Hosting health data is not something you can improvise. These are highly sensitive records, governed by strict legal and technical requirements.
In France, this responsibility has a name: the HDS certification (Hébergement de Données de Santé, or Health Data Hosting). It ensures that technical service providers meet the highest standards of security, traceability, and regulatory compliance.
In this article, we’ll walk you through what HDS certification is, who it applies to, why it matters, and how Scalingo has made the commitment to cover every regulatory scope defined by law, offering a reliable, sovereign, and fully compliant solution for healthcare organizations.
HDS is a mandatory French certification that governs how personal health data can be legally hosted and managed.
Introduced by the French Agence du Numérique en Santé (ANS), it applies to all technical providers, including cloud platforms, hosting companies, and managed service providers, that store or process this type of sensitive data. (We’ll define exactly what qualifies as health data in a moment.)
The HDS framework ensures that providers like Scalingo adhere to the highest levels of security and confidentiality, on par with standards seen in critical sectors like banking or national defense.
We won’t dive into every step of the HDS certification process here since it could fill an article of its own. But here’s what you need to know: obtaining HDS certification means meeting exceptionally high standards, particularly in areas such as:
And no, it doesn’t happen overnight.
Getting certified takes months of preparation, including audits by an independent organization accredited by the COFRAC, extensive documentation, detailed process updates, and most importantly, company-wide involvement that extends far beyond the security or infrastructure teams.
Here’s a visual summary of the key points:
As you can see, it’s not just a box to tick or a certificate to showcase on your website. It’s a deep, structural commitment that reshapes how hosting, maintenance, and even client relationships are approached in a field as sensitive as healthcare.
Health data is among the most sensitive information that exists. It directly concerns a person’s physical and mental well-being, and can sometimes reveal delicate social or family situations.
Now imagine the risks if that information were to circulate in a digital system without adequate protection.
If health data falls into the wrong hands, the consequences can be severe:
Privacy breaches – exposure of medical conditions, psychological issues, confidential treatments, or personal health history
Discrimination – in employment, insurance, or even housing
Blackmail or extortion – some ransomware attacks specifically target hospitals and clinics, exploiting the value of sensitive data to demand payment
It’s precisely to reduce these risks that the HDS (Health Data Hosting) certification was created.
The reference definition of “health data” comes from the GDPR (General Data Protection Regulation) and the French Data Protection Authority (CNIL):
“Health data is any personal information related to the physical or mental health of an individual, past, present, or future. This includes, for example, diagnoses, test results, prescriptions, or even indirect data such as heart rate measured by a connected device, if it can be used to infer a person’s state of health.”
Examples of information commonly considered health data include:
Now that we’ve defined what qualifies as health data, another key question comes up: who is allowed to host it, and under what conditions?
This is exactly where HDS certification becomes relevant, especially when it comes to its different scopes.
A common misconception is that all HDS certifications are the same. In practice, an HDS certification refers to a set of clearly defined scopes, not a universal stamp of approval. It is a modular system that reflects the specific role a provider plays in handling health data.
👉 In simple terms, HDS certification can cover up to six distinct activities. Some companies are certified for just one, others for several. Very few cover all of them.
Here are the six official HDS hosting scopes:
1. Physical facility hosting
This scope ensures that the buildings housing the servers (such as data centers) comply with strict standards. These include controlled access, fire safety systems, backup power supply, and other physical safeguards.
2. Physical infrastructure hosting
This covers the actual hardware — servers, storage arrays, network equipment. The goal is to ensure that these components are installed, maintained, and monitored under optimal security and operational conditions.
3. Application platform hosting
This involves everything that allows applications to run properly. It includes operating systems, databases, middleware, and other foundational software layers.
4. Virtual infrastructure hosting
This scope covers virtual environments such as virtual machines or containers. They must be properly isolated, secured, and continuously monitored, just like the rest of the infrastructure.
5. Managed services for information systems
This refers to the daily operations that keep an information system stable, secure, and compliant. It includes monitoring, patch management, incident handling, and operational maintenance.
6. Offsite health data backup
The final scope, but by no means the least important, concerns backups. These must be stored at a separate location with the same level of security and traceability as the primary data.
These six scopes are defined by the Agence du Numérique en Santé (ANS) and outlined in the official HDS Certification Framework.
So what about Scalingo? We made the deliberate and ambitious choice to obtain certification across all six HDS scopes. This means our PaaS platform is fully compliant, from physical infrastructure to software operations and data backup.
This level of coverage is still rare in the French cloud ecosystem, and it allows us to support our healthcare clients with a turnkey solution. No need to manage multiple vendors or navigate regulatory complexity alone.
Beyond the certificate itself, this choice reflects a deeper commitment and a philosophy we believe in.
At Scalingo, this commitment is reflected in a company-wide effort. From InfoSec and engineering to support and product teams, everyone is involved. And that’s what makes the certification meaningful. It’s not just a document, it’s something that lives in our everyday practices.
👉 Learn more about Scalingo hosting for the health sector
Still have questions? Here are the answers to the most common concerns our users have about HDS hosting and what it involves.
Yes, but under some conditions.
In theory, AWS, Google Cloud, and other American hyperscalers can host health data in France, provided that their services are certified for the relevant HDS scopes. Some of their offerings have indeed received this certification, which is a positive step.
👉 However, caution is needed:
The ISO 27001 standard and the HDS certification share a common goal: ensuring a high level of information security. However, they serve slightly different purposes:
ISO 27001 is an international standard that defines best practices for securing information systems, across all industries. It is based on principles such as risk assessment, access management, and security governance.
HDS (Health Data Hosting) is a mandatory French certification required for hosting health data. It builds upon ISO 27001 but includes additional requirements specific to the healthcare sector, such as data sovereignty, enhanced traceability, and guaranteed service availability.
💡 At Scalingo, we are certified for both, to ensure secure, compliant, and sovereign health data hosting.
Any company that hosts personal health data on behalf of third parties must be HDS certified.
This includes:
📌 Important: If you process health data only for your own internal needs (for example, a hospital hosting its own data on its own servers), HDS certification is not mandatory, but very strict security requirements still apply.
Not really.
HDS certification is complementary to, but does not replace, compliance with the GDPR (General Data Protection Regulation).
👉 To be GDPR compliant, a company must meet a set of legal obligations related to the protection of personal data, including:
On its side, the HDS certification focuses exclusively on the hosting of health data, with strict requirements around security, traceability, availability, and data sovereignty.
At first glance, HIPAA (Health Insurance Portability and Accountability Act) and HDS certification appear to share the same goal: protecting sensitive health data. And in spirit, that’s true: both aim to ensure the confidentiality, security, and reliability of medical information.
However, in practice, the approaches are somewhat different.
HIPAA is a United States regulation that applies to the entire American healthcare system. It defines strict rules on data privacy, as well as broader patient rights and mandatory security measures.
Being HIPAA-compliant is therefore not sufficient to legally host health data in France. Likewise, HDS certification does not guarantee HIPAA compliance in the United States.
💡 At Scalingo, we support both French and international organizations, and we’re here to help you navigate between these frameworks based on your specific regulatory requirements.
No. HDS certification does not require hosting in a cloud region certified under SecNumCloud.
HDS is a certification specific to the healthcare sector. It governs how health data must be hosted and ensures a high level of security, confidentiality, and GDPR compliance. However, it does not mandate the use of a SecNumCloud-certified provider.
SecNumCloud, on the other hand, is a separate high-security label issued by ANSSI (France’s National Cybersecurity Agency). It applies to cloud service providers across all sectors and is designed to ensure maximum data sovereignty, particularly in the face of extraterritorial laws such as the US Cloud Act.
In summary:
As part of HDS certification requirements, Scalingo must designate a healthcare professional point of contact for each client. This contact plays a critical role. They must be able to identify a licensed healthcare professional who is authorized to act when needed — for example, to approve access to health data or respond to a security incident.
Additionally, Scalingo must be able to provide this list to the relevant authority without delay, especially in the event that HDS certification is suspended or withdrawn. This is a requirement outlined in the official HDS framework (version 1.1.1f, requirement 4.5.4).
Not sure about your HDS requirements? Looking for a GDPR-compliant cloud partner, certified in health data hosting, based in France, and deeply familiar with the needs of the healthcare sector?
👉 Get in touch with our team — we’d be happy to discuss your project.