Ducal.tech operates under an ISSP (Information System Security Policy) aligned with ANSSI, HDS (Health Data Hosting), and GDPR frameworks. It's not a document gathering dust — it's the foundation of every technical decision.
Health data is valuable. On illicit markets, a complete medical record sells for ten to twenty times more than a credit card number. Healthcare organizations know this, often the hard way: cyberattacks against hospitals have multiplied in recent years.
That's why at Ducal, security is not a late-stage audit or a checkbox. It's an integrated approach embedded into every stage of design, development, and operations.
Ducal.tech maintains a formal Information System Security Policy (ISSP), compliant with ANSSI (French National Cybersecurity Agency) guidelines and aligned with HDS (Health Data Hosting), GDPR, and ISO 27001 frameworks. This document governs all activities of the collective. It is available upon request as part of a contractual relationship.
Derived from our ISSP, these principles guide every technical and organizational decision.
Multiple independent security layers. If one layer is compromised, the others hold.
Each account only accesses the resources strictly necessary for its mission. No more, no less.
Development, staging, and production are strictly isolated. Never any real data in dev.
Security is built into the architecture from day 1, not bolted on as an afterthought.
Default settings are the most protective possible. Privacy is not an option to enable.
AI strengthens our security daily. But it operates within strict boundaries.
As a system operating in the healthcare domain, our use of AI falls under the high-risk category per the European AI regulation (AI Act, EU 2024/1689). That is why human oversight is systematic at every stage.
All our healthcare solutions are hosted with Outscale (a Dassault Systemes subsidiary), an operator qualified SecNumCloud by ANSSI (French National Cybersecurity Agency) and certified Health Data Hosting (HDS). Data is located exclusively in France, with no exposure to the US Cloud Act.
Three strictly isolated environments ensure no real data ever leaks outside production:
The infrastructure relies on restrictive firewall rules. Administrative access requires a key-authenticated VPN. Services are segmented on the network to limit lateral movement in case of compromise. No database is directly accessible from the outside.
All communications are protected by TLS 1.3 minimum. HSTS is enabled across all our domains. Legacy protocols (TLS 1.0, TLS 1.1, SSLv3) are disabled without exception.
Health data is encrypted with AES-256-GCM. Infrastructure volumes are also encrypted at the storage level. Backups are encrypted before transfer and at rest.
The lifecycle of each piece of data is governed by four distinct phases:
Mandatory MFA. Multi-factor authentication is required for all access to production environments, without exception.
Password policy. 16-character minimum, bcrypt or argon2 hashing, no default passwords. Temporary credentials are disabled after first use.
SSH by key only. ED25519 key access, production access exclusively via authenticated VPN. No direct external access.
Centralized secret management. Rotation every 30 days (critical secrets) or 90 days (standard secrets). Zero secrets in source code, zero secrets in logs.
Named access. All access is individually tracked. Revocation within 24 hours after end of assignment. No shared accounts.
Incidents are classified from P1 (critical) to P4 (minor). In case of a P1 incident, the client is notified within 4 hours. If a data breach is confirmed, CNIL (French Data Protection Authority) is notified within 72 hours per GDPR requirements. Every incident is subject to a documented post-mortem.
A business continuity and disaster recovery plan (BCP/DRP) governs the response to any major incident. The backup strategy relies on multiple levels of replication.
Recovery objectives. RTO (recovery time objective) of 4 hours. RPO (maximum data loss) of 6 hours. Target availability of 99.5%. The DRP is tested annually and results are documented.
On the contractual side, every project includes a systematic Data Processing Agreement (DPA). Ducal maintains a processing register, applies privacy by design from inception, and delivers complete source code to the client. At contract end, a certified secure deletion is performed and documented.
Our Information System Security Policy (ISSP) is available in full as part of a contractual relationship.
Contact usEverything you need to know about Health Data Hosting certification and its implications.
Why ANSSI-qualified sovereign cloud is essential for healthcare.
Threats, obligations, and best practices for hospital IT departments.
Analysis of cyberattacks against French hospitals and lessons learned.
Legal obligations for collecting and processing health data.
How to prepare and execute a DRP in a hospital context.
Why open-source code is an asset for healthcare solution security.
Understanding sovereign cloud challenges for French health data.
Let's talk. We'll get back to you within 48 hours with an initial proposal tailored to your needs.
Contact Us →