HDS Certification – Requirement 31 Compliance
Health Data Host (HDS) Certified
1. Overview of International Transfers
Status: Huma does not hold SecNumCloud 3.2 certification. However, we maintain hosting infrastructure primarily within the European Economic Area (EEA) and implement strict controls for any limited transfers outside the EEA.
As a health data processor certified under the French Health Data Host (HDS) framework, Huma is required to publicly disclose all arrangements for transferring personal health data (Données de Santé à Caractère Personnel - DSCPs) outside the European Economic Area.
This page provides:
A complete list of sub-processors and their data locations
Details of non-EEA access by third-country legislation
Risks associated with unauthorized access under third-country law
Supplementary safeguards implemented to mitigate those risks
Data subject rights and remedies
2. Legal Framework
HDS Requirements 30 & 31
Under the French Health Data Host (HDS) certification standard (Articles R1111-9 and R1111-15 of the French Code de la Santé Publique), hosts must:
Requirement 31: Publicly disclose all transfers of DSCPs outside the EEA, including the countries involved, the nature of access, and the measures implemented to ensure equivalent protection.
Requirement 30: Inform clients about non-European regulations under which unauthorized access could be imposed, and describe measures and residual risks.
GDPR Chapter V & Schrems II
All transfers are conducted in compliance with GDPR Article 45 (adequacy decisions) and Article 46 (appropriate safeguards), particularly Standard Contractual Clauses (SCCs).
Following the CJEU's Schrems II judgment (C-311/18), we have implemented supplementary technical and organizational safeguards to ensure the level of data protection is not undermined.
CNIL Adequacy List
For a list of countries ensuring an adequate level of data protection under GDPR Article 45, see the CNIL website.
3. Transfer Details & Sub-Processor Information
Huma engages the following sub-processors who may access or process personal health data:
DocuSign (Electronic Signature Service)
Role: Sub-processor
Primary Data Location: Ireland (EU)
Parent Company Country: United States
Data Processing Activity: Prescription approval signatures, clinical document signing
Data Elements: Signer name, email address, signature timestamp, signed prescription PDF (encrypted, may include patient identifiers such as ID or initials). No direct health data is processed – documents are created and encrypted by Huma prior to DocuSign access.
Safeguards:
TLS 1.2+ encryption in transit
AES-256 encryption at rest in DocuSign EU data centres
Standard Contractual Clauses with supplementary safeguards
No onward transfers outside the EEA
Intercom (Customer Communication & Support)
Role: Sub-processor
Primary Data Location: Ireland (EU)
Parent Company Country: United States
Data Processing Activity: In-app messaging, support communications, user feedback
Data Elements: Limited to user contact details, message metadata, interaction logs (cookies, IP addresses), and feedback. No health data or patient message content is transferred – clinical messages remain within Huma's secure environment.
Safeguards:
Primary processing in Ireland (EEA)
Standard Contractual Clauses (2021/914/EU) for any US access
End-to-end encryption where available
Strict access controls and audit trails
Data Processing Agreement with Sub-Processor Addendum
Twilio (Secure Communications Infrastructure)
Role: Sub-processor
Primary Data Locations: Ireland & Germany (EU)
Parent Company Country: United States
Data Processing Activity: Message delivery metadata, contact details, communication routing
Data Elements: Limited to phone numbers, email addresses, and message delivery metadata required for routing. No message content or health data is transferred.
Safeguards:
Primary processing in EU data centres (Ireland, Germany)
Twilio Binding Corporate Rules (BCRs) for intra-group transfers
Standard Contractual Clauses (2021/914/EU) for US access
UK International Data Transfer Addendum (IDTA) for UK data
Supplementary technical and organizational measures
4. Risk Assessment – Requirement 30
As required by HDS Requirement 30, we identify and assess the risks of unauthorized access to DSCPs under third-country legislation:
HIGH LEGISLATIVE RISK
US CLOUD Act & FISA Amendments
Applicable to: DocuSign, Intercom, Twilio (all US parent companies)
Description: The US Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US federal authorities to compel US companies (and foreign subsidiaries under US control) to disclose stored data without a foreign warrant. FISA Amendments Section 702 allows warrantless collection of foreign communications.
Potential Unauthorized Access: US law enforcement, intelligence agencies (NSA, FBI, CIA, DHS) may demand access to personal data for national security purposes without European judicial oversight or data subject notification.
Residual Risk Level: Medium-High – While primary processing occurs in the EU, limited support/routing operations in the US create exposure risk.
MEDIUM LEGISLATIVE RISK
Absence of Adequate Data Protection Framework
Applicable to: All US-based processors
Description: The US does not have a comprehensive federal data protection law equivalent to the GDPR. Data protection is fragmented across sector-specific laws (HIPAA, HITECH, COPPA) with significant gaps.
Potential Unauthorized Access: US companies have broad discretion in data use, monetization, and third-party sharing absent contractual restrictions. Less stringent oversight of data handling practices.
Residual Risk Level: Low-Medium – Mitigated by SCCs, DPAs, and contractual restrictions limiting data use to processing activities only.
LOW LEGISLATIVE RISK
Commercial Data Broker Market
Applicable to: All US processors
Description: The US data broker market allows third parties to purchase personal data from companies, subject to limited restrictions.
Potential Unauthorized Access: Unlikely in healthcare context due to HIPAA restrictions on Huma's processors; however, data outside HIPAA scope (user contact details, IP addresses) could theoretically be sold.
Residual Risk Level: Low – Substantially mitigated by contractual prohibitions on secondary use and data broker sales.
Summary of Non-European Regulations Requiring Access Disclosure
Regulation: CLOUD Act (2018)
Country: USA
Scope: Compelled disclosure by federal authorities
Risk to DSCPs: High – Direct access demand without EU judicial review
Mitigation: SCCs, DPA, UK IDTA; limited US processing; EU data residency
Regulation: FISA § 702
Country: USA
Scope: Warrantless collection for national security
Risk to DSCPs: High – Intelligence agency access without warrant
Mitigation: SCCs, supplementary safeguards, minimal US access
Regulation: Federal Rules of Evidence / Discovery
Country: USA
Scope: Civil litigation disclosure
Risk to DSCPs: Low – Limited to specific disputes; subject to protective orders
Mitigation: Contractual dispute resolution; limited scope
Regulation: Absence of GDPR Equivalent
Country: USA
Scope: Data use and retention discretion
Risk to DSCPs: Medium – Broad corporate discretion in data handling
Mitigation: Contractual DPA; processing limitations; no secondary use
5. Data Protection Safeguards
Huma implements multiple layers of safeguards to ensure the level of data protection guaranteed by GDPR is not undermined, in line with the EDPB's Recommendations 01/2020 (post-Schrems II):
Technical Safeguards
Data Minimization: Only essential personal data is transferred to sub-processors; health data remains within Huma's EEA infrastructure
Encryption in Transit: All transfers use TLS 1.2+ minimum; sensitive documents encrypted end-to-end
Encryption at Rest: AES-256 encryption for data stored in sub-processor systems
Pseudonymization: Where applicable, data is pseudonymized before transfer to limit re-identification risk
Access Controls: Role-based access control (RBAC) and principle of least privilege; audit logging of all data access
Network Segmentation: Health data processing segregated from general platform infrastructure
Data Location Controls: Primary processing geographically restricted to EEA data centres; limited exceptions documented and monitored
Contractual Safeguards
Standard Contractual Clauses (SCCs): All non-EEA transfers governed by European Commission-approved SCCs (Decision 2021/914/EU)
UK International Data Transfer Addendum (IDTA): For UK-originating data, transfers to non-UK/EEA entities governed by the UK IDTA (in addition to SCCs)
Binding Corporate Rules (BCRs): Twilio's BCRs provide EDPB-approved framework for intra-group transfers
Data Processing Agreements (DPAs): All sub-processors bound by DPA incorporating GDPR Article 28 and GDPR Chapter V requirements
Supplementary Measures Addendum: Explicit contractual commitments to implement EDPB Recommendations 01/2020
Limitation on Processing: Contractual prohibition on secondary use, data broker sales, or transfer to third parties without Huma's written consent
Sub-processor Chains: No sub-processor may engage further sub-processors without prior written approval by data controller and Huma
Organizational Safeguards
Data Protection Impact Assessments (DPIAs): Comprehensive DPIA conducted for each transfer arrangement; periodic review and update
Sub-processor Due Diligence: Annual security assessments and SOC 2 Type II audits (or equivalent) of sub-processors
Incident Response Plan: Documented procedures for breach notification, containment, and remediation within 72 hours per GDPR Article 33
Data Subject Rights Processes: Mechanisms to fulfill access, rectification, erasure, and portability requests within legal timeframes
Privacy Training: Annual GDPR and HDS compliance training for all staff handling personal data
Regulatory Cooperation: Commitment to cooperate with CNIL, DPA, and other data protection authorities on investigations and audits
Monitoring & Audit: Quarterly compliance monitoring; annual third-party audit of transfer arrangements
Recourse & Remedies
Legal Recourse in EU: Data subjects may lodge complaints with their national data protection authority (CNIL for France)
Right to Judicial Remedy: Data subjects may pursue judicial remedies in EU/EEA courts against unauthorized access under Article 79 GDPR
Contractual Indemnification: Huma contractually indemnifies customers against fines and damages arising from sub-processor breaches
Escalation Procedure: Data subjects may escalate concerns to Huma's Data Protection Officer (DPO) for investigation and remedy
6. Complete Transfer Matrix (Requirement 31)
The following table provides a comprehensive overview of all data transfer arrangements:
Sub-Processor: DocuSign
Data Processing Activity: Prescription document signature & approval
Data Origin (From): France, Portugal, Czech Republic, Sweden, UK
Primary Location (To): Ireland (EU)
Non-EEA Access: No – data remains in EU
Legal Basis: GDPR Article 46 (SCCs)
Risk Level: Low
Safeguards: TLS 1.2+, AES-256, SCCs, no onward transfer
Sub-Processor: Intercom
Data Processing Activity: In-app messaging, support communications
Data Origin (From): France, Portugal, Czech Republic, Sweden, UK
Primary Location (To): Ireland (EU) / Limited US
Non-EEA Access: Yes – US limited support access
Legal Basis: GDPR Article 46 (SCCs + supplementary measures)
Risk Level: Medium
Safeguards: SCCs, DPA, UK IDTA, access controls, audit logs, minimal US processing
Sub-Processor: Twilio
Data Processing Activity: Message delivery, communication routing
Data Origin (From): France, Portugal, Czech Republic, Sweden, UK
Primary Location (To): Ireland & Germany (EU) / Limited US
Non-EEA Access: Yes – US support & routing access
Legal Basis: GDPR Article 46 (SCCs + BCRs + supplementary measures)
Risk Level: Medium
Safeguards: SCCs, BCRs, UK IDTA, DPA, encryption, strict access controls, audit monitoring
Key Finding: Primary storage and processing of health data (DSCPs) occurs exclusively within the EEA (UK and EU data centres). Limited non-EEA access is restricted to metadata, support operations, and communication routing – never clinical content. All transfers protected by European Commission-approved Standard Contractual Clauses and supplementary technical/organizational safeguards.
7. Data Subject Rights & Remedies
Under GDPR and HDS certification, data subjects (patients) retain full rights regarding their personal health data:
GDPR Data Subject Rights
Right to Access (Article 15): Request a copy of your personal data held by Huma
Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
Right to Restriction (Article 18): Restrict processing of your data pending dispute resolution
Right to Portability (Article 20): Receive your data in a structured, portable format
Right to Object (Article 21): Object to processing for legitimate interests
Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing
How to Exercise Your Rights
To exercise any of the above rights, submit a written request to:
Huma Data Protection Officer (DPO)
Email: dpo@huma.ai
Address: Huma Ltd, 13th Floor, Millbank Tower, 21-24 Millbank, London, SW1P 4QP, United Kingdom.
Response time: 30 calendar days (extendable to 60 days for complex requests)
Right to Lodge a Complaint
If you believe your rights have been violated, you have the right to lodge a complaint with your national data protection authority:
For France:
Commission Nationale de l'Informatique et des Libertés (CNIL)
Phone: +33 1 53 73 22 22
Online complaint form
Right to Judicial Remedy
You may seek judicial remedies in the courts of your country of residence for damages arising from unlawful processing or unauthorized access. Huma provides contractual indemnification for damages resulting from sub-processor breaches.
Right to Be Informed About Data Transfers
This page serves as your notice of international data transfers. Huma commits to:
Maintain transparency about all sub-processor arrangements
Update this disclosure within 30 days of any material change (new processor, change of location, change of safeguards)
Notify data subjects of any data breach involving non-EEA access within 72 hours per GDPR Article 33
Cooperate with data protection authorities on investigations
Important Notice
This disclosure is provided in compliance with HDS Requirement 31 (Article R1111-15 of the French Code de la Santé Publique) and GDPR Chapter V. It reflects Huma's commitment to transparency and data protection in the processing of personal health data.
Assessment of Adequacy: While Huma does not hold SecNumCloud 3.2 certification, we maintain equivalent data protection through:
Primary EEA data residency for all health data
European Commission-approved Standard Contractual Clauses (2021/914/EU)
EDPB Recommendations 01/2020 supplementary safeguards
Comprehensive technical, contractual, and organizational controls
Regular third-party security audits (SOC 2 Type II)
Regulatory Authority: For inquiries regarding this disclosure or Huma's HDS compliance, contact the CNIL or your local data protection authority.
Last Updated: March 20, 2026
Version: 1.0 – HDS Compliance Edition
This page is reviewed and updated quarterly, or upon material change to data transfer arrangements.