SaaS Deployment Guide
This guide describes how to deploy the SaaS version of [Ai]levate, including topology, prerequisites, operations, and security responsibilities.
This guide describes how to deploy the SaaS version of [Ai]levate Revenue Recovery, where [Ai]levate manages the Cloud Services Layer, Database Storage Layer, and AI Compute Layer within Azure, while the customer manages the Relay Service Layer that connects their EHR system.
Introduction
The SaaS model is designed for customers who prefer low operational overhead: [Ai]levate provisions and operates all infrastructure components, ensures compliance with HIPAA, and enforces single-tenant isolation, while the customer only needs to provide secure connectivity to their EHR.
General Approach
The SaaS deployment follows a shared responsibility model:
-
[Ai]levate provisions and operates a dedicated Elastic datastore (encrypted-at-rest, tenant-isolated) and a dedicated AI Warehouse (Tenstorrent hardware, running [Ai]levate AI models via vLLM).
-
The Cloud Services Layer is always managed by [Ai]levate, providing orchestration, workflows, authentication, and all user-facing apps.
-
The Relay Service Layer is always hosted by the customer and connects the on-prem EHR datastore to [Ai]levate. The Relay uses outbound-only connectivity (TLS 1.2+, port 443), ensuring no inbound firewall rules are required.
This approach minimizes customer effort while guaranteeing compliance, scalability, and security.
SaaS Topology
flowchart TB
subgraph SaaS["[Ai]levate SaaS"]
S["Cloud Services Layer<br/>(Workflows, Auth, Apps)"]
C["AI Compute Layer<br/>(Dedicated AI Warehouse)"]
D["Database Storage Layer<br/>(Elastic - Encrypted, Tenant-Isolated)"]
S --> C
S --> D
end
The SaaS deployment enforces a minimal-attack-surface model as the Relay initiates all outbound traffic (443/TLS). EHR database never exposed to the Internet. It also minimize the integration effort as no inbound firewall rules required.
Technical Prerequisites
Before starting deployment, the following customer-provided items are required.
Deployment
| Need | Requirement | Notes |
|---|---|---|
| Naming | Platform name to be deployed ( <name>.ailevate.com ) | Customer can freely choose its platform name |
| Hosting | Azure Datacenter to use for the deployment | Default is east-us-2 |
Network & DNS Requirements
| Need | Requirement | Notes |
|---|---|---|
| Connectivity | Outbound HTTPS (TCP 443) connectivity to *.ailevate.com is required for the end-users accessing the application. | No inbound rules required |
| Ailevate Relay | Requirements mentioned in the Relay Service Deployment Guide | Review the guide for more details |
| [Optional] Private Link | VPN or PrivateLink connectivity instead of public TLS endpoints |
Authentication
| Need | Requirement | Notes |
|---|---|---|
| Authentication provider for web console | One of the following authentication methods must be selected: • OIDC/SAML federation (Entra ID). • Email-based Magic Link authentication. |
Administration
| Need | Requirement | Notes |
|---|---|---|
| EHR System Access | Database credentials with READ/WRITE permissions to the EHR claims datastore. Accessible SQL Server datastore (NextGen, Epic, Cerner, etc.). | Access must be validated by the customer before deployment. |
Sizing & Capacity Planning
-
Elastic datastore: Managed by [Ai]levate; no customer action required.
-
AI Warehouse: Dedicated Tenstorrent hardware per customer; managed by [Ai]levate.
-
Scaling: Handled transparently by [Ai]levate.
-
Customer relay: Lightweight VM, scaling only needed if multiple EHR instances are bridged.
Operations
In the SaaS deployment model, operational responsibilities are shared between the customer and [Ai]levate, with each party focusing on their respective domains.
The customer is responsible for maintaining the Relay Service Layer, which includes applying OS patches to the Relay VM, managing outbound firewall rules, securing and rotating SQL credentials, and periodically reviewing logs to ensure healthy connectivity to their EHR.
[Ai]levate manages the Cloud Services Layer, the Database Storage Layer, and the AI Compute Layer. This includes provisioning and scaling the Elastic datastore, operating the dedicated AI Warehouse, enforcing tenant isolation, rotating encryption keys (supporting BYOK through Azure Key Vault), and ensuring HIPAA compliance across the managed infrastructure.
flowchart TB
subgraph Customer["Customer Operations"]
C1["Maintain Relay VM<br/>(OS patches, firewall, DNS)"]
C2["Secure & rotate SQL credentials"]
C3["Monitor Relay logs & outbound traffic"]
end
subgraph Ailevate["[Ai]levate Operations"]
A1["Manage Cloud Services Layer<br/>(apps, workflows, auth)"]
A2["Operate Database Storage Layer<br/>(Elastic, encryption, BYOK)"]
A3["Operate AI Compute Layer<br/>(dedicated Tenstorrent AI Warehouse)"]
A4["Compliance & Governance<br/>(HIPAA, tenant isolation, key rotation)"]
end
Customer -->|Secure EHR integration| Ailevate
Ailevate -->|Managed SaaS platform| Customer
This separation of responsibilities ensures customers retain control over their EHR integration while benefiting from [Ai]levate’s fully managed and compliant SaaS backbone.
Security and Data Privacy
The SaaS deployment of [Ai]levate Revenue Recovery is designed around a “secure by design” model that enforces strict security controls and robust privacy protections at every layer of the platform.
flowchart TB
subgraph Customer["Customer Environment"]
EHR["EHR Datastore"]
Relay["Relay VM (Outbound-only)"]
end
subgraph Ailevate["[Ai]levate SaaS Environment (Azure)"]
Services["Cloud Services Layer (Workflows, Auth, Apps)"]
AI["AI Compute Layer (Dedicated AI Warehouse)"]
DB["Database Storage Layer (Elastic - Encrypted, Tenant-Isolated)"]
end
EHR --> Relay --> Services
Services --> AI
Services --> DB
classDef secure fill:#cce5ff,stroke:#333,stroke-width:1.5px;
classDef private fill:#e6ffe6,stroke:#333,stroke-width:1.5px;
EHR:::private
Relay:::secure
DB:::secure
AI:::secure
Services:::secure
All data is encrypted in transit and at rest using AES-256 encryption, ensuring that sensitive claim information is never exposed in plaintext. Customers may also enable Bring Your Own Key (BYOK) through Azure Key Vault, giving them additional control over encryption keys.
Data privacy is further reinforced by the separation of storage and compute. The Elastic datastore, managed by [Ai]levate, persists all structured data and metadata, while the AI Warehouse performs compute tasks without ever storing customer data. This architectural principle ensures that customer information remains confined to its dedicated storage environment.
Each customer operates in a single-tenant, logically isolated environment within the [Ai]levate SaaS platform, guaranteeing that no cross-tenant access is possible.
Access control is enforced through Role-Based Access Control (RBAC), enabling fine-grained restrictions on who can access data and what operations they can perform. Instead of copying data between systems, [Ai]levate enables secure data sharing where queries and workflows execute without exposing the underlying storage, further reducing the risk of data leakage.
Finally, the entire SaaS environment is built in alignment with HIPAA compliance requirements, ensuring that healthcare organizations can adopt the platform with confidence in its adherence to regulatory obligations.
| Control Area | Implementation in SaaS Model |
|---|---|
| Encryption | AES-256 for all data (at rest & in transit) |
| Key Management | Hierarchical per-document/service/tenant; BYOK via Azure Key Vault |
| Separation of Duties | AI Warehouse never stores data; Elastic datastore holds all persistent data |
| Tenant Isolation | Single-tenant logical isolation within [Ai]levate Azure environment |
| Access Control (RBAC) | Fine-grained role-based access down to org data & features |
| Secure Data Sharing | Queries run without direct exposure of underlying storage |
| Compliance | HIPAA supported across the SaaS environment |
Checklist (Summary)
| Responsibility | Action | Owner |
|---|---|---|
| Relay VM | Deploy Linux VM (2 vCPU, 4–8 GB RAM, 20 GB disk) | 👤 Customer |
| Networking | Allow outbound 443, LAN to SQL 1433 | 👤 Customer |
| EHR Database | Provide READ/WRITE credentials | 👤 Customer |
| Identity | Configure SSO (OIDC/SAML/Entra ID or Magic Link) | 🤝 Joint |
| Platform Infra | Provision Elastic + AI Warehouse | 🏢 Ailevate |
| Compliance | HIPAA, Encryption Everywhere, Isolation | 🏢 Ailevate |
Updated about 1 month ago