How Medicapp Pro protects your patients' health data. Certified HADS infrastructure, GDPR compliance, full audit trail.
Medicapp Pro relies on OSPI's infrastructure, a certified health data hosting provider. Medicapp does not operate its own data centers.
OSPI is a certified Health Data Hosting provider (HADS), accredited by the French Ministry of Health. This certification ensures that the physical, network and software infrastructure meets French and European regulatory requirements for processing personal health data.
Data is hosted exclusively in France, in data centers compliant with ISO 27001 standards. There is no data transfer outside the European Union.
Authentication is managed by Medicapp through a multi-factor authentication (MFA) mechanism deployed on OSPI's infrastructure. Access rights management between practitioners is fully delegated to the client via Trust Spaces, with read or write permissions revocable at any time. All actions are subject to a full audit trail accessible directly from the front-end applications.
The relationship between Medicapp Connect SAS and OSPI is governed by a data processing agreement (DPA) compliant with Article 28 of the GDPR. This agreement is available on request.
OSPI's certifications are available upon request. If you are a DPO, compliance officer or CIO, we will provide the attestations on simple request at contact@medicappconnect.com.
The certifications below are those of our hosting provider OSPI. They are available upon request.
HADS. Certified Health Data Hosting Provider. Accreditation issued by the French Ministry of Health, valid for France and the EU. Covers hosting, backup and archival of personal health data.
ISO 27001. Information security management system. Covers risk management, access controls, physical and logical security, incident management.
ISO 27004. Measurement of information security management effectiveness. Ensures continuous monitoring and improvement of security controls.
ISO 9001. Quality management. Ensures that hosting and support processes meet documented and audited quality standards.
Authentication and access management are handled by Medicapp Connect SAS, deployed on OSPI's secure infrastructure.
Access to Medicapp Pro is protected by multi-factor authentication. This security layer is managed by Medicapp and deployed on OSPI's infrastructure.
All actions on health data are recorded in a full audit trail. The history of accesses, consultations and modifications is accessible directly from the front-end applications (web and iOS) by the healthcare professional.
Healthcare professionals manage access rights for other practitioners to their data via Trust Spaces. They assign read or write permissions and can revoke them at any time. Medicapp does not intervene in this management — the client is fully autonomous.
Data remains accessible offline on authenticated devices. Locally stored data remains encrypted. Synchronisation occurs automatically when the network returns.
Medicapp Connect SAS acts as a data processor within the meaning of Article 28 of the GDPR. The healthcare professional or organisation remains the data controller.
Processing is based on patient consent (data collection via protocols) and the legal obligation to maintain medical records.
The rights of access, rectification, portability and erasure are implemented in the platform. The practitioner can export or delete a patient record at any time.
The Data Protection Officer of Medicapp Connect SAS can be reached at contact@medicappconnect.com.
In the event of a personal data breach, Medicapp commits to notifying the data controller within a timeframe compatible with the controller's 72-hour obligation to notify the supervisory authority (CNIL).
The record of processing activities is maintained in accordance with Article 30 of the GDPR. Available on request.
Health data is hosted and processed exclusively in France. No sub-processor operates outside the European Union.
Data is retained as long as the professional account is active. After termination, data remains accessible in read-only mode for 30 days, then is archived in accordance with legal medical record retention obligations (20 years in France).
The practitioner can export all their data at any time (structured format). Permanent deletion is executed on request, subject to legal retention obligations.
Backups are performed daily by OSPI's infrastructure. They are encrypted, geo-replicated within French territory, and tested regularly.
OSPI's infrastructure has a documented BCP covering hardware, network and software failure scenarios, with redundancy of critical components.
In the event of a major incident, the DRP provides for service recovery. RPO (maximum tolerable data loss) and RTO (target recovery time) are documented and available on request.
In the event of cloud service unavailability, the native iOS app retains a local copy of the data. The practitioner continues working. Synchronisation resumes automatically.
Medicapp implements HL7 profiles for structuring patient data, clinical documents (HL7 CDA, published as ISO/HL7 27932) and medical questionnaires. This ensures interoperability with hospital and community health information systems.
Patient data can be exported in structured and standardised formats, compatible with hospital systems and practice management software.
Evaluating Medicapp Pro for your organisation? Here are the documents we can provide.
Certifications. HADS, ISO 27001, ISO 27004, ISO 9001. Originals or certified copies.
Data processing agreement (DPA). Compliant with Article 28 of the GDPR. Covers obligations, purposes, security measures.
Technical and organisational measures. Encryption, access control, incident management.
BCP/DRP. Business continuity and disaster recovery plans, RPO/RTO targets, test procedures.
Record of processing activities. Article 30 of the GDPR. Purposes, data categories, retention periods, sub-processors.
Have your own compliance questionnaire? Send it to us, we will complete it.
Contact us to receive certifications, the DPA, or to schedule a call with our security team.