Data privacy (HIPAA compliance) with Apollo GraphQL Studio - Supergraph Managed Federation?

My company needs our data handling to comply with HIPAA standards, essentially we cannot have any data stored/touched/passthrough any service between our client and our current Apollo Monolith GraphQL server. We want to use Apollo federation and create one supergraph (splitting our massive schema/resolvers files into several independent services), we like what studio can provide.

Three questions:

  1. Does the data field ever get:
    a) Stored anywhere on Apollos servers
    b) Accessed in any way by Apollos servers (for example: data pass through)
  2. If yes to either question above, is it possible to have Apollo federation (supergraph) with an Apollo Router hosted ourselves?
    a) Does this exclude Apollo Studio?
  3. Any architectural diagrams you could provide to show the different options? Pricing?

Kindly,

Daniel Glassford

If data can not pass through Apollo infrastructure, than it sounds like self-hosting router is the direction you want to head in. You still use the rest of GraphOS (e.g., schema checks) as that does not handle user data, but the actual routing happens in your infrastructure.

This page should have the information you need to understand what data is collected and where it goes. If there’s anything missing, please let us know so we can add it!

1 Like

Hi @dylan I’m a little confused by what “self-hosting router” actually implies, and what makes this solution an enterprise feature (as stated in the Apollo docs).

Suppose you have a custom federated gateway built with the @apollo/gateway package, with support for e.g. integrated tracing, subscriptions, multipart requests and a bunch of other customised features.

Under what is now called the Legacy Free plan this could be self-hosted and could also benefit from the use of managed federation (aka managed mode).

But as I understand it the “replacement” plan Serverless(free) doesn’t support customized routers/gateways (there seems to be an upcoming Dedicated plan that promises router customization and scripting, but that’s not yet available and whether it can meet specific customization needs is unknown) so the only option is to stick with the self-hosted architecture.

What I don’t get is at what point does self-hosted become an Enterprise feature?

  • Is it as soon as any “centralised” GraphOS services (such as schema checks) are used?
  • If I don’t want to go Enterprise, but I need a custom router/gateway, can I still use managed federation, or do I have to resort to manual schema composition?

Thanks for your patience on this, I think I have enough concrete info to answer your specific questions:

Is it as soon as any “centralised” GraphOS services (such as schema checks) are used?

Yes, if you are self-hosting your routers and want GraphOS services, you will need an Enterprise plan. There are no plans to open GraphOS features to non-Enterprise-self-hosted routers.

If I don’t want to go Enterprise, but I need a custom router/gateway, can I still use managed federation, or do I have to resort to manual schema composition?

You cannot use Apollo’s managed federation with self-hosted routers unless you have an Enterprise license. You would need to do manual composition or find an alternative method for managed federation.


If you’re able, the more info you’re able to share about your eventual solution, the better! We can feed back everything we learn as suggestions for future improvements. Specifically:

  1. If you need self-hosting, what are the specific reasons (e.g., are there specific customizations that we might prioritize making available via serverless/dedicated)?
  2. If you choose not to go Enterprise, why not? What alternative did you take?
  3. If you do end up on Enterprise, what were your hesitations and how did we solve them?

I’m still pulling some threads in anticipation of future questions, and hoping to have a docs article or blog post explaining the plans and their motivations more clearly soon! Your feedback will definitely shape that work, so thanks!

Thanks @dylan - I will message you directly with some answers to those questions.