Health Data Host (HDS) for Oracle Cloud Infrastructure

Table of remote access and data transfers

The scope of Oracle Cloud Infrastructure Services that may support the French health data hosting services under the Health Data Hosting (HDS) framework published by French ASIP Santé HDS Certification - Certification framework requirements and controls dated June 11, 2018 and updated on April 26, 2024.

The HDS Certification of Oracle Cloud Infrastructure Services is a regulatory requirement for hosting and/or processing of health data for French customers. The specifications for certification are based on:

ISO/IEC 27001:2022; and
other specifications for hosting of French customers’ health data like Public Health Code - Article R.1111-11

1. The following table provides the details of hosting and processing activities delivered by Oracle Cloud Infrastructure Services for French customers:

Business name of the actor	Role in the hosting service (Host/processor of the Host)	HDS certified (yes / no / exempted)	SecNumCloud 3.2 qualified	Hosting activities in which the player is involved	Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework)	Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework)
Oracle Cloud Infrastructure	Host Processor	Yes No Exempted	Yes, no risk of unauthorized access to data covered by HDS framework Requirement No 30 No	Activities 1 to 4 from Article R. 1111-9 of CSP (Code de la santé publique (Public health code))	Yes No, no access to data from a country outside the European Economic Area If yes, specify the country concerned: Remote access only for troubleshooting and maintenance may be provided by Oracle Cloud Infrastructure Services employees in certain non-EEA countries, the US and India depending on customer instructions. These customer instructions might have personal health data stored by them in OCI. OCI does not have direct access to personal health data which the Customers bring into OCI for storage. Refer to “Customer Data” section of Privacy Features of OCI (PDF) for more details. • covered by an adequacy decision within the meaning of Article 45 of the GDPR: United States of America. Oracle is registered under Data Privacy Frameworks (PDF) • not covered by an adequacy decision within the meaning of Article 45 of the GDPR: India Oracle ensures transfer safeguards are in place, such as Binding Corporate Rules for Processors and EU Standard Contractual Clauses (PDF). Data Processing Agreement (PDF) Data Transfer and additional jurisdiction specific terms Annex (PDF)	Yes No If yes, specify the country concerned:

2. The following subprocessors may be used for processing health data of French customers:

Business name of the actor	Role in the hosting service (Host/processor of the Host)	HDS certified (yes / no / exempted)	SecNumCloud 3.2 qualified	Hosting activities in which the player is involved	Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework)	Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework)
Twilio	Host Processor	Yes No Exempted	Yes, no risk of unauthorized access to data covered by HDS framework Requirement No 30 No	Activities 4 from Article R. 1111-9 of CSP (Code de la santé publique (Public health code)) SMS notifications for the Oracle Cloud Infrastructure Notifications Service. Optional customer initiated SMS notifications to IDCS (Identity Cloud Service) end-users for multifactor authentication passcodes.	Yes No, no access to data from a country outside the European Economic Area If yes, specify the country concerned: • covered by an adequacy decision within the meaning of Article 45 of the GDPR: United States of America. Twilio Inc. is registered under Data Privacy Framework Twilio Data Protection Addendum • not covered by an adequacy decision within the meaning of Article 45 of the GDPR: N/A	Yes No If yes, specify the country concerned:
xAI	Host Processor	Yes No Exempted	Yes, no risk of unauthorized access to data covered by HDS framework Requirement No 30 No	Activities 4 from Article R. 1111-9 of CSP (Code de la santé publique (Public health code)) Hosts the xAI Grok models which OCI Generative AI Service Customers can choose to call into.	Yes No, no access to data from a country outside the European Economic Area If yes, specify the country concerned: • covered by an adequacy decision within the meaning of Article 45 of the GDPR: United States of America. xAI Data Processing Addendum xAI Privacy Policy xAI’s Europe Privacy Policy Addendum Oracle Artificial Intelligence Terms (PDF) • not covered by an adequacy decision within the meaning of Article 45 of the GDPR: N/A	Yes No If yes, specify the country concerned:
Google	Host Processor	Yes No Exempted	Yes, no risk of unauthorized access to data covered by HDS framework Requirement No 30 No	Activities 4 from Article R. 1111-9 of CSP (Code de la santé publique (Public health code)) Hosts the Google Gemini models which OCI Generative AI Service Customers can choose to call into.	Yes No, no access to data from a country outside the European Economic Area If yes, specify the country concerned: • covered by an adequacy decision within the meaning of Article 45 of the GDPR: United States of America. Google is registered under Data Privacy Framework Generative AI in Google Workspace Privacy Hub Oracle Artificial Intelligence Terms (PDF) • not covered by an adequacy decision within the meaning of Article 45 of the GDPR: N/A	Yes No If yes, specify the country concerned: