Webinar - May 21 - Building Regulated Infrastructure: How Lucis Standardized Security for Global Care
Healthcare - HealthTech - Medical Devices
HIPAA - HDS - GDPR - SOC 2

Patient data never leaves your cloud.

HIPAA Ready - HDS Ready - GDPR - SOC 2 Type II - ISO 27001 - IEC 62304

Qovery runs the control plane. Your workloads, your PHI, your databases stay in your VPC - encrypted with your keys, governed by your policies. We sign the BAA and never touch patient data.

HIPAA / HDS SCOPE
out-of-scope / in-scope
Qovery Control Plane (out-of-scope)
  • Metadata-only telemetry
  • No PHI in transit or at rest
  • Deploy events + config state
  • SOC 2 Type II certified
Your HDS-Certified VPC (in-scope)
  • PHI stays in your VPC
  • Encrypted with your KMS
  • HDS-certified regions only
  • You control all access

Trusted by healthcare teams serving millions of patients

Alan - Talkspace - CaptivateIQ - Prezi - Hyperline - Elevo - Didask - Powens
Compliance

Built for regulated teams.

Every compliance requirement mapped to a platform capability. No bolt-on features, no checkbox theatre - architecture that passes the audit by design.

Business Associate Agreement

We sign the BAA. We never see PHI.

Qovery executes a Business Associate Agreement with every healthcare customer. The BAA covers our control plane operations - which by architecture never process, store, or transmit PHI.

Legal Document

Business Associate Agreement

Parties

This BAA is entered into between Covered Entity (Customer) and Business Associate (Qovery SAS).

Scope of Services

Business Associate provides container orchestration and deployment management services. BA does not create, receive, maintain, or transmit PHI.

Obligations

BA shall maintain SOC 2 Type II certification. BA shall notify CE within 24 hours of any security incident. BA shall provide audit access upon reasonable request.

Data Handling

All PHI remains within CE infrastructure. BA processes only deployment metadata, configuration state, and resource metrics.

Zero-PHI control plane

We sign the BAA.
We never see your PHI.

Typical SaaS vendor
  • Vendor processes PHI as sub-processor
  • Patient data transits vendor infra
  • Shared tenancy across customers
  • HDS certification burden on vendor
  • BAA covers broad data handling
Qovery - zero PHI
  • Qovery never processes PHI
  • All data stays in your VPC
  • Dedicated clusters, full isolation
  • You choose HDS-certified regions
  • BAA covers metadata-only operations
BYOC - BYOK
Your cloud, your KMS. PHI encrypted with keys you control.
Policy-as-code
HDS region enforcement, data classification, access controls.
Full audit
Every action logged for SOC 2, HIPAA, and HDS evidence.
BAA - DPA ready
We sign the BAA on day one. DPA available for GDPR.
Trusted in production
Alan

Health insurance - HDS + GDPR - $8B valuation

"One platform for every product team - from claims to care pathways - with full EU data residency. Qovery gave us the developer velocity of a startup with the compliance posture of a bank."
Infrastructure Lead, Alan
  • 100+ - Services managed
  • 8 min - Deploy time (was 55 min)
  • 0 - Compliance incidents
  • HDS - Certified regions only
HIPAA - NASDAQ: TALK - Talkspace

~2M patients

"Ship HIPAA-regulated workloads as fast as a startup."

Insurance - Regulated

550K+ customers

"Zero downtime during our critical cloud migration."

SOC 2 - B2B Billing - Hyperline

Billing platform

"New engineers push to production on day one."

  • 6 wk - To production on HDS
  • 0 - PHI incidents
  • 12M+ - Patients served
  • 100% - Audit pass rate

Protect patient data.
Ship the feature.