HDS and ISO27001, protect your sensitive data

Launching a tech project involving sensitive data? Theodo Cloud is HDS certified and assists you in building and managing your cloud infrastructure.

Protect my sensitive data

Our certifications

Understanding HDS certification

We understand that HDS certification can be complex to grasp. Below, we address frequently asked questions about Hosting Healthcare Data and the ISO27001 standard.

1. What are HDS and ISO27001 certifications?

The ISO27001 certification is an international standard that demonstrates the establishment of a robust Information Security Management System (ISMS). This standard ensures the confidentiality, availability, integrity, and traceability of information to protect against cyberattacks or other types of risks. Obtaining the ISO27001 certification is a mandatory prerequisite for obtaining the HDS (Healthcare Data Host) certification. HDS is a more stringent overlay of ISO27001, which healthcare actors must comply with.

Companies that handle healthcare data must comply with the HDS regulations, regardless of their size or type of hosting (On-Premise or Cloud). Additionally, many companies outside the healthcare sector (finance, defense, etc.) choose to comply with HDS requirements, even if they are not legally obligated to do so.

The HDS certification is often categorized into different "levels." Here's what they correspond to:

  • Levels 1 and 2 apply to physical servers. If you have your own physical servers, you will need to comply with these first two levels.
  • Levels 3, 4, 5, and 6 apply to application environments. These levels are mandatory regardless of your hosting type (Cloud or physical).


In summary, if you have your own physical servers, you will be evaluated for levels 1 to 6. If you are on the Cloud, your Cloud provider will handle certification for levels 1 and 2, and you will be evaluated for levels 3 to 6.

If your business requires hosting healthcare data, you have two options. First, you can contact a certification body such as AFNOR, BSI Group, Bureau Veritas, etc., and initiate the certification process. Alternatively, you can engage a certified HDS provider to design, enhance, maintain, and secure your infrastructure in accordance with the regulations. Theodo Cloud is one of these service providers.

This is a complex question that depends on your company's specific needs. However, there are two key questions you can consider to make your decision. The first question is: Do I have the internal resources (human and financial) to undergo the certification process and maintain it?

To give you an idea, the certification process may cost around €150,000, considering the certification fees and human resources expenses. In the following years, you would need to budget around €20,000 annually to maintain the certification.

The second question is: Do I need to achieve compliance within the next year or in the longer term? Obtaining this certification requires considering the time frame involved.

If you have the resources and a year ahead of you, you can contact the certification bodies mentioned earlier. If not, it is advisable to opt for a certified HDS hosting provider like Theodo Cloud.

Theodo Cloud is HDS and ISO27001 certified

Levels 3, 4, 5 and 6

Theodo Cloud has been accredited for HDS since 2022 by BSI Group. Here is the exact description of our certification: "Design, security, and management of Cloud infrastructure hosting personal health data with coverage of ANS activities numbers 3, 4, 5, and 6 of the HDS reference system version 1.1 (2018) in accordance with the statement of applicability DDA 08/02/22."

We build and manage your cloud infrastructure to securely host your exposed data in compliance with HDS, whether it is related to health or simply sensitive information. We adhere to the most rigorous standards in data security.

HDS certification

ISO27001 certification

Our HDS and ISO27001 offers

We have 3 offers to meet your HDS and ISO27001 compliance needs. We provide guidance for each of these offers to help you understand and interpret these standards.

Request your quote
ISO27001 HDS managed offers

ISO27001 and HDS managed services

Are you looking to maintain your infrastructure and handle your most sensitive data with the highest level of security? As Theodo Cloud is certified as a "Hosters of Health Data," our experts ensure daily compliance with HDS and ISO27001 standards. We guarantee the implementation of the most demanding data security practices and provide you with complete visibility into our interventions. If you want to learn more about our managed services offer, you can visit our dedicated page.

HDS audit

ISO27001 and HDS audit

Do you want to assess the security level of your data according to the highest requirements? Our experts audit your infrastructure against the criteria of these standards and provide you with actionable and prioritized recommendations to achieve the required level based on your company's needs. It's important to note that an audit does not guarantee HDS compliance. The criteria must be consistently validated to be compliant. Therefore, conducting an HDS audit does not provide the "Certified Hosters of Health Data" stamp.

ISO27001 HDS build

ISO27001 and HDS infrastrucure build

Are you hosting sensitive data and looking to build or evolve your cloud infrastructure? Our DevOps experts accompany you on all projects involving sensitive data. Whether it's implementing the recommendations from our audit, building a new infrastructure, or evolving it to meet Theodo Cloud's quality and HDS compliance standards, we ensure that the compliance process does not slow down your developers, allowing for daily production deployments.


YAMAS, our compliance framework

Our engineers have developed a framework called YAMAS, which allows for a rapid evaluation of your security level based on 60 criteria in accordance with ISO27001 and HDS standards. Initially designed for healthcare data, we have extended its protective requirements to all our critical projects. A significant portion of these criteria are automated, providing a clear overview of the tasks at hand at a glance. This tool enables us to offer maximum transparency on these standards at any stage of your project. YAMAS serves as the foundation for our audits and is also utilized for HDS managed services to ensure ongoing compliance. Additionally, it is employed in build projects to verify that the constructed solution meets the required level of standards.
framework yamas
Our expertise

Staying at the forefront of technology

Our partners

Google Cloud, Amazon AWS, Azure, OVHcloud, Scaleway, and Kubernetes trust us to implement their technologies in compliance with HDS and ISO27001 for our clients.

Microsoft Azure

Each intervention follows the following process

Agile methodology
  1. Sensitivity qualification

    The project begins with a sensitivity/criticality qualification phase. It is at this stage that we can confirm whether you need to comply with HDS and ISO27001 standards for healthcare data or any other sensitive data. Based on the evaluation, we will recommend whether or not compliance is strongly advisable.

  2. Contractualization

    If it is determined that the project needs to comply with these standards, the next step is to sign the contract and the HDS appendix. These documents ensure compliance with HDS and ISO27001 standards and are signed by both parties. We then collaboratively establish a RACI matrix to define the responsibilities and roles of each stakeholder in the project.

  3. Technical challenge

    Our cybersecurity experts conduct a risk analysis to identify all security risks. They propose an action plan that will be included in the project's roadmap. The team also analyzes the infrastructure's quality and compliance with HDS and ISO27001 standards to gain a comprehensive view of the necessary tasks. The HDS and ISO27001 standards provide a framework in which our team defines the success criteria. This definition of success leverages existing infrastructure to reinforce what you already have without adding unnecessary constraints.

  4. Project

    Our DevOps experts follow the roadmap established during the technical challenge phase. One of our SecOps experts supervises the tasks that involve "functional security specifications," which encompass all the tasks related to the risk analysis. The SecOps expert ensures their proper implementation. Toward the end of the build project, a member of the Information Security Management System (ISMS) conducts an audit to assess the quality and compliance with the standards.

  5. HDS managed services

    After the project's completion, the HDS infogérance phase begins, ensuring ongoing compliance with HDS and ISO27001 standards. Please refer to our dedicated page for more details about our infogérance methodology.

  6. Reversibility

    If you have chosen not to have us manage your infrastructure, this phase replaces the previous one. During this stage, we establish a plan to withdraw access and ensure a smooth exit from the project in compliance with the standards.

The deliverables

Here are some deliverables that our team provides to our clients based on the chosen HDS and ISO27001 compliance offers.


Target architecture diagram

At the beginning of the project, you will be provided with a target architecture diagram. It allows us to present what we plan to implement and ensure that we address all your requirements and constraints.


ROSE quality score

Theodo Cloud's DevOps experts calculate the ROSE quality score of your infrastructure using our ROSE framework. This enables us to prioritize technical tasks at each sprint, ensuring a Resilient, Operable, and Secure infrastructure. By doing so, we ensure that HDS compliance does not hinder the work of developers and operations teams.


Risk analysis

Our DevSecOps experts list all risk scenarios, assign a criticality score to each, and attach an action plan with expected results for closure. This report is provided at the beginning of the project and serves as a reference throughout the entire project.


YAMAS compliance report

Throughout the project, we provide you with access to your YAMAS compliance score. This tool allows us to make HDS and ISO27001 compliance elements transparent and accessible. You can easily identify where your infrastructure stands in relation to these standards.

Our promise

Ensuring your HDS compliance

Your success is our top priority. That's why it's essential for us to provide our expertise on these complex subjects. But our support goes even further:

  • monitoring informatique

    Total transparency on standard requirements

  • expertise

    High-level cloud and cybersecurity expertise to deliver quality infrastructure rapidly

  • accompagnement

    Compliance implementation that does not slow down your developers

  • recommendations

    Rapid deployment as in any industry

  • HDS build for a healthcare actor

    Our client is a healthcare company launching a new application to enhance medical monitoring of specific pathologies. They are required to comply with HDS standards, but they also have a challenge regarding data accessibility from their users to ensure ease of data exploitation for learning purposes. The architecture must be highly decoupled to reduce compliance checks required for each production release. These constraints were hindering the deployment of their application.

    • Key highlights

      Key highlights

      • Infrastructure is divided into Terraform SAMD and non-SAMD bricks
      • Construction of a compliant production deployment process (Release process) according to standards
      • Infrastructure subjected to load testing
      • Fine-grained IAM (Identity and Access Management) to manage access to sensitive patient data, especially in the Data Scientist environment
      • Reduced exposure through a Tooling environment (monitoring, CI/CD, security analysis)
      • Creation of a secure environment for the analysis and exploitation of healthcare data
      • Weekly meetings to ensure compliance with HDS standards
    • Results


      • Uptime of 99.99% over the last 6 months
      • HDS-certified platform
      • Deployment of +10 data ingestion and processing microservices for Data Engineers based on standardized templates
      • Weekly production releases