Security and resilience
At Scaleway, there is no compromise when it comes to your data
The security of our customers' data, in addition to being our core business, is our daily priority. That is why Scaleway has implemented an information security management approach and implements best security practices, continuously reinforced with a continuous improvement process. Obtaining industry-standard labels and certifications, which are a guarantee of quality and trust for our customers, is the result of these efforts to provide our clients with ever-higher protection.
Compliance and certifications
ISO/IEC 27001:2022
The ISO/IEC 27001:2022 standard is the reference standard for Information Security Management Systems (ISMS). It defines the requirements that an ISMS must meet.
The ISO/IEC 27001:2022 standard provides companies of all sizes and industries with guidance on establishing, implementing, maintaining and continually improving an information security management system.
Compliance with the ISO/IEC 27001:2022 standard means that an organization or company has implemented a system to manage the risks associated with the security of data held or processed by the company, and that this system adheres to all best practices and principles established in this international standard.
HDS
Scaleway is certified "Hébergeur de Données de Santé" (Health Data Host) since July 2024. Managed by the French National Agency for Digital Health (ANS), under the supervision of the Ministry of Health, the HDS certification framework is one of the most demanding that digital service providers must comply with in order to host and manage health data in France. Scaleway's certification confirms the implementation of rigorous technical and organizational measures to protect health data; compliance with legal and regulatory requirements; and submission to regular audits to ensure a high level of security for health data.
SecNumCloud
Scaleway announced its entry into the SecNumCloud qualification process in January 2025.
SecNumCloud is a French qualification that certifies that cloud solutions meet the highest standards of security and compliance, particularly for sensitive data. It guarantees that customer companies benefit from a secure cloud infrastructure that complies with French and European legal and regulatory requirements.
Once obtained, the final qualification will attest that the "Scaleway Cloud" offering meets the requirements set by the General Secretariat for Defense and National Security (SGDSN) and the National Agency for the Security of Information Systems (ANSSI), thereby meeting the standards of the highest levels of the French administration.
GDPR
Scaleway attaches great importance to the protection of its customers' data and respect for their privacy. As such, Scaleway, as a European cloud provider, undertakes to comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) and to protect its customers' data, notably through the implementation of contractual, technical, and organizational measures, in order to best meet their needs.
HDS Table of Guarantees
HDS offers are part of a specific commercial process. It is strictly forbidden to host healthcare data without going through the dedicated process. If you want to know more about the terms and conditions of subscription, please contact us directly at contact@scaleway.com.
As part of our HDS offers, there is no transfer of personal health data to a country outside the European Economic Area unless prior instruction has been given by the data controller. Furthermore, no transfer of personal health data is made outside of France, as our HDS offers are limited to hosting in our Data Centers located in France.
| Scaleway SAS | Opcore SAS | |
|---|---|---|
| Business name of the actor | Scaleway SAS | Opcore SAS |
| Role in the hosting service (Host/processor) | Host | Processor |
| HDS certified (yes/no/exempted) | Yes | Yes |
| SecNumCloud 3.2 qualified | No | No |
| Hosting activities in which the player is involved |
Activities #1 and #2 (Dedibox & Elastic Metal) Activities #1, #2, #3, #4 (Object Storage) Activities #1, #2 and #3 (Virtual Private Cloud) | Activity #1 |
| Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework) |
No, no access to data from a country outside the European Economic Area If yes, specify the country concerned: - covered by an adequacy decision within the meaning of Article 45 of the GDPR : N/A - not covered by an adequacy decision within the meaning of Article 45 of the GDPR : N/A |
No, no access to data from a country outside the European Economic Area If yes, specify the country concerned: - covered by an adequacy decision within the meaning of Article 45 of the GDPR : N/A - not covered by an adequacy decision within the meaning of Article 45 of the GDPR : N/A |
| Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework) |
No If yes, specify the country concerned: N/A |
No If yes, specify the country concerned: N/A |
Operational Security and Incident Response
The CSIRT (Computer Security Incident Response Team) Scaleway is the operational team in charge of responding to computer security incidents and preventing cyber security risks. Its main role is to ensure effective, coordinated management of security incidents, minimizing the impact on the organization's systems, data and operations..