police and sensitive sites

HDS – Health Data Hosting

In France, all health data must be hosted by an HDS-certified (Health Data Hosting) provider. This certification, granted following a rigorous audit process, attests that we comply with the most stringent standards for the protection of medical data.

Our customers may contact us via the ticketing system to access the HDS certificates of our subcontractors.

Our HDS certification covers the following scope:

Provision of a cloud infrastructure enabling the hosting of Nexpublica applications, including:

– the provision and operational maintenance of the hardware infrastructure of the information system used for the processing of health data;

– the provision and operational maintenance of physical sites used to host the hardware infrastructure of the information system used for the processing of health data;

– the provision and operational maintenance of the virtual infrastructure of the health information system;

– the provision and operational maintenance of the application hosting platform of the information system used for the processing of health data;

– the administration and operation of the information system containing health data;

– off-site backup of health data.

Our commitment covers several key dimensions:

Logical security: our systems rely on granular access control, systematic encryption, and robust backup procedures.

Regulatory compliance: we comply with the frameworks and guidelines established by the French National Agency for the Safety of Health Information Systems (ANS) and the French Data Protection Authority (CNIL).

HDS certification is renewed periodically, which involves thorough external audits covering all our technical and organizational processes.
For our customers, this guarantees that health data—among the most sensitive categories of data—are processed and hosted in a compliant, secure, and officially recognized environment. It also demonstrates our commitment to placing trust and the protection of individuals at the core of our mission.

| Legal name of the entity | Role within the hosting service | HDS certified (yes / no / exempt) | SecNumCloud 3.2 qualified | Hosting activity in which the entity is involved | Access to Health Data (HD) from a third country outside the EEA by the host or one of its subcontractors (HDS EXI29) | Host or subcontractor subject to a risk of access to Health Data (HDS EXI30) |
| --- | --- | --- | --- | --- | --- | --- |
| NEXPUBLICA France | Host | Certification in progress | No | Certification in progress for HDS activities 1 to 6 | No access to data from a third country outside the EEA | No |
| Thales Cloud Securise (S3NS) | Key subcontractor for encryption / GCP Host subcontractor. S3NS is the subcontractor responsible for data encryption and acts as the holder of the encryption keys. GCP provides the hosting of the encrypted data. | Yes | No | HDS activities 3 to 6 | Yes, encrypted data to the United States of America. No transfer of unencrypted data outside France | EU adequacy decision |