Trust Center

Your data security is our priority

ANA Healthcare builds its products and manages its operations with security as the foundation. Discover our commitments, certifications, and practices.

End-to-end encrypted
GDPR compliant
Audit-ready
Designed for France

Certifications & Compliance

Our roadmap to the highest security standards for health data.

In Progress

ISO 27001:2022

Information Security Management System — international standard for managing security risks.

Target: November 2026

In Progress

HDS v2

French certification required for hosting personal health data. Activities 1-6.

Target: November 2026

Compliant

GDPR

General Data Protection Regulation. External DPO: Dipeeo.

Deployment Models

ANA Cohort adapts to your infrastructure and regulatory requirements. Two deployment modes are available.

Available

Mode A — On-Premise

ANA Cohort is deployed on your institution's infrastructure. You retain full control of your data — nothing leaves your network. ANA Healthcare provides the software, updates, and technical support through the remote access you define.

  • Data hosted on your infrastructure
  • Full control by the institution
  • Technical support via secured remote access
  • Ideal for institutions with their own IT department

Coming soon

Mode B — Hosted Cloud

ANA Healthcare hosts ANA Cohort on HDS-certified cloud infrastructure in France (AWS eu-west-3, Paris). The entire environment is managed by ANA: deployment, updates, backups, and monitoring.

  • HDS-certified hosting in France (AWS Paris)
  • Encryption at rest with dedicated keys
  • Automated backups and disaster recovery
  • No infrastructure to manage on the client side

Our security program

Concrete measures built into our daily operations — not checkboxes.

Access Control

Multi-factor authentication enforced on all accounts. Quarterly access reviews. Least privilege principle applied systematically.

Encryption

Infrastructure designed for encryption at rest (AES-256) with keys managed by ANA Healthcare. All communications in transit protected by TLS 1.2+.

Vulnerability Management

Continuous code and dependency scanning. SLA-based remediation: 48h for critical. Every code change automatically scanned before production.

Incident Response

Structured process with playbooks, post-incident analysis, and continuous improvement. Real-time alerts via EDR on all endpoints.

Vendor Management

Security assessment of all subprocessors. Registry maintained with DPA tracking. Full list available on request.

Security Awareness

Continuous training for all employees. Monthly phishing simulations. Threat monitoring (CERT-FR, ANSSI, ENISA).

Secure Development

Automated review on every merge request: SAST, SCA, secrets detection, IaC scanning. High and critical vulnerabilities block deployment.

Business Continuity

Encrypted backups, documented recovery plan, Git mirror for source code recovery. Regular restore testing.

Health data sovereignty

Our infrastructure is designed for sovereign health data hosting in France.

🇫🇷 Paris

Hosted in France

Our platform is deployed exclusively in France (AWS eu-west-3, Paris) with an HDS-certified provider.

Compliant

No extra-EU transfers

Our architecture is designed so that no health data transits outside the European Economic Area.

On request

Subprocessors

Full subprocessor list available on request or as part of the contractual framework (DPA). Only AWS is designated for health data hosting.

Security Report

Request our real-time security report, based on continuous monitoring of our code and infrastructure by Aikido Security.



Security contact

For any questions regarding data security, compliance, or to report a vulnerability, contact us directly or use the form.

Address
ANA Healthcare
1 Boulevard Montplaisir
13011 Marseille, France