Skip to main content

Overview

Hébergement de Données de Santé (HDS) is a French certification for hosting health data. It is mandatory for any organization hosting health data of French patients or operating healthcare services in France. Qovery provides HDS-ready infrastructure for healthcare organizations operating in France.
HDS Certification: HDS (Health Data Hosting) is a French legal requirement under Article L.1111-8 of the Public Health Code. It ensures appropriate security measures for hosting personal health data.

What is HDS?

HDS certification ensures that hosting providers meet strict requirements for:

Data Security

Technical and organizational measures to protect health data

Confidentiality

Ensuring only authorized persons access health data

Integrity

Preventing unauthorized modification of health data
https://mintcdn.com/qovery/bC94RbU5OE288_w9/images/logos/cloud-providers/scaleway-icon.svg?fit=max&auto=format&n=bC94RbU5OE288_w9&q=85&s=9e27c1725260aba1a6fbfcaa78b63370

Availability

Ensuring health data is accessible when needed

HDS Certification Process

HDS certification is delivered by COFRAC-accredited bodies and covers six activities:
1

Activity 1: Physical Infrastructure

Provision and maintenance of physical hosting infrastructure
2

Activity 2: Virtual Infrastructure

Provision and maintenance of virtual infrastructure platform
3

Activity 3: Application Platform

Provision and maintenance of application execution platform
4

Activity 4: Virtual Infrastructure Administration

Administration and operation of information system
5

Activity 5: Application Platform Administration

Administration and maintenance of application platform
6

Activity 6: Data Backup

Backup management and restoration of health data

Qovery HDS-Ready Features

Infrastructure Requirements

  • Physical Security
  • Network Security
  • Data Protection
Data Center Requirements:
  • SOC 2 certified facilities
  • ISO 27001 certified operations
  • 24/7 physical security
  • Access control and surveillance
  • Environmental controls
Qovery Partner Data Centers:
  • AWS (Paris region: eu-west-3)
  • GCP (Paris region: europe-west9)
  • Azure (France Central: francecentral)
  • Scaleway (Paris: fr-par) - 100% French

Access Control

User Authentication:
  • Multi-factor authentication (MFA) required
  • SSO/SAML 2.0 support
  • Strong password policies
  • Session timeout enforcement
Service Authentication:
  • API tokens with expiration
  • Certificate-based authentication
  • Service accounts with limited permissions
Role-Based Access Control (RBAC):
  • Predefined roles (Owner, Admin, Developer, Viewer)
  • Custom roles with granular permissions
  • Resource-level access control
  • Least privilege principle
Access Reviews:
  • Regular access audits
  • Automatic access expiration
  • Immediate revocation on termination
Comprehensive Audit Trail:
  • All user actions logged
  • Authentication events
  • Resource access and modifications
  • Configuration changes
Log Security:
  • Immutable logs (tamper-proof)
  • Long-term retention (configurable)
  • Export to SIEM systems
  • Real-time monitoring

Backup and Disaster Recovery

  • Automated Backups
  • Disaster Recovery
  • Restore Procedures
Database Backups:
  • Daily automated backups
  • Configurable schedule (hourly to weekly)
  • Point-in-time recovery (PITR)
  • Retention: 7 to 35 days (configurable)
Backup Features:
  • Encrypted backups (AES-256)
  • Incremental backups
  • Multi-region replication available
  • Backup verification and testing

French Data Residency

Scaleway (100% French Provider)

Recommended for HDS: Scaleway is a French cloud provider with 100% of infrastructure in France, making it ideal for strict data residency requirements.
Scaleway Benefits:
  • All data centers in France (Paris region)
  • French company subject to French law
  • No data transfer outside France
  • GDPR compliant by default
  • Competitive pricing
Scaleway Regions:
  • fr-par: Paris, France (3 availability zones)
Deploy on Scaleway →

Other French Regions

  • AWS
  • GCP
  • Azure
eu-west-3 (Paris):
  • 3 Availability Zones
  • Full range of AWS services
  • Data residency in France
  • BAA available for healthcare

Organizational Requirements

Policies and Procedures

1

Security Policy

Documented information security policy covering health data protection
2

Access Management

Procedures for user provisioning, access reviews, and termination
3

Incident Response

Documented incident response plan for security incidents
4

Business Continuity

Business continuity and disaster recovery plans
5

Data Protection

Procedures for data classification, handling, and disposal
6

Third-Party Management

Vendor management and sub-processor assessment procedures

Staff Training

Required Training Topics:
  • Data protection and privacy
  • Security awareness
  • Incident response procedures
  • Access control policies
  • Backup and recovery procedures
Qovery Support:
  • Security best practices documentation
  • Training materials and webinars
  • Technical support
  • Customer success resources

Technical Security Measures

Network Security

Firewall and Access Control:
  • Web Application Firewall (WAF)
  • DDoS protection
  • IP allowlisting/denylisting
  • Rate limiting
  • Geographic restrictions
Network Segmentation:
  • VPC isolation
  • Private subnets for applications
  • Public subnets for load balancers only
  • Network policies in Kubernetes
Security Monitoring:
  • Real-time threat detection
  • Anomaly detection
  • Intrusion detection systems (IDS)
  • Log aggregation and analysis
Alerting:
  • Security event notifications
  • Suspicious activity alerts
  • Failed authentication attempts
  • Configuration changes
Scanning and Patching:
  • Regular vulnerability scanning
  • Automated security updates
  • Container image scanning
  • Dependency vulnerability checks
Remediation:
  • Priority-based patching
  • Testing before deployment
  • Rollback procedures
  • Documentation of fixes

Application Security

Best Practices:
  • Secure coding guidelines
  • Input validation and sanitization
  • Output encoding
  • SQL injection prevention
  • XSS protection
  • CSRF tokens
  • Secure session management
Qovery Features:
  • Container image scanning
  • Secret management
  • Environment variable encryption
  • Secure defaults
  • Security headers

Compliance Documentation

Required Documentation for HDS

Security Policy

Comprehensive information security policy

Risk Assessment

Regular risk assessments and mitigation plans

Procedures

Documented operational procedures

Audit Reports

Internal and external audit reports

Incident Logs

Security incident documentation

Training Records

Staff training completion records

Qovery-Provided Documentation

Available upon request (NDA may be required):
  • Infrastructure architecture diagrams
  • Security controls documentation
  • SOC 2 Type II reports
  • Penetration test results
  • Business continuity plans
  • Data processing agreements (DPA)

Sub-Processors and Partners

Qovery Sub-Processors

HDS requires transparency about all sub-processors handling health data.
Infrastructure Providers:
  • AWS (if using AWS regions)
  • Google Cloud (if using GCP regions)
  • Microsoft Azure (if using Azure regions)
  • Scaleway (if using Scaleway regions)
Supporting Services:
  • Authentication providers (if using SSO)
  • Monitoring services (for observability)
  • Backup storage providers
Sub-Processor Management:
  • Contractual obligations flow down
  • Regular security assessments
  • Notification of changes
  • Right to object to new sub-processors

Customer Responsibilities

Shared Responsibility: While Qovery provides HDS-ready infrastructure, customers must implement additional controls for full HDS compliance.
1

Obtain HDS Certification

Work with COFRAC-accredited certification body for your HDS certification
2

Data Classification

Identify and classify health data in your applications
3

Application Security

Implement secure coding practices and vulnerability management
4

Access Controls

Configure appropriate RBAC and access policies
5

Training Program

Train staff on data protection and security requirements
6

Documentation

Maintain required policies, procedures, and records
7

Audits

Conduct regular internal audits and engage certification body

Getting Started with HDS

1

Contact Qovery

Reach out to discuss HDS requirements: [email protected]
2

Select French Region

Choose Scaleway (fr-par) or other French regions
3

Enable Security Controls

  • MFA enforcement
  • Encryption at rest and in transit
  • Audit logging
  • Backup configuration
4

Document Compliance

Create required policies and procedures
5

Engage Certification Body

Work with COFRAC-accredited body for HDS certification

Professional Services

Qovery offers professional services to help with HDS compliance:

Compliance Consulting

Expert guidance on HDS requirements and implementation

Architecture Review

Review and optimize your infrastructure for HDS

Security Assessment

Evaluate current security posture against HDS requirements

Training

Custom training for your team on HDS and security

Next Steps

Security Overview

Review Qovery’s security architecture
https://mintcdn.com/qovery/bC94RbU5OE288_w9/images/logos/cloud-providers/scaleway-icon.svg?fit=max&auto=format&n=bC94RbU5OE288_w9&q=85&s=9e27c1725260aba1a6fbfcaa78b63370

Scaleway Deployment

Deploy on 100% French infrastructure

GDPR Compliance

Learn about GDPR compliance features

Resources

Disclaimer: This documentation provides information about Qovery features that support HDS compliance. Customers seeking HDS certification must work with a COFRAC-accredited certification body and implement appropriate organizational and technical measures. Consult with legal and compliance experts for your specific situation.