HDS Certification – Requirement 31 Compliance
Health Data Host (HDS) Certified
Table of Contents
1. Overview of International Transfers
Status: Huma does not hold SecNumCloud 3.2 certification. However, we maintain hosting infrastructure primarily within the European Economic Area (EEA) and implement strict controls for any limited transfers outside the EEA.
As a health data processor certified under the French Health Data Host (HDS) framework, Huma is required to publicly disclose all arrangements for transferring personal health data (Données de Santé à Caractère Personnel - DSCPs) outside the European Economic Area.
This page provides:
A complete list of sub-processors and their data locations
Details of non-EEA access by third-country legislation
Risks associated with unauthorized access under third-country law
Supplementary safeguards implemented to mitigate those risks
Data subject rights and remedies
2. Legal Framework
HDS Requirement 31 & 30
Under the French Health Data Host (HDS) certification standard, Articles R1111-9 and R1111-15 of the French Code de la Santé Publique, hosts must:
Requirement 31: Publicly disclose all transfers of DSCPs outside the EEA, including the countries involved, the nature of access, and the measures implemented to ensure equivalent protection.
Requirement 30: Inform clients about non-European regulations under which unauthorized access could be imposed, and describe measures and residual risks.
GDPR Chapter V & Schrems II
All transfers are conducted in compliance with GDPR Article 45 (adequacy decisions) and Article 46 (appropriate safeguards), particularly Standard Contractual Clauses (SCCs).
Following the CJEU's Schrems II judgment (C-311/18), we have implemented supplementary technical and organizational safeguards to ensure the level of data protection is not undermined.
CNIL Adequacy List
For a list of countries ensuring an adequate level of data protection under GDPR Article 45, see the CNIL website.
3. Transfer Details & Sub-Processor Information
Huma engages the following sub-processors who may access or process personal health data:
Amazon Web Services (AWS) – Cloud Infrastructure
Role
Sub-processor
Primary Data Location
Ireland & Frankfurt (EU)
Parent Company Country
United States
Data Processing Activity
Cloud hosting, storage, compute, and managed services for Huma platform infrastructure
Data Elements
Personal health data (DSCPs), user identifiers, application data, system logs, and backups as required to deliver the platform. All health data is stored exclusively in EEA regions.
Safeguards
Primary data residency in EEA (eu-west-1 / eu-central-1)
TLS 1.2+ encryption in transit; AES-256 encryption at rest
Standard Contractual Clauses (2021/914/EU) for any US parent access
AWS Data Processing Addendum incorporating GDPR Article 28
RBAC, VPC network isolation, and CloudTrail audit logging
ISO 27001, SOC 2 Type II, and CSA STAR certified infrastructure
No onward transfers outside EEA without prior written approval
DocuSign – Electronic Signature Service
Role
Sub-processor
Primary Data Location
Ireland (EU)
Parent Company Country
United States
Data Processing Activity
Prescription approval signatures, clinical document signing
Data Elements
Signer name, email address, signature timestamp, signed prescription PDF (encrypted, may include patient identifiers such as ID or initials). No direct health data is processed – documents are created and encrypted by Huma prior to DocuSign access.
Safeguards
TLS 1.2+ encryption in transit
AES-256 encryption at rest in DocuSign EU data centres
Standard Contractual Clauses with supplementary safeguards
No onward transfers outside the EEA
Google Cloud Platform (GCP) – Cloud Infrastructure
Role
Sub-processor
Primary Data Location
Belgium & Frankfurt (EU)
Parent Company Country
United States
Data Processing Activity
Cloud hosting, storage, compute, and managed database services for Huma platform components
Data Elements
Personal health data (DSCPs), user identifiers, application data, system logs, and backups as required to deliver the platform. All health data is stored exclusively in EEA regions.
Safeguards
Primary data residency in EEA (europe-west1 / europe-west3)
TLS 1.2+ encryption in transit; AES-256 encryption at rest
Standard Contractual Clauses (2021/914/EU) for any US parent access
Google Cloud Data Processing Addendum incorporating GDPR Article 28
VPC Service Controls, IAM, and Cloud Audit Logs
ISO 27001, SOC 2 Type II, and ISO 27701 certified infrastructure
No onward transfers outside EEA without prior written approval
Intercom - Customer Communication & Support
Role
Sub-processor
Primary Data Location
Ireland (EU)
Parent Company Country
United States
Data Processing Activity
In-app messaging, support communications, user feedback
Data Elements
Limited to user contact details, message metadata, interaction logs (cookies, IP addresses), and feedback. No health data or patient message content is transferred – clinical messages remain within Huma's secure environment.
Safeguards
Primary processing in Ireland (EEA)
Standard Contractual Clauses (2021/914/EU) for any US access
End-to-end encryption where available
Strict access controls and audit trails
Data Processing Agreement with Sub-Processor Addendum
Jira / Atlassian – Project & Issue Tracking
Role
Sub-processor
Primary Data Location
EU (Atlassian Cloud – EU region)
Parent Company Country
Australia / United States
Data Processing Activity
Internal issue tracking, incident management, and development project coordination
Data Elements
Limited to staff identifiers, issue descriptions, and operational metadata used in internal workflows. No patient health data (DSCPs) is intentionally processed within Jira; any incidental inclusion is subject to data minimisation controls.
Safeguards
EU data residency elected via Atlassian Data Residency programme
Standard Contractual Clauses (2021/914/EU) for any non-EEA access
Atlassian Cloud Data Processing Addendum incorporating GDPR Article 28
SSO, MFA, and RBAC enforced; access limited to authorised staff
SOC 2 Type II and ISO 27001 certified infrastructure
Data minimisation policy: staff trained not to log patient identifiers in issue tracking systems
Mixpanel – Product Analytics
Role
Sub-processor
Primary Data Location
United States
Parent Company Country
United States
Data Processing Activity
Product analytics, user behaviour tracking, feature usage analysis
Data Elements
Anonymised or pseudonymised usage event data, device identifiers, IP addresses, and interaction metadata. No clinical health data or patient identifiers are transferred; data is pseudonymised by Huma prior to ingestion.
Safeguards
Data pseudonymisation and anonymisation applied by Huma prior to transfer
Standard Contractual Clauses (2021/914/EU) governing the transfer
Mixpanel Data Processing Agreement incorporating GDPR Article 28
IP anonymisation enabled; data minimisation applied at point of collection
Contractual prohibition on secondary use and data broker sales
Pendo – Product Analytics & In-App Guidance
Role
Sub-processor
Primary Data Location
United States
Parent Company Country
United States
Data Processing Activity
In-app user guidance, onboarding flows, product analytics, and feature adoption tracking
Data Elements
Pseudonymised user identifiers, interaction metadata, session data, and device information. No clinical health data or DSCPs are transferred; identifiers are pseudonymised by Huma prior to transfer.
Safeguards
Data pseudonymisation applied by Huma prior to transfer
Standard Contractual Clauses (2021/914/EU) governing the transfer
Pendo Data Processing Agreement incorporating GDPR Article 28
Contractual restriction on secondary use, data monetisation, and onward transfer
Twilio (Secure Communications Infrastructure)
Role
Sub-processor
Primary Data Location
Ireland & Germany (EU)
Parent Company Country
United States
Data Processing Activity
Message delivery metadata, contact details, communication routing
Data Elements
Limited to phone numbers, email addresses, and message delivery metadata required for routing. No message content or health data is transferred.
Safeguards
Primary processing in EU data centres (Ireland, Germany)
Twilio Binding Corporate Rules (BCRs) for intra-group transfers
Standard Contractual Clauses (2021/914/EU) for US access
UK International Data Transfer Addendum (IDTA) for UK data
Supplementary technical and organizational measures
4. Risk Assessment – Requirement 30
As required by HDS Requirement 30, we identify and assess the risks of unauthorized access to DSCPs under third-country legislation:
HIGH LEGISLATIVE RISK
US CLOUD Act & FISA Amendments
Applicable to: DocuSign, Intercom, Twilio (all US parent companies)
Description: The US Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US federal authorities to compel US companies (and foreign subsidiaries under US control) to disclose stored data without a foreign warrant. FISA Amendments Section 702 allows warrantless collection of foreign communications.
Potential Unauthorized Access: US law enforcement, intelligence agencies (NSA, FBI, CIA, DHS) may demand access to personal data for national security purposes without European judicial oversight or data subject notification.
Residual Risk Level: Medium-High – While primary processing occurs in the EU, limited support/routing operations in the US create exposure risk.
MEDIUM LEGISLATIVE RISK
Absence of Adequate Data Protection Framework
Applicable to: All US-based processors
Description: The US does not have a comprehensive federal data protection law equivalent to the GDPR. Data protection is fragmented across sector-specific laws (HIPAA, HITECH, COPPA) with significant gaps.
Potential Unauthorized Access: US companies have broad discretion in data use, monetization, and third-party sharing absent contractual restrictions. Less stringent oversight of data handling practices.
Residual Risk Level: Low-Medium – Mitigated by SCCs, DPAs, and contractual restrictions limiting data use to processing activities only.
LOW LEGISLATIVE RISK
Commercial Data Broker Market
Applicable to: All US processors
Description: The US data broker market allows third parties to purchase personal data from companies, subject to limited restrictions.
Potential Unauthorized Access: Unlikely in healthcare context due to HIPAA restrictions on Huma's processors; however, data outside HIPAA scope (user contact details, IP addresses) could theoretically be sold.
Residual Risk Level: Low – Substantially mitigated by contractual prohibitions on secondary use and data broker sales.
MEDIUM LEGISLATIVE RISK
Australian Assistance and Access Act 2018
Applicable to: Jira / Atlassian (Australian parent company)
Description: Australia's Assistance and Access Act 2018 (the "AA Act") allows Australian government agencies to compel technology companies to provide access to encrypted communications and stored data. Atlassian, as an Australian-headquartered company, is subject to this legislation regardless of where data is stored.
Potential Unauthorised Access: Australian intelligence and law enforcement agencies may issue Technical Assistance Notices (TANs) or Technical Capability Notices (TCNs) compelling Atlassian to provide access to data or build access capabilities, without equivalent European judicial oversight.
Residual Risk Level: Low–Medium — Mitigated by EU data residency, SCCs, DPA, and the fact that no patient health data is intentionally processed within Jira. Limited to operational and staff metadata only.
HIGH LEGISLATIVE RISK
US CLOUD Act & FISA Amendments (Analytics Processors)
Applicable to: Mixpanel, Pendo (US parent companies)
Description: As with DocuSign, Intercom, and Twilio, both Mixpanel and Pendo are US-incorporated entities subject to the CLOUD Act and FISA Section 702. US federal authorities may compel disclosure of stored data without a foreign warrant or data subject notification.
Potential Unauthorised Access: US law enforcement and intelligence agencies may demand access to data held by Mixpanel and Pendo, including pseudonymised identifiers and usage analytics.
Residual Risk Level: Medium — Substantially mitigated by pseudonymisation and anonymisation applied by Huma prior to transfer, meaning data accessible to these processors cannot readily be re-identified without Huma's internal identifiers. No clinical content is transferred.
Summary of Non-European Regulations Requiring Access Disclosure
Regulation
Country
Scope
Risk to DSCPs
Mitigation
CLOUD Act (2018)
USA
Compelled disclosure by federal authorities
High – Direct access demand without EU judicial review
SCCs, DPA, UK IDTA; limited US processing; EU data residency
FISA § 702
USA
Warrantless collection for national security
High – Intelligence agency access without warrant
SCCs, supplementary safeguards, minimal US access
Federal Rules of Evidence / Discovery
USA
Civil litigation disclosure
Low – Limited to specific disputes; subject to protective orders
Contractual dispute resolution; limited scope
Absence of GDPR Equivalent
USA
Data use and retention discretion
Medium – Broad corporate discretion in data handling
Contractual DPA; processing limitations; no secondary use
5. Data Protection Safeguards
Huma implements multiple layers of safeguards to ensure the level of data protection guaranteed by GDPR is not undermined, in line with the EDPB's Recommendations 01/2020 (post-Schrems II):
Technical Safeguards
Data Minimization: Only essential personal data is transferred to sub-processors; health data remains within Huma's EEA infrastructure
Encryption in Transit: All transfers use TLS 1.2+ minimum; sensitive documents encrypted end-to-end
Encryption at Rest: AES-256 encryption for data stored in sub-processor systems
Pseudonymization: Where applicable, data is pseudonymized before transfer to limit re-identification risk
Access Controls: Role-based access control (RBAC) and principle of least privilege; audit logging of all data access
Network Segmentation: Health data processing segregated from general platform infrastructure
Data Location Controls: Primary processing geographically restricted to EEA data centres; limited exceptions documented and monitored
Contractual Safeguards
Standard Contractual Clauses (SCCs): All non-EEA transfers governed by European Commission-approved SCCs (Decision 2021/914/EU)
UK International Data Transfer Addendum (IDTA): For UK-originating data, transfers to non-UK/EEA entities governed by the UK IDTA (in addition to SCCs)
Binding Corporate Rules (BCRs): Twilio's BCRs provide EDPB-approved framework for intra-group transfers
Data Processing Agreements (DPAs): All sub-processors bound by DPA incorporating GDPR Article 28 and GDPR Chapter V requirements
Supplementary Measures Addendum: Explicit contractual commitments to implement EDPB Recommendations 01/2020
Limitation on Processing: Contractual prohibition on secondary use, data broker sales, or transfer to third parties without Huma's written consent
Sub-processor Chains: No sub-processor may engage further sub-processors without prior written approval by data controller and Huma
Organizational Safeguards
Data Protection Impact Assessments (DPIAs): Comprehensive DPIA conducted for each transfer arrangement; periodic review and update
Sub-processor Due Diligence: Annual security assessments and SOC 2 Type II audits (or equivalent) of sub-processors
Incident Response Plan: Documented procedures for breach notification, containment, and remediation within 72 hours per GDPR Article 33
Data Subject Rights Processes: Mechanisms to fulfill access, rectification, erasure, and portability requests within legal timeframes
Privacy Training: Annual GDPR and HDS compliance training for all staff handling personal data
Regulatory Cooperation: Commitment to cooperate with CNIL, DPA, and other data protection authorities on investigations and audits
Monitoring & Audit: Quarterly compliance monitoring; annual third-party audit of transfer arrangements
Recourse & Remedies
Legal Recourse in EU: Data subjects may lodge complaints with their national data protection authority (CNIL for France)
Right to Judicial Remedy: Data subjects may pursue judicial remedies in EU/EEA courts against unauthorized access under Article 79 GDPR
Contractual Indemnification: Huma contractually indemnifies customers against fines and damages arising from sub-processor breaches
Escalation Procedure: Data subjects may escalate concerns to Huma's Data Protection Officer (DPO) for investigation and remedy
6. Complete Transfer Matrix (Requirement 31)
The following table provides a comprehensive overview of all data transfer arrangements:
Sub-Processor
Data Processing Activity
Data Origin (From)
Primary Location (To)
Non-EEA Access
Legal Basis
Risk Level
Safeguards
AWS
Cloud infrastructure, storage, compute
France, Portugal, Czech Republic, Sweden, UK
Ireland & Frankfurt (EU)
No – health data remains in EEA
GDPR Article 46 (SCCs)
Low
TLS 1.2+, AES-256, SCCs, VPC isolation, CloudTrail, SOC 2 Type II
DocuSign
Prescription document signature & approval
France, Portugal, Czech Republic, Sweden, UK
Ireland (EU)
No – data remains in EU
GDPR Article 46 (SCCs)
Low
TLS 1.2+, AES-256, SCCs, no onward transfer
GCP
Cloud infrastructure, storage, managed databases
France, Portugal, Czech Republic, Sweden, UK
Belgium & Frankfurt (EU)
No – health data remains in EEA
GDPR Article 46 (SCCs)
Low
TLS 1.2+, AES-256, SCCs, VPC Service Controls, IAM, SOC 2 Type II
Intercom
In-app messaging, support communications
France, Portugal, Czech Republic, Sweden, UK
Ireland (EU) / Limited US
Yes – US limited support access
GDPR Article 46 (SCCs + supplementary measures)
Medium
SCCs, DPA, UK IDTA, access controls, audit logs
Jira (Atlassian)
Issue tracking, incident management
France, Portugal, Czech Republic, Sweden, UK
EU (Atlassian Cloud) / Limited non-EEA
Yes – limited non-EEA access possible
GDPR Article 46 (SCCs)
Low–Medium
SCCs, DPA, EU data residency, SSO/MFA/RBAC, data minimisation policy
Mixpanel
Product analytics, usage tracking
France, Portugal, Czech Republic, Sweden, UK
United States
Yes – primary processing in US
GDPR Article 46 (SCCs + supplementary measures)
Medium
SCCs, DPA, pseudonymisation prior to transfer, no secondary use
Pendo
In-app guidance, product analytics
France, Portugal, Czech Republic, Sweden, UK
United States
Yes – primary processing in US
GDPR Article 46 (SCCs + supplementary measures)
Medium
SCCs, DPA, pseudonymisation prior to transfer, contractual restrictions
Twilio
Message delivery, communication routing
France, Portugal, Czech Republic, Sweden, UK
Ireland & Germany (EU) / Limited US
Yes – US support & routing access
GDPR Article 46 (SCCs + BCRs + supplementary measures)
Medium
SCCs, BCRs, UK IDTA, DPA, encryption, strict access controls
Key Finding: Primary storage and processing of health data (DSCPs) occurs exclusively within the EEA (UK and EU data centres). Limited non-EEA access is restricted to metadata, support operations, and communication routing – never clinical content. All transfers protected by European Commission-approved Standard Contractual Clauses and supplementary technical/organizational safeguards.
7. Data Subject Rights & Remedies
Under GDPR and HDS certification, data subjects (patients) retain full rights regarding their personal health data:
GDPR Data Subject Rights
Right to Access (Article 15): Request a copy of your personal data held by Huma
Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
Right to Restriction (Article 18): Restrict processing of your data pending dispute resolution
Right to Portability (Article 20): Receive your data in a structured, portable format
Right to Object (Article 21): Object to processing for legitimate interests
Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing
How to Exercise Your Rights
To exercise any of the above rights, submit a written request to:
Huma Data Protection Officer (DPO)
Email: dpo@huma.ai
Address: Huma Ltd , 13th Floor, Millbank Tower, 21-24 Millbank, London, SW1P 4QP, United Kingdom.
Response time: 30 calendar days (extendable to 60 days for complex requests)
Right to Lodge a Complaint
If you believe your rights have been violated, you have the right to lodge a complaint with your national data protection authority:
For France:
Commission Nationale de l'Informatique et des Libertés (CNIL)
Phone: +33 1 53 73 22 22
Online complaint form
Right to Judicial Remedy
You may seek judicial remedies in the courts of your country of residence for damages arising from unlawful processing or unauthorized access. Huma provides contractual indemnification for damages resulting from sub-processor breaches.
Right to Be Informed About Data Transfers
This page serves as your notice of international data transfers. Huma commits to:
Maintain transparency about all sub-processor arrangements
Update this disclosure within 30 days of any material change (new processor, change of location, change of safeguards)
Notify data subjects of any data breach involving non-EEA access within 72 hours per GDPR Article 33
Cooperate with data protection authorities on investigations
Important Notice
This disclosure is provided in compliance with HDS Requirement 31 (Article R1111-15 of the French Code de la Santé Publique) and GDPR Chapter V. It reflects Huma's commitment to transparency and data protection in the processing of personal health data.
Assessment of Adequacy: While Huma does not hold SecNumCloud 3.2 certification, we maintain equivalent data protection through:
Primary EEA data residency for all health data
European Commission-approved Standard Contractual Clauses (2021/914/EU)
EDPB Recommendations 01/2020 supplementary safeguards
Comprehensive technical, contractual, and organizational controls
Regular third-party security audits (SOC 2 Type II)
Regulatory Authority: For inquiries regarding this disclosure or Huma's HDS compliance, contact the CNIL or your local data protection authority.
Last Updated: March 20, 2026
Version: 1.0 – HDS Compliance Edition
This page is reviewed and updated quarterly, or upon material change to data transfer arrangements.