Overview
The AI Gateway is designed for teams building with sensitive data. Compliance controls are enforced at the infrastructure layer, not in application code, so your team can ship AI features without building a custom compliance stack.
If you’re building a full application, consider Aptible’s core platform for secure app and database hosting. Security and compliance guardrails are baked in and fully managed, so you can run your entire stack in a HIPAA-compliant environment without configuring it yourself. Learn more about the Aptible platform.
Compliance Controls Summary
| Control | Aptible AI Gateway |
|---|---|
| BAA coverage | One BAA covers all models and providers |
| Audit logging | Automatic. Every request and response is logged. |
| Log retention & export | Log drain support for long-term storage |
| Encryption | Enforced in transit and at rest |
| No PHI model training | Enforced at infrastructure layer |
| Key management | Scoped to environments and applications |
| Model access controls | Restrict models per environment |
HIPAA & BAA Coverage
Aptible’s BAA covers all models and capabilities accessed through the AI Gateway. A provider BAA from OpenAI or Anthropic covers the provider’s liability, but it doesn’t give you audit logging, access controls, or de-identification. Those are still your responsibility unless you route through a managed layer like Aptible.
To get a BAA with Aptible, contact Aptible Support.
LLM Keys used in a shared-stack environment are also covered under the BAA, unlike Aptible’s core platform (app and database hosting), where HIPAA workloads require a dedicated stack. You don’t need a dedicated stack to send PHI through the AI Gateway.
Audit Logging
Every LLM request and response is automatically logged with no configuration required. Logs include full request and response payloads, token usage, model, cost, and timestamp. Logs are available in the Aptible dashboard for 7 days and can be drained to external systems for long-term retention.
This gives you the visibility needed to answer security questionnaires, support incident investigations, and demonstrate PHI handling during audits.
See Audit Logging for details on viewing logs and configuring log drains.
Encryption
All data is encrypted in transit (TLS) and at rest. This applies to all LLM requests, responses, and stored logs.
No PHI Training
LLM providers accessed through the AI Gateway are contractually prohibited from retaining or using your data, including PHI, for model training. This is enforced at the infrastructure layer, not just by relying on provider policy.
Key Management & Access Controls
API keys are scoped to environments, giving you control over which applications and teams can call which models. Model access policies let you restrict which models are available within each environment, so you can prevent unauthorized use of specific providers or model versions.
See Model Access Policies for details.
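The two controls described above (API keys scoped to one environment, and a per-environment model allowlist) together with the audit fields listed under Audit Logging, modelled as an added Python example; the key ids, model names, prices and function names are constructed for illustration and are not Aptible's API or policy format.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical ids, not Aptible's real format):
# each API key is scoped to exactly one environment ...
KEY_SCOPES = {"key_prod_a1": "production", "key_dev_b2": "development"}
# ... and each environment has its own model access policy (allowlist).
MODEL_ACCESS_POLICY = {
    "production": {"providerA/model-large", "providerB/model-v2"},
    "development": {"providerA/model-small"},
}
# Constructed per-1K-token (input, output) prices, used for the cost field.
PRICE_PER_1K = {"providerA/model-large": (0.005, 0.015),
                "providerA/model-small": (0.0005, 0.0015),
                "providerB/model-v2": (0.003, 0.015)}
AUDIT_LOG = []  # one record per request, allowed or denied

def authorize(api_key, model):
    """Check the key's environment scope, then that environment's model policy."""
    env = KEY_SCOPES.get(api_key)
    if env is None:
        return False, "unknown key"
    if model not in MODEL_ACCESS_POLICY.get(env, set()):
        return False, f"{model} not permitted in {env}"
    return True, env

def record(env, model, decision, request, response="", p_tok=0, c_tok=0):
    """Build the audit record with the fields the page lists for every call."""
    price_in, price_out = PRICE_PER_1K.get(model, (0.0, 0.0))
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
             "environment": env, "model": model, "decision": decision,
             "request": request, "response": response,
             "prompt_tokens": p_tok, "completion_tokens": c_tok,
             "cost_usd": round((p_tok * price_in + c_tok * price_out) / 1000, 6)}
    AUDIT_LOG.append(entry)
    return entry

def gateway_request(api_key, model, prompt, backend):
    """Authorize, forward to the provider, and log the outcome either way."""
    ok, info = authorize(api_key, model)
    if not ok:  # denied calls are logged too; nothing reaches the provider
        record(KEY_SCOPES.get(api_key, "-"), model, "deny: " + info, prompt)
        return None
    reply, p_tok, c_tok = backend(model, prompt)
    record(info, model, "allow", prompt, reply, p_tok, c_tok)
    return reply

def fake_backend(model, prompt):
    """Stand-in provider (constructed): echoes the prompt and reports token counts."""
    return f"[{model}] {prompt}", len(prompt.split()), 2
```

A request with a development key for a production-only model is refused before any provider traffic, and the denial itself lands in the audit log with the same fields as an allowed call.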