a BAA in place. This is the recommended choice for most healthcare customers who want a SaaS-like experience without the AI infrastructure burden.

***

## Business Associate Agreement (BAA)

A BAA is required before any Layerup AI Agent deployment can process Protected Health Information. This applies to all three deployment options — including Option 2, where the agent runs entirely within your own AWS account.

### What a BAA is

A Business Associate Agreement is a legally binding contract under HIPAA § 164.504(e) between a Covered Entity (your organization, as a health insurer) and a Business Associate (Layerup, as a service provider that handles PHI on your behalf). The BAA is not optional — HIPAA requires it any time PHI is disclosed to a service provider, regardless of where that service provider's infrastructure is located.

### What the BAA commits Layerup to

| obligation                | specifics                                                                                                                                       |
| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| **Encryption**            | PHI encrypted at rest (AES-256) and in transit (TLS 1.3) at all times                                                                           |
| **Access controls**       | PHI accessible only to Layerup personnel with a documented need — and only during the deployment engagement; no persistent access in production |
| **Audit logging**         | All access to PHI logged and retained for a minimum of 6 years                                                                                  |
| **Breach notification**   | Written notification to your organization within **60 days** of discovery of a breach involving your PHI                                        |
| **Minimum necessary use** | PHI used only to perform the contracted agent services — never for model training, product improvement, or any purpose outside the SOW          |
| **Subcontractor BAAs**    | Layerup executes BAAs with all subcontractors (including AWS) who may have access to PHI in connection with your deployment                     |
| **Return or destruction** | Upon contract termination, all PHI in Layerup's possession is returned to you or securely destroyed within 30 days                              |

### What the BAA commits your organization to

* Providing only the minimum necessary PHI required for the agent to perform its underwriting function
* Notifying Layerup promptly if you become aware of a breach or potential breach involving data processed by the agent
* Ensuring your team uses the agent only in accordance with the permitted purposes in the BAA and SOW

***

## Choosing the right option — decision guide

```mermaid theme={null}
flowchart TD
  A[Start: What is your primary constraint?] --> B{Hard requirement: data must\nnever leave our data center}
  B -->|Yes| C[Option 1: On-Premises\nYour hardware, your network,\nfull air-gap]
  B -->|No| D{Do you require data to\nreside in your own cloud account\ne.g. AWS / Azure?}
  D -->|Yes| E[Option 2: Your Private Cloud\nYour VPC, your IAM,\nyour cloud marketplace]
  D -->|No| F{Is fastest go-live your\nprimary objective?}
  F -->|Yes| G[Option 3: Layerup's Cloud\nDedicated single-tenant cluster,\nBAA, fastest deployment]
  F -->|No, we want IT control| E

  classDef opt fill:#f4f4f2,stroke:#111,color:#111;
  classDef q fill:#fafafa,stroke:#111,color:#111;
  class C,E,G opt;
  class A,B,D,F q;
```

*Fig. D0.1 — Deployment option decision tree. All three paths are HIPAA-permissible when a BAA is in place.*

***

## Comparative go-live timeline

| milestone                              | On-Premises | Your Private Cloud | Layerup's Cloud |
| -------------------------------------- | ----------- | ------------------ | --------------- |
| Hardware / account provisioning        | Longest     | Moderate           | Already done    |
| Security review and firewall approvals | Longest     | Moderate           | Layerup handles |
| GPU / AI compute provisioning          | Longest     | Moderate           | Already done    |
| BAA execution                          | Required    | Required           | Required        |
| Agent deployment and configuration     | Moderate    | Moderate           | Fastest         |
| Integration and UAT                    | Moderate    | Moderate           | Moderate        |
| **Overall path to go live**            | **Slowest** | **Moderate**       | **Fastest**     |

<Note>
  Healthcare IT deployments in a customer's private cloud environment frequently
  take longer than expected due to internal IT backlogs, security review cycles,
  and the challenge of provisioning GPU infrastructure that most healthcare
  organizations do not have in their existing cloud footprint. Layerup's cloud
  option bypasses the entire provisioning phase by eliminating the dependency on
  your IT department.
</Note>
