Data privacy (HIPAA compliance) with Apollo GraphQL Studio - Supergraph Managed Federation?

My company needs our data handling to comply with HIPAA standards; essentially, we cannot have any data stored in, touched by, or passed through any service between our client and our current Apollo monolith GraphQL server. We want to use Apollo Federation and create one supergraph (splitting our massive schema/resolver files into several independent services), and we like what Studio can provide.

Three questions:

  1. Does the data field ever get:
    a) Stored anywhere on Apollo's servers
    b) Accessed in any way by Apollo's servers (for example: data pass-through)
  2. If yes to either question above, is it possible to have Apollo Federation (supergraph) with an Apollo Router hosted by ourselves?
    a) Does this exclude Apollo Studio?
  3. Any architectural diagrams you could provide to show the different options? Pricing?


Daniel Glassford

If data cannot pass through Apollo infrastructure, then it sounds like self-hosting the router is the direction you want to head in. You still use the rest of GraphOS (e.g., schema checks), as that does not handle user data, but the actual routing happens in your infrastructure.

This page should have the information you need to understand what data is collected and where it goes. If there’s anything missing, please let us know so we can add it!
