Security & sovereignty

An independent vendor, your health data in France

Ducal is backed by no investment fund. Our roadmap serves care facilities and regions — not a shareholder's return targets. Your data stays in France, on sovereign infrastructure, and your trust is never a trade-off.

The evidence

Verifiable commitments, not slogans

Four figures you can measure in our code and our infrastructure — not in a sales brochure.

HDS
Certified Health Data Hosting, in France (Scalingo · osc-fr1).
5,000+
Automated tests run continuously on the backend.
16
Continuous-integration checks passed on every deployment.
AES-256
Full encryption of health data at rest.

Health data is valuable. On illicit markets, a complete medical record trades for ten to twenty times the price of a credit card number — and cyberattacks against care facilities have multiplied in recent years. For a facility or a funder alike, the question is no longer "should we secure it?" but "who do we entrust the data to?".

Our answer comes down to one word: independence. While part of the medico-social patient-record market consolidates around investment funds, Ducal remains an independent vendor. That stance determines who decides the roadmap, where the data lives, and what is never sacrificed under profitability pressure.

Security and sovereignty are not a cost you endure. They are a promise of trust we keep — verifiable, documented, and contractually enforceable.

Sovereignty

Sovereign hosting & independence

Three commitments that make the difference between "data kept safe" and "data you stay in control of".

Data in France, HDS-certified host

Our health solutions are hosted at Scalingo, a French host certified as a Health Data Host (HDS), in the osc-fr1 region. No data is exposed to the US Cloud Act.

Outscale infrastructure, SecNumCloud-qualified

The underlying datacentre runs on Outscale infrastructure, which is SecNumCloud-qualified by ANSSI, the highest sovereign-cloud qualification level in France. The qualification belongs to the infrastructure; it is not a Ducal claim.

Independent vendor, no fund

Our roadmap is driven by facilities' needs and Ségur compliance — not by an investor's financial trade-offs. You know who you are talking to, and whom we work for.

Strict environment separation

Three isolated environments ensure no real data leaks outside production:

DEV
Synthetic data only. No real user data, even anonymised.
STAGING
Anonymised data, access restricted to the project team. Functional validation before going live.
PRODUCTION
Restricted, named access. Full access logging. End-to-end encryption at rest and in transit.

Segmented network

The infrastructure relies on restrictive firewall rules. Administrative access requires a key-authenticated VPN. Services are segmented to limit lateral movement in case of compromise, and no database is reachable directly from the outside.

Security pipeline

Security isn't an end-of-project audit — it runs on every commit

Every code change passes through a continuous-integration pipeline before reaching production. Sixteen automated checks run on every deployment: nothing ships to production without passing them all.

gitleaks — secret detection in code and history
Semgrep — static analysis OWASP / Python / FastAPI, plus 6 custom HDS rules
pip-audit — CVE analysis on dependencies (blocking)
SBOM — CycloneDX software bill of materials on every build
RLS tests — multi-facility isolation verified without a superuser
Ségur conformance — interoperability checked on every run

Encryption & access

Data is protected at every moment of its lifecycle: in transit, at rest, and up to its certified destruction at end of contract.

End-to-end encryption

All communications are protected by at least TLS 1.3, with HSTS enabled across all our domains and obsolete protocols disabled without exception. At rest, health data is encrypted with AES-256-GCM; infrastructure volumes and backups are encrypted too.

Access, secrets & identities

MFA required
Multi-factor authentication required for any production access, without exception.
Key-based SSH
Ed25519 key access; production is reachable exclusively via an authenticated VPN. No direct access from outside.
Least privilege
Each account accesses only the resources strictly needed for its role. Named, logged access.
Centralised secrets
Regular rotation, zero secrets in source code, zero secrets in logs. Revocation within 24 h after a mission ends.

Multi-facility isolation. At the database level itself, each facility sees only its own data: isolation is verified automatically on every deployment, including against privileged accounts. A facility can never reach another's data by mistake.
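
An added example, not Ducal's code: one way an isolation test of this kind can be written, assuming PostgreSQL row-level security (the page does not name the database engine). The `resident` table, the `app_user` role and the `app.facility_id` setting are hypothetical.

```sql
-- Constructed schema: table, column, role and setting names are assumptions.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
CREATE TABLE resident (
    id          int  PRIMARY KEY,
    facility_id int  NOT NULL,
    full_name   text NOT NULL
);
INSERT INTO resident VALUES (1, 1, 'constructed A'), (2, 2, 'constructed B');
GRANT SELECT, INSERT ON resident TO app_user;

ALTER TABLE resident ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from every policy.
ALTER TABLE resident FORCE ROW LEVEL SECURITY;

-- missing_ok = true plus NULLIF: an unset or empty tenant gives NULL,
-- so the predicate matches no row (fails closed).
CREATE POLICY facility_isolation ON resident
    USING      (facility_id = NULLIF(current_setting('app.facility_id', true), '')::int)
    WITH CHECK (facility_id = NULLIF(current_setting('app.facility_id', true), '')::int);

-- Run the checks as a role RLS applies to: superusers and BYPASSRLS
-- roles skip policies, so a test run as one says nothing about them.
SET ROLE app_user;
DO $$
DECLARE
    n      int;
    bypass boolean;
BEGIN
    SELECT rolsuper OR rolbypassrls INTO bypass
      FROM pg_roles WHERE rolname = current_user;
    ASSERT NOT bypass, 'test role bypasses RLS, result is meaningless';

    SELECT count(*) INTO n FROM resident;
    ASSERT n = 0, 'no facility set: rows must be invisible';

    PERFORM set_config('app.facility_id', '1', true);  -- transaction-local
    SELECT count(*) INTO n FROM resident;
    ASSERT n = 1, 'facility 1 must see exactly its own row';
    SELECT count(*) INTO n FROM resident WHERE facility_id <> 1;
    ASSERT n = 0, 'facility 1 can read another facility''s rows';

    BEGIN  -- a cross-facility write must be rejected by WITH CHECK
        INSERT INTO resident VALUES (3, 2, 'constructed C');
        RAISE EXCEPTION 'cross-facility insert was accepted';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected: SQLSTATE 42501
    END;
END $$;
RESET ROLE;
```

Any failed `ASSERT` aborts the script with an error, which is what lets a CI job block the deployment.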

AI
Every commit is analysed automatically to detect any accidental secret — API keys, passwords, access tokens — even before it reaches the main repository.

Monitoring

Continuous monitoring & incident response

Detect fast, fix fast, and keep you informed. Our response-time commitments are measurable and enforceable.

Critical · CVSS 9-10
24 hours — emergency fix.
High · CVSS 7-8.9
72 hours — priority patch.
Moderate · CVSS 4-6.9
14 days — next sprint.
Low · CVSS 0.1-3.9
30 days — security backlog.

Incidents are classified from P1 (critical) to P4 (minor). For a P1 incident, the client is notified within 4 hours. If a data breach is confirmed, the CNIL is notified within 72 hours in line with the GDPR, and every incident is the subject of a documented post-mortem.

AI
AI code review on every pull request: the AI detects business-logic flaws and weak access controls — often invisible to conventional scanners — before anything reaches production.

Compliance & commitments

Ducal operates within the frameworks required to process health data in France, and commits to each compliance point in the contract.

HDS
Health Data Hosting: certified Scalingo host (osc-fr1).
SecNumCloud
Underlying Outscale infrastructure, SecNumCloud-qualified by ANSSI.
GDPR
Personal-data protection — fully applied, systematic DPA.
PGSSI-S
General health IT security policy — authentication, accountability, traceability.
ANSSI — PSSI guide
Structure and governance of our security policy.
OWASP Top 10
Application security — continuously verified by the pipeline.
Ségur Wave 2 (DUI)
Résident module built Ségur-native for medico-social — within the Wave 2 referencing trajectory.

We never speak of "Ségur certification". Our Résident module is built Ségur-native for the medico-social corridor and is within the Wave 2 referencing trajectory. We state precisely where we stand, because trust is built on accurate facts.

Contractually, every project is covered by a Data Processing Agreement (DPA) as standard. Ducal maintains a records-of-processing register, applies privacy by design from the outset, and delivers the full source code to the client. At end of contract, a certified secure deletion is performed and documented.

Artificial intelligence

What AI does — and never does

AI strengthens our security every day. But its scope is strict, and human oversight is systematic.

What AI does
Static and semantic code analysis on every change
Detection of deep vulnerabilities (business logic, access controls)
Compliance checks on security configurations
Systematic code review on every pull request
What AI never does
No access to production databases
No access to production environments
No user data in AI prompts or contexts
No change deployed without human validation

As a system operating in healthcare, our use of AI falls under the high-risk category within the meaning of the European Artificial Intelligence Regulation (AI Act, EU 2024/1689). That is why human oversight is systematic at every step.

Let's talk about your project

Sovereignty can be verified. Let's verify it together.

A real-world demonstration, answers to your security and compliance requirements, and access to our PSSI within a contractual framework.
