Question 1

Is Cursor HIPAA compliant?

Accepted Answer

Cursor itself does not offer a Business Associate Agreement (BAA) and is not HIPAA compliant out of the box. However, BastionGate sits between Cursor and any AI provider, detecting and redacting PHI — patient names, DOBs, MRNs, diagnosis codes — before any request leaves your network. This allows healthcare organizations to deploy Cursor and other AI coding tools while maintaining HIPAA compliance at the network layer.

Question 2

How do I prevent developers from sending patient data to ChatGPT or Claude?

Accepted Answer

BastionGate acts as a transparent HTTPS proxy. Configuring a single endpoint in your AI tool routes all AI traffic through BastionGate's inspection layer, which detects and blocks PHI, PII, and other sensitive data in real time — before it reaches OpenAI, Anthropic, or any other provider. Developers don't change how they work; the protection is invisible to them.

Question 3

How do I make GitHub Copilot or Claude Code HIPAA compliant?

Accepted Answer

Point your AI tools at BastionGate's endpoint instead of the provider's. BastionGate intercepts every request from GitHub Copilot, Claude Code, Cursor, and other IDE AI tools, scans for PHI and sensitive data, and either redacts or blocks the request based on your policy. This provides a proxy-level HIPAA control without modifying developer workflows or requiring SDK integration.

Question 4

What sensitive data does BastionGate detect?

Accepted Answer

BastionGate detects a broad range of sensitive data categories including: PII (names, emails, SSNs, phone numbers, addresses), PHI (patient records, MRNs, diagnosis codes, DOBs), financial data (credit card numbers, bank account numbers, trading data), API keys and credentials (AWS keys, OpenAI keys, GitHub tokens), source code and proprietary algorithms, and custom patterns defined by your security team.

Question 5

Does BastionGate require code changes or SDK integration?

Accepted Answer

No. BastionGate is deployed by pointing your AI tools at a single endpoint — no SDK to install, no agent to deploy, no changes to application code or developer workflows. You update the base URL in your tool's settings (e.g. Cursor, VS Code, Claude Code) and every request is automatically inspected. If a tool speaks HTTP to an AI provider, it is covered.

Question 6

How is BastionGate different from Cloudflare AI Gateway?

Accepted Answer

Cloudflare AI Gateway is primarily an observability and routing tool for AI applications. BastionGate is purpose-built for enterprise security and compliance. Key differences: BastionGate has an OPA-backed policy engine with per-tenant and per-project controls; it intercepts IDE AI tools like Cursor and Claude Code transparently; it is designed for regulated industries (HIPAA, SOC 2, FINRA); and it provides developer-friendly block messages with actionable remediation tips rather than silent failures.

Question 7

How is BastionGate different from Nightfall or Lakera?

Accepted Answer

Nightfall and Lakera both require SDK integration — developers must instrument their code to route requests through these services. BastionGate requires no code changes and works as a transparent HTTPS proxy, covering all AI tools automatically including IDE assistants by changing one base URL setting. BastionGate also provides an OPA-backed policy engine with version-controlled, per-tenant policies, whereas these tools use simpler rule configurations.

Question 8

Does BastionGate work with AWS Bedrock and Azure OpenAI?

Accepted Answer

Yes. BastionGate works with all major AI providers including OpenAI, Anthropic, Google Gemini, Azure OpenAI, AWS Bedrock, Mistral, xAI Grok, Meta Llama, and any OpenAI-compatible endpoint. Enterprise deployments using Azure OpenAI for data residency requirements are fully supported.

Question 9

How does BastionGate help with SEC or FINRA compliance for AI tools?

Accepted Answer

Financial services firms using AI coding assistants risk exposing trading algorithms, client financial data, and proprietary models. BastionGate provides: real-time blocking of financial data patterns, an immutable audit log of every AI request for examination readiness, per-team policy enforcement to separate trading desks from other teams, and full request history for e-discovery and regulatory review.

Question 10

What does a developer see when a request is blocked?

Accepted Answer

Instead of a silent failure or cryptic error, BastionGate returns a developer-friendly JSON response that explains exactly what was detected (e.g. 'API key and email address found in this request'), confirms that nothing was sent to the upstream provider, and includes a remediation tip (e.g. 'Move secrets to environment variables'). This reduces friction and helps developers fix the issue immediately.

SR 11-7 and the Generative AI Governance Gap

SR 11-7 and the Generative AI Governance Gap

Built for regulated financial institutions

The SR 11-7 Gap Most Institutions Miss

What Examiners Are Actually Asking

Technical Controls That Satisfy Model Risk

Implementation Roadmap

Ready to see it in action?