Hosting Health Data on Exoscale

Overview

At Exoscale, we recognize that health data is among the most sensitive categories of information our customers may process. We therefore apply the highest standards of confidentiality, integrity, and availability to the infrastructure and services that host such data.

Our security and compliance framework is designed to meet or exceed the requirements of European and international regulations governing health data, including:

  • HDS certification (France) – for hosting health data under Article L.1111-8 of the French Public Health Code
  • BSI C5 Type 2 attestation – ensuring conformity with the German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue
  • HIPAA alignment (USA) – through a dedicated Business Associate Subcontractor Agreement (BASA), available for customers processing Protected Health Information (PHI) under U.S. HIPAA and HITECH regulations

This page summarizes the principles, certifications, and contractual mechanisms that enable health-sector organizations to confidently use Exoscale’s European cloud for regulated workloads.

For the detailed representation of HDS guarantees, please see our dedicated page:

Our Core Principles for Hosting Health Data

  1. Data Sovereignty within Europe

    • All Exoscale zones are located exclusively within the European Economic Area (EEA).
    • Customers can select the specific region for their workloads (e.g. CH, DE, AT).
    • Exoscale commits not to transfer or replicate health data outside the selected region unless expressly instructed by the customer or required by law.
  2. Defense-in-Depth Security Architecture

    • Security controls are aligned with ISO/IEC 27001, SOC 2 Type II, and HDS standards.
    • All data is encrypted in transit (TLS) and at rest, with key management under Exoscale or customer control.
    • Administrative access to systems that could contain health data is strictly least-privilege, multi-factor protected, time-bound, and logged.
  3. Transparency and Shared Responsibility

    • Customers retain control over their virtual machines, applications, and encryption keys.
    • Exoscale provides a transparent Shared Responsibility Matrix in its DPA and HDS appendices.
    • Detailed subprocessor information (e.g. Equinix, A1 Telekom Austria, Aiven Oy) is publicly available.
  4. Incident Response and Breach Notification

    • Security incidents impacting health data are managed under our centralized Security Operations process.
    • Notifications are made without undue delay in accordance with GDPR Articles 33–34, HDS requirements, or HIPAA 45 CFR 164.410, as applicable.
  5. Auditability and Continuous Assurance

    • Exoscale maintains third-party audit reports (HDS, ISO/IEC 27001, SOC 2 Type 2, C5 Type 2).
    • Customers may request summaries or perform audits under the terms of the Data Processing Agreement (DPA) or HDS Addendum.

Certifications and Regulatory Alignment

🇫🇷 France – HDS Certification

Exoscale is certified as a Health Data Hosting Provider (Hébergeur de Données de Santé, HDS) under Article L.1111-8 of the French Public Health Code. This certification ensures that Exoscale meets the stringent requirements for hosting personal health data, including governance, access control, business continuity, and subcontractor management.

Scope of certification:

  • (1) Physical hosting sites
  • (2) Physical infrastructure
  • (3) Virtual infrastructure
  • (4) Application hosting platform
  • (6) Outsourced backups

Hosting locations under HDS certification:

  • Switzerland (CH): Equinix Geneva, Equinix Zurich
  • Germany (DE): Equinix Frankfurt, Equinix Munich
  • Austria (AT): A1 Telekom Austria, Vienna

Detailed public representation of guarantees (“Représentation des garanties HDS”) is maintained in our dedicated publication and updated periodically according to the HDS 2024 v2 framework (EXI 28–31).

🇩🇪 Germany – BSI C5 Type 2 Attestation

Exoscale holds a BSI C5 Type 2 attestation, demonstrating that its information security controls comply with the Cloud Computing Compliance Controls Catalogue (C5) established by the German Federal Office for Information Security (BSI).

This framework ensures:

  • Transparent data processing practices
  • Comprehensive logging and auditability
  • Adherence to ISO/IEC 27001 and SOC 2 aligned controls
  • Documented evidence of control effectiveness over a defined audit period

As a result, Exoscale is suitable for hosting workloads subject to German healthcare data protection regulations and other critical sectors governed by C5 compliance.

🇺🇸 HIPAA and HITECH (on-demand)

For U.S. customers or international organizations handling Protected Health Information (PHI) under HIPAA, Exoscale offers a Business Associate Subcontractor Agreement (BASA) that complements the existing Data Processing Agreement (DPA).

This agreement:

  • Incorporates the requirements of 45 C.F.R. Parts 160 & 164, including the Privacy, Security, and Breach Notification Rules.
  • Clarifies that Exoscale provides infrastructure-level services only and does not process PHI at the application layer.
  • Details access controls, encryption, incident notification timelines, and subcontractor transparency.
  • Enables BA/Exoscale relationships to remain compliant with HIPAA’s “satisfactory assurances” obligations.

Subcontractors and Data Residency

RoleEntityCountryFunctionCertifications / Safeguards
Data center operatorEquinixCH / DESite facilities and utilitiesISO/IEC 27001, PCI DSS, SOC 2
Data center operatorA1 Telekom Austria GroupAT / BGSite facilities and utilitiesISO/IEC 27001, ISO 9001
DBaaS orchestration partnerAiven OyFIControl-plane orchestration, maintenanceISO/IEC 27001, GDPR SCCs where applicable

All subprocessors operate within the EEA or Switzerland, and all access is time-bound, MFA-protected, logged, and contractually restricted. No data transfers occur outside the EEA unless (a) required by law, (b) based on an EU adequacy decision, or (c) supported by Standard Contractual Clauses (SCCs) with appropriate supplementary measures.

Customer Responsibilities

Exoscale provides the secure infrastructure and control-plane environment; customers are responsible for:

  • Application-level and OS-level security configuration
  • Management of access credentials and encryption keys
  • Backup and restoration configuration for self-managed workloads
  • Ensuring compliance of their own data processing activities with applicable law (e.g. GDPR, HIPAA, or HDS)

Audits and Transparency

Customers hosting health data can rely on Exoscale’s compliance framework and supporting documentation to demonstrate their own compliance obligations.
Exoscale provides several mechanisms to facilitate auditability and transparency:

  • Audit Rights:
    Customers are contractually granted an audit right as defined in the Data Processing Agreement (DPA).
    For specific regulated use cases, this may be further detailed in a dedicated addendum to ensure with health data specific regulatory requirements not covered by our regular personal data protection clauses.

  • Compliance Center:
    Exoscale maintains a self-service Compliance Center, accessible from the Exoscale Portal.
    It provides on-demand access—after acceptance of a Non-Disclosure Agreement—to audit reports and certifications, including:

    • ISO/IEC 27001, 27017, and 27018 certificates
    • SOC 2 Type 2 and BSI C5 Type 2 reports
    • HDS and TISAX attestations
    • Third-party compliance information (e.g., data center operators)

These resources allow customers to independently verify Exoscale’s controls and include them as part of their own regulatory compliance evidence.