If you process personal health data collected in the course of care in France, the law does not just ask you to be careful with it. It tells you where it may be hosted: with a provider holding the Hébergeur de Données de Santé (HDS) certification. For data teams, that single requirement reshapes the whole analytics architecture, often more than the GDPR itself.
What HDS actually is
HDS is a French certification, anchored in the Public Health Code, covering the hosting of personal health data collected during prevention, diagnosis or care. It certifies the hosting layer: physical infrastructure, virtual infrastructure, platform administration, backup. A provider earns the certification per activity, and customers must check which activities are actually covered.
Two consequences matter for analytics:
- You cannot put identifiable patient data on a non-certified hosting stack, no matter how good your contracts are.
- The certification follows the hosting, so the question “where does my data platform physically run?” stops being an infrastructure detail and becomes a legal gate.
The good news for European teams: certified options exist at scale. OVHcloud, among others, offers HDS-certified hosting, which means a sovereign architecture and an HDS-compliant one can be the same architecture.
Health data is also GDPR special category
HDS stacks on top of Article 9 GDPR: health data is special-category personal data, with a default prohibition on processing and a short list of exceptions. For a data platform this translates into expectations that go beyond hosting:
- Strict access control and isolation, so a research workspace never sees the care workspace’s identifiable rows
- A complete audit trail of who accessed what, exportable for the DPO and the CNIL
- De-identification pipelines with lineage, so you can show exactly how an identifiable dataset became a research cohort
- Residency you can demonstrate, not just promise
The architecture that satisfies both
The pattern that works is consistent: keep the data plane on certified, European hosting that you contract for, and let the platform orchestrate without ever holding the data.
This is exactly what a bring-your-own-cloud design provides. With Polnor, compute, storage and SQL warehouses run inside your own cloud account, on the hosting arrangement you chose, which can be your provider’s HDS-certified offering. The control plane orchestrates from France and never stores your health data: identifiable rows, de-identified cohorts and model artifacts all stay in your bucket, in your region, under your keys. Polnor adds what HDS and the GDPR expect operationally: per-workspace isolation, an exportable audit log, and automatic lineage from raw tables to research datasets and trained models.
One honest caveat, because this area is full of overclaiming: HDS certifies hosting providers, not analytics software. What your platform must do is avoid breaking the compliance of the certified hosting underneath, and give you the controls the rest of the framework expects. Be suspicious of any vendor who phrases it differently.
A short checklist before your next health-data project
- Which HDS activities does your hosting cover, and do they match how you use the platform?
- Can you prove, bucket by bucket, where identifiable data lives?
- Is the de-identification step traceable end to end?
- Can the DPO query the audit trail without filing a ticket?
- If you change vendors, do the datasets survive in an open format?
If your answers are shaky on two or more of these, request a demo: health data is where the sovereign architecture stops being philosophy and starts being the permit to operate.