HIPAA Compliance and Full Isolation from Plasmic Servers

Hi everyone,
Apologies for asking again.
We’re looking to make our application HIPAA compliant, and we’re considering using Plasmic due to its ability to streamline our tech stack.
However, I noticed that even when deploying Plasmic to our own codebase, our application will still communicate with Plasmic’s servers through its headless API.
Is there a way to fully isolate our app so that it doesn’t need to interact with Plasmic servers? Any guidance would be appreciated!

Hi @Zaj, you can set up your site with static builds. A few things to check:

  • Make sure you are using static rendering instead of server-side rendering or client-side rendering.

  • Make sure you have preview mode disabled.

  • Make sure you have disabled incremental static revalidation, by removing the revalidate parameter.

Once these are set, then the only communication with Plasmic servers will be for image optimization, which you can opt out of, and for analytics. Analytics does not collect IPs or set cookies, but if you need this disabled as well, this is something we can accommodate on our Scale plans. Feel free to let me know if you decide to go down that route, and our team can set this for you.

I should also mention that another option you have is to use codegen instead of the headless api, since codegen has no tracking enabled, but going down that path will require you to perform much more manual management of files and synchronization.
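The three checks above (static rendering, preview mode off, no revalidate) can be audited mechanically before a build. The following is an added example, not code from Plasmic or from anyone in this thread: it scans Next.js source files for the patterns that would pull a page back into runtime contact with Plasmic servers, using constructed sample sources rather than a real project.

```python
"""Audit Next.js sources for the static-build checklist: no SSR, no ISR, no preview mode."""
import re
from typing import Dict, List

# Constructed sample files (not from a real project). Project id and token are placeholders.
SAMPLE_FILES: Dict[str, str] = {
    "plasmic-init.ts": (
        "import { initPlasmicLoader } from '@plasmicapp/loader-nextjs';\n"
        "export const PLASMIC = initPlasmicLoader({\n"
        "  projects: [{ id: 'PROJECT_ID_PLACEHOLDER', token: 'TOKEN_PLACEHOLDER' }],\n"
        "  preview: true,\n"  # preview mode: fetches live data at request time
        "});\n"
    ),
    "pages/index.tsx": (
        "export const getStaticProps = async () => {\n"
        "  const data = await PLASMIC.fetchComponentData('Home');\n"
        "  return { props: { data }, revalidate: 60 };\n"  # ISR: periodic re-fetch after deploy
        "};\n"
    ),
    "pages/about.tsx": "export const getServerSideProps = async () => ({ props: {} });\n",
    "pages/contact.tsx": "export const getStaticProps = async () => ({ props: {} });\n",
}

# Each check is (finding label, pattern). A match means the page is not fully static.
CHECKS = [
    ("server-side rendering", re.compile(r"\bgetServerSideProps\b")),
    # Any revalidate key counts, since the advice is to remove the parameter entirely.
    ("incremental static revalidation", re.compile(r"\brevalidate\s*:")),
    ("preview mode enabled", re.compile(r"\bpreview\s*:\s*true\b")),
]


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {path: [finding labels]} for every file that trips at least one check."""
    findings: Dict[str, List[str]] = {}
    for path, src in files.items():
        hits = [label for label, pattern in CHECKS if pattern.search(src)]
        if hits:
            findings[path] = hits
    return findings


def is_fully_static(files: Dict[str, str]) -> bool:
    """True only when no file would cause a runtime request to Plasmic servers."""
    return not audit(files)


if __name__ == "__main__":
    for path, hits in audit(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run it over the real source tree (for example by reading `pages/**/*.tsx` and the Plasmic init file into the dict) as a pre-build step; an empty result means the checklist holds.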

Dear Yang,

Thank you for your detailed explanation on the different approaches to using Plasmic. To confirm my understanding, the first part of your original response pertains to using Plasmic via the Headless API, correct?

I’ve spent a lot of time reading about Codegen today. Coming from a data science background, I initially found the “warning, advanced” label a bit intimidating. However, I’ve gone through the following steps, which seemed fairly straightforward :smile:

  1. Created a new project in Plasmic Studio.
  2. Published the project and connected it to a new GitHub repo.
  • For the setup, I chose Next.js as the framework, TypeScript as the language, and selected Codegen mode with default actions set to commit changes.
  3. Pushed the project to GitHub.
  4. To complete the cycle, I also deployed the GitHub repo code using Vercel, even though we plan to use AWS Amplify for HIPAA purposes.

Here is a link to the Vercel app showcasing the result.

My questions are as follows:

  1. Am I using Codegen as intended? Given how simple the above steps were, I’m wondering if I might be missing something given that Codegen is considered advanced.

  2. Connection to Plasmic Server (During User Interactions): If my steps are correct, does this mean that I have full control of the code, and that my app doesn’t need to communicate with Plasmic servers for anything including things like authentication and API calls?

  3. Integrating with an Existing Codebase: If my steps above are correct, my next interest is in figuring out how to apply this process to an existing codebase, particularly a Next.js SaaS boilerplate, to accelerate development for upcoming projects. Any guidance on this would be much appreciated.

Looking forward to your insights.

Best regards,

Hi Yang. I’d appreciate your response. Thanks.

Hi! Yes, those are the basic steps to getting started with codegen. If that works for you, then great! We use it heavily ourselves. However, there are just some things to be aware of going forward:

  • There will generally be more manual upkeep and maintenance required, such as when components are changed around: for every component, a file is emitted that you now own and are expected to manually edit, and it will not be automatically managed by Plasmic, since this is where your developer-specific code/logic is supposed to go. Beyond the initial steps, the built-in GitHub push won’t scale and you’ll need to drop to using the Plasmic CLI to run plasmic sync.

  • If you use any of the built-in components, you’re responsible for installing them into your code base yourself and providing the needed styles etc., or they won’t render/work correctly.

Both headless and codegen approaches can integrate into existing code bases. For instance, the quick start for Next.js runs through the steps of how to add this to an existing code base.

And now I see that you are actually interested in using the authentication and data integration features. These all go through Plasmic servers at the moment, though we are working on an open source release that supports on-premises deployments! For now you can use your own code components for data fetching: Custom templates for pages and sections | Learn Plasmic

Please let me know if that helps!