Health data hosting: Understanding the HDS Certification

July 29, 2025 - 10 min read

Hosting health data is not something you can improvise. These are highly sensitive records, governed by strict legal and technical requirements.

In France, this responsibility has a name: the HDS certification (Hébergement de Données de Santé, or Health Data Hosting). It ensures that technical service providers meet the highest standards of security, traceability, and regulatory compliance.

In this article, we’ll walk you through what HDS certification is, who it applies to, why it matters, and how Scalingo has made the commitment to cover every regulatory scope defined by law, offering a reliable, sovereign, and fully compliant solution for healthcare organizations.

What is HDS (Health Data Hosting)?

HDS is a mandatory French certification that governs how personal health data can be legally hosted and managed.

Overseen by the French Agence du Numérique en Santé (ANS), it applies to every technical provider, including cloud platforms, hosting companies, and managed service providers, that stores or processes this type of sensitive data on behalf of third parties. (We’ll define exactly what qualifies as health data in a moment.)

The HDS framework ensures that providers like Scalingo adhere to the highest levels of security and confidentiality, on par with standards seen in critical sectors like banking or national defense.

How does the HDS certification process work?

We won’t dive into every step of the HDS certification process here since it could fill an article of its own. But here’s what you need to know: obtaining HDS certification means meeting exceptionally high standards, particularly in areas such as:

  • Infrastructure security
  • Access confidentiality and traceability
  • Service continuity and availability
  • Strict compliance with the GDPR, supported by the ISO 27001 standard

And no, it doesn’t happen overnight.

Getting certified takes months of preparation, including audits by an independent certification body accredited by COFRAC (the French accreditation committee), extensive documentation, detailed process updates, and most importantly, company-wide involvement that extends far beyond the security or infrastructure teams.

Here’s a visual summary of the key points:

It’s not just a box to tick or a certificate to showcase on your website. It’s a deep, structural commitment that reshapes how hosting, maintenance, and even client relationships are approached in a field as sensitive as healthcare.

“ 📌 Good to know: The HDS certification is valid for three years and includes annual surveillance audits. At Scalingo, we are currently in the renewal process to continue providing compliant, reliable, and fully sovereign hosting. ”

Why is HDS Certification So Important?

Health data is among the most sensitive information that exists. It directly concerns a person’s physical and mental well-being, and can sometimes reveal delicate social or family situations.

Now imagine the risks if that information were to circulate in a digital system without adequate protection.

If health data falls into the wrong hands, the consequences can be severe:

  • Privacy breaches – exposure of medical conditions, psychological issues, confidential treatments, or personal health history

  • Discrimination – in employment, insurance, or even housing

  • Blackmail or extortion – some ransomware attacks specifically target hospitals and clinics, exploiting the value of sensitive data to demand payment

It’s precisely to reduce these risks that the HDS (Health Data Hosting) certification was created.

“ ⚠️ Important: HDS certification does not guarantee that an incident will never happen. What it does ensure is that the infrastructure is well-prepared, actively monitored, and ready to respond quickly. Most importantly, it confirms that the provider follows industry best practices, all of which are audited and certified. ”

What Counts as “Health Data”? What Does the Law Say?

The reference definition of “health data” comes from the GDPR (General Data Protection Regulation, Article 4(15) and Recital 35) as applied by the French Data Protection Authority (CNIL). In substance:

“Health data is any personal information related to the physical or mental health of an individual, past, present, or future. This includes, for example, diagnoses, test results, prescriptions, or even indirect data such as heart rate measured by a connected device, if it can be used to infer a person’s state of health.”

“ 📌 In short: as soon as an application processes identifiable medical information, it falls under the category of health data, along with all the legal obligations that come with it. ”

Examples of information commonly considered health data include:

  • Blood test results or a COVID test result
  • A medical diagnosis (e.g., diabetes, depression)
  • Information from a prescription or medical certificate
  • Data collected from a connected device (e.g., heart rate, step count)
  • Records of a medical appointment or hospitalization
  • Genetic or biological data, even when pseudonymized, as long as the person can still be re-identified

“ 📌 Key point: data is considered personal only if it is linked to, or can be used to identify, someone, either directly or indirectly. To qualify as health data, it must also reveal information, even indirectly, about a person’s physical or mental health. Truly anonymized data, from which no one can be re-identified, is outside the scope of both definitions. ”

What Is an HDS “Scope of Certification”?

Now that we’ve defined what qualifies as health data, another key question comes up: who is allowed to host it, and under what conditions?

This is exactly where HDS certification becomes relevant, especially when it comes to its different scopes.

A common misconception is that all HDS certifications are the same. In practice, an HDS certification refers to a set of clearly defined scopes, not a universal stamp of approval. It is a modular system that reflects the specific role a provider plays in handling health data.

👉 In simple terms, HDS certification can cover up to six distinct activities. Some companies are certified for just one, others for several. Very few cover all of them.

Here are the six official HDS hosting scopes:

1. Physical facility hosting

This scope ensures that the buildings housing the servers (such as data centers) comply with strict standards. These include controlled access, fire safety systems, backup power supply, and other physical safeguards.

2. Physical infrastructure hosting

This covers the actual hardware — servers, storage arrays, network equipment. The goal is to ensure that these components are installed, maintained, and monitored under optimal security and operational conditions.

3. Virtual infrastructure hosting

This scope covers virtual environments such as virtual machines or containers. They must be properly isolated, secured, and continuously monitored, just like the rest of the infrastructure.

4. Application platform hosting

This involves everything that allows applications to run properly. It includes operating systems, databases, middleware, and other foundational software layers.

5. Managed services for information systems

This refers to the daily operations that keep an information system stable, secure, and compliant. It includes monitoring, patch management, incident handling, and operational maintenance.

6. Offsite health data backup

The final scope, but by no means the least important, concerns backups. These must be stored at a separate location with the same level of security and traceability as the primary data.

These six activities are listed in Article R1111-9 of the French Public Health Code and detailed in the official HDS Certification Framework published by the Agence du Numérique en Santé (ANS). The framework groups them into two families: physical infrastructure hosting (activities 1 and 2) and managed hosting, or “hébergeur infogéreur” (activities 3 to 6). A provider’s certificate names the activities it actually covers, so always check the certificate itself rather than the phrase “HDS certified”.

Scalingo: A Fully HDS-Certified PaaS

So what about Scalingo? We made the deliberate and ambitious choice to obtain certification across all six HDS scopes. This means our PaaS platform is fully compliant, from physical infrastructure to software operations and data backup.

This level of coverage is still rare in the French cloud ecosystem, and it allows us to support our healthcare clients with a turnkey solution. No need to manage multiple vendors or navigate regulatory complexity alone.

Beyond the certification itself, it reflects a deeper commitment and philosophy we believe in.

“ 💬 Hosting health data is not just about ticking boxes. It is about taking long-term, collective responsibility. ”

At Scalingo, this commitment is reflected in a company-wide effort. From InfoSec and engineering to support and product teams, everyone is involved. And that’s what makes the certification meaningful. It’s not just a document, it’s something that lives in our everyday practices.

“ 🛡️ Today, this trusted framework enables us to host dozens of sensitive healthcare applications, both in France and internationally, across a wide range of use cases including telemedicine, care coordination, clinical trials, patient journeys, and preventive care. ”

👉 Learn more about Scalingo hosting for the health sector

FAQ on Health Data Hosting (HDS)

Still have questions? Here are the answers to the most common concerns our users have about HDS hosting and what it involves.

1. Can health data be hosted on AWS, Azure, or Google Cloud?

Yes, but under some conditions.

In principle, AWS, Google Cloud, and other American hyperscalers can host health data in France, provided that the services you rely on are certified for the relevant HDS scopes. Some of their offerings have indeed received this certification, which is a positive step.

👉 However, caution is needed:

  • Not all services offered by these providers are covered by the certification.
  • It is the responsibility of the application provider to carefully verify which specific HDS scopes are actually certified (physical infrastructure? software platform? managed services? backups?).
  • Most importantly, hosting with a non-European provider can raise concerns about data sovereignty and GDPR compliance, particularly because of extraterritorial laws such as the US CLOUD Act, which can compel a US-headquartered provider to hand over data regardless of where it is stored.
  • French authorities and courts, including the CNIL, the Conseil d’État (notably in its rulings on the Health Data Hub), and the ANS, have repeatedly favored solutions hosted within the European Economic Area by providers not subject to conflicting extraterritorial laws.

2. What is the difference between ISO 27001 and HDS?

The ISO 27001 standard and the HDS certification share a common goal: ensuring a high level of information security. However, they serve slightly different purposes:

ISO 27001 is an international standard that defines best practices for securing information systems, across all industries. It is based on principles such as risk assessment, access management, and security governance.

HDS (Health Data Hosting) is a mandatory French certification required for hosting health data. It builds upon ISO 27001 but includes additional requirements specific to the healthcare sector, such as data sovereignty, enhanced traceability, and guaranteed service availability.

💡 At Scalingo, we are certified for both, to ensure secure, compliant, and sovereign health data hosting.

3. Which companies are required to be HDS certified?

Any company that hosts personal health data on behalf of third parties must be HDS certified.

This includes:

  • Infrastructure providers (data centers, cloud platforms)
  • Healthcare SaaS providers
  • Managed service providers or technical subcontractors
  • Startups and IT services companies that handle or store identifiable medical data (telemedicine, care coordination, patient records, etc.)

📌 Important: If you process health data only for your own internal needs (for example, a hospital hosting its own data on its own servers), HDS certification is not mandatory, but very strict security requirements still apply.

4. Is HDS certification enough to be GDPR compliant?

Not on its own.

HDS certification is complementary to, but does not replace, compliance with the GDPR (General Data Protection Regulation).

👉 To be GDPR compliant, a company must meet a set of legal obligations related to the protection of personal data, including:

  • having a lawful basis for data processing
  • being transparent with users
  • respecting individuals’ rights (such as access, rectification, and deletion)
  • collecting only the data that is strictly necessary
  • appointing a Data Protection Officer (DPO), in certain cases

On its side, the HDS certification focuses exclusively on the hosting of health data, with strict requirements around security, traceability, availability, and data sovereignty.

“ 🔐 At Scalingo, we provide hosting that is HDS certified and GDPR compliant. However, it is up to our clients to ensure that the rest of their application fully meets GDPR obligations (privacy policy, consent management, and more). ”

5. Are HDS and HIPAA the same thing?

At first glance, HIPAA (Health Insurance Portability and Accountability Act) and HDS certification appear to share the same goal: protecting sensitive health data. And in spirit, that’s true: both aim to ensure the confidentiality, security, and reliability of medical information.

However, in practice, the approaches are somewhat different.

HIPAA is a United States regulation that applies to “covered entities” (health plans, healthcare providers, and clearinghouses) and to their “business associates”, which includes the cloud and hosting providers that handle protected health information for them. It defines strict rules on data privacy, as well as broader patient rights and mandatory security measures, but it is a legal obligation on those organizations, not a third-party certification of a hosting provider.

Being HIPAA-compliant is therefore not sufficient to legally host health data in France. Likewise, HDS certification does not guarantee HIPAA compliance in the United States.

💡 At Scalingo, we support both French and international organizations, and we’re here to help you navigate between these frameworks based on your specific regulatory requirements.

6. Is HDS certification dependent on using a SecNumCloud region?

No. HDS certification does not require hosting in a cloud region certified under SecNumCloud.

HDS is a certification specific to the healthcare sector. It governs how health data must be hosted and ensures a high level of security, confidentiality, and traceability, which in turn supports GDPR compliance. However, it does not mandate the use of a SecNumCloud-qualified provider.

SecNumCloud, on the other hand, is a separate high-security qualification issued by ANSSI (France’s National Cybersecurity Agency). It applies to cloud service providers across all sectors and is designed to ensure maximum data sovereignty, particularly in the face of extraterritorial laws such as the US CLOUD Act.

In summary:

  • HDS: mandatory for hosting health data
  • SecNumCloud: recommended to enhance sovereignty, but not mandatory

7. What is a “Healthcare Professional Point of Contact”?

As part of the HDS certification requirements, Scalingo must identify, for each client, a healthcare professional point of contact. This contact plays a critical role: they must be a licensed healthcare professional, or be able to designate one, who is authorized to act when needed, for example to approve access to health data or to respond to a security incident.

In addition, Scalingo must be able to hand this list to the competent authority without delay, in particular if its HDS certification is suspended or withdrawn, so that clients can be contacted and their data handled appropriately. This is a requirement of the official HDS framework (version 1.1.1f, requirement 4.5.4).

Launching a Healthcare Project? Let’s Talk.

Not sure about your HDS requirements? Looking for a GDPR-compliant cloud partner, certified in health data hosting, based in France, and deeply familiar with the needs of the healthcare sector?

👉 Get in touch with our team — we’d be happy to discuss your project.

Jennifer Taylor
Jennifer recently joined Scalingo as Growth Marketing Manager and is exploring the dynamic PaaS and cloud industry with a keen interest in sharing the knowledge acquired along the way.