| Business name of the actor | Role in the hosting service (Host / processor of the Host) | HDS certified (yes / no / exempted) | SecNumCloud 3.2 qualified | Hosting activities in which the actor is involved | Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No. 29 of the HDS framework) | Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement No. 30 of the HDS framework) |
|---|---|---|---|---|---|---|
| Aptar Digital Health (ADH) | Host | Yes | No | 5. The management and operation of the information system containing the health data; 6. Backing up health data. | Access to personal health data from countries outside the European Economic Area (EEA) is governed by the following safeguards, in accordance with Requirement No. 29 of the HDS framework: Standard Contractual Clauses (SCCs) are established with all processors located outside the EEA, ensuring GDPR-compliant data transfers. A Data Protection Impact Assessment (DPIA) is conducted for the Digital Solution, detailing the technical and organizational measures implemented to mitigate risks related to international data transfers. A Data Processing Agreement (DPA) is signed with the Client, specifying roles, responsibilities, and data protection obligations. An HDS-compliant agreement is in place with the Client, ensuring adherence to French regulatory requirements for health data hosting. | ADH has assessed the risk of access to personal health data by third-country authorities and confirms that: ADH is established within the European Economic Area (EEA) and is not subject to legislation from a third country that would compel access to personal health data in a manner that conflicts with EU law. ADH ensures that any access to personal health data is strictly controlled, logged, and limited to authorized personnel within the EEA or from a country providing an adequate level of protection within the meaning of Article 45 of the GDPR. ADH has implemented appropriate technical and organizational measures to prevent unauthorized access, including encryption, access control, and regular audits. |
| Amazon Web Services (AWS) | Processor | Yes | No | The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the health data; the provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the health data; the provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the health data; the provision and maintenance in operational condition of the platform for hosting information system applications. | For our processor AWS, the following safeguards are in place: AWS Global Data Processing Addendum (GDPR DPA), which includes the Standard Contractual Clauses (SCCs) approved by the European Commission to ensure lawful international data transfers. The geographic region for data storage is explicitly defined in the contract by ADH, ensuring that personal health data is stored within a specified and compliant AWS region. AWS implements a comprehensive set of technical and organizational measures, including encryption, access controls, and monitoring, as detailed in its security documentation and compliance certifications (ISO 27001, HDS certification in France). | Amazon Web Services (AWS), as a non-EEA-headquartered entity, may be subject to third-country legislation (e.g., the U.S. CLOUD Act). To mitigate this risk: AWS has committed contractually to the Standard Contractual Clauses (SCCs) approved by the European Commission, which include safeguards against unlawful data access (Global Data Processing Addendum, GDPR DPA). The data storage region is explicitly set to France, ensuring that personal health data is physically located within the EEA. AWS has published transparency reports and legal challenge mechanisms to resist unlawful or disproportionate data access requests from third-country authorities. AWS is HDS-certified, and its infrastructure complies with French health data hosting requirements, including strict access controls and encryption. |
| Microsoft Azure | Processor | Yes | No | The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the health data; the provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the health data; the provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the health data; the provision and maintenance in operational condition of the platform for hosting information system applications. | For our processor Microsoft Azure, the following safeguards are implemented: A Data Protection Addendum (DPA) for Microsoft Professional Services outlines Microsoft's obligations for handling and protecting personal data in compliance with the General Data Protection Regulation (GDPR), including provisions for international data transfers. Microsoft Azure contractually commits to the European Commission's Standard Contractual Clauses (SCCs) for transfers of personal data to countries outside the EEA. The Azure region selected for data storage is France, ensuring data residency within the European Economic Area and alignment with French regulatory requirements. Microsoft Azure holds a valid HDS (Hébergeur de Données de Santé) certification, attesting to its compliance with French health data hosting standards. | Microsoft Azure, headquartered outside the EEA, may be subject to third-country legislation. To address this: Microsoft Azure contractually adheres to the European Commission's SCCs, which include obligations to notify and challenge unlawful access requests. The Azure region selected is France, ensuring data residency within the EEA. Microsoft has implemented Defending Your Data policies and legal safeguards to challenge government access requests that conflict with EU law. Microsoft Azure is HDS-certified to ensure compliance with French regulations. |