How Ducal uses AI in its development practice.
Ducal is a development agency specialized in sovereign digital healthcare. Artificial intelligence is at the core of how we develop: we use it to design, write, review, and audit the code of our solutions faster, better, and more securely.
This charter describes our exact use of AI in our development practice, the principles that govern it, and the guarantees we provide to our clients regarding the protection of their data and their patients' data.
Version 1.2 — February 2026
Claude Code, Anthropic's development agent, is our primary tool.
Ducal uses Claude Code, Anthropic's development agent, as its primary software development tool. Claude Code reads a project's source code, proposes implementations, detects vulnerabilities, refactors functions, and generates tests.
Claude Code primarily works on the source code of our solutions: PHP files, TypeScript, infrastructure configurations, technical documentation. For maintenance and deployment needs, it can also execute commands on production servers, under explicit instruction and validation from a Ducal engineer.
It never sees the contents of production databases, patient records, or health data — these are encrypted at rest and never pass through development tools.
The tool is American and hosted in the United States. This is acceptable because it never sees health data: it only sees source code and technical documentation. We state this clearly rather than claiming total sovereignty that wouldn't exist.
Code produced with Claude Code is reviewed, tested, and validated by our engineers before any deployment. Claude Code is a development accelerator, not a decision-maker. The responsibility for every deployed line of code remains entirely with Ducal.
Furthermore, using Claude Code to detect vulnerabilities in our codebases strengthens the security of our solutions beyond what traditional audit methods allow: the tool reasons about the complete architecture of an application rather than relying on known patterns alone.
The sovereignty paradox
Using an American tool for development paradoxically makes us more sovereign: by reducing development costs by an order of magnitude, AI enables small French teams to build credible alternatives to legacy vendors — hosted in France, on SecNumCloud infrastructure, with native interoperability.
Read our founding article: Why hospital CIOs will finally be able to choose their software →Systematic human responsibility. Claude Code makes no decisions alone. Every output is subject to human validation by a Ducal engineer before any production deployment. AI accelerates and deepens our work; the decision remains with the engineers.
No health data in development tools. The tools our engineers use for work never receive real patient or client data. Test environments exclusively use fictitious or anonymized data. Health data in production is encrypted at rest (AES-256) and is only decrypted within the application, never in a development context.
Risk level qualification. Before each new project or feature developed with AI assistance, Ducal assesses the risk level per the European AI regulation (AI Act). This assessment is documented and can be shared with the client upon request.
Technical documentation. Ducal maintains for each solution documentation describing the AI tools used in development, their known capabilities and limitations, and the validation procedures applied. This documentation is available for regulatory authorities and clients who request it.
The use of AI coding agents raises a specific question that most charters ignore: these tools read the source code in its entirety, including configuration and environment files. Without precautions, an API key, a database password, or an infrastructure secret could end up being transmitted to an external model.
Strict separation between code and secrets. No credential, API key, password, or infrastructure secret is stored in the source code. All secrets are managed via HashiCorp Vault (dedicated server, hosted in France) or environment variables injected at deployment time, never in plaintext in versioned files.
Exclusion of sensitive files from AI context. Files containing secrets (.env, credential files, certificates, private keys) are excluded from the context transmitted to the AI agent via exclusion rules configured and verified for each project. Technical references needed for documentation (service names, network architecture) may appear in documentation accessible to the agent, but never the secret values themselves.
Centralized production secret management. Production secrets are managed via HashiCorp Vault, a dedicated secret manager hosted on separate infrastructure. Applications access secrets via an application authentication mechanism (AppRole), without secrets ever being exposed in plaintext on development workstations or in CI/CD tools.
Production database isolation. Production databases reside on a private subnet, not directly accessible from the Internet. Any maintenance access requires a key-authenticated SSH tunnel, under explicit instruction from an engineer, and is fully audited. Claude Code never directly accesses the contents of production databases.
Regular credential rotation. API keys and infrastructure secrets are rotated regularly, and immediately if there is any doubt about involuntary exposure.
Access traceability. Access to production secrets is tracked and limited to strict necessity. Any unusual access triggers a review.
AI Act (EU Regulation 2024/1689). The AI Act came into force on August 1, 2024. Ducal is proactively preparing for full compliance with high-risk system requirements expected from August 2026. In this context, Ducal commits to mapping AI usage in each solution developed, qualifying their risk level, and maintaining the technical documentation required by the regulation. This process is progressive and documented.
GDPR. Source code developed with Claude Code never contains personal data. GDPR obligations applicable to solutions deployed for clients remain entirely under Ducal's responsibility as a data processor, regardless of the tools used for their development.
HDS (Health Data Hosting). Healthcare solutions developed by Ducal are hosted on HDS-certified infrastructure, located in France. The use of Claude Code for development has no impact on this framework: health data hosted in production never passes through development tools.
This charter is revised with each significant change in our practices, the tools we use, or the applicable regulatory framework. The current version is always available on ducal.tech.
Any changes to the tools or practices described here are communicated to affected clients before implementation.
Ducal uses Claude Code, Anthropic's development agent, to accelerate and secure its software development. This tool works on source code and technical documentation: no health data, patient data, or client data is ever transmitted to it. Code produced is systematically reviewed and validated by a Ducal engineer before any deployment. The responsibility for every line of code remains entirely with Ducal. Clients may request details of these practices or specify terms upon request. The full charter is available at ducal.tech.
Ducal, 2026 — ducal.tech
Let's talk. We'll get back to you within 48 hours with an initial proposal tailored to your needs.
Contact Us →