Eighty hospitals. OVH Canada. HDS recertification.
A French e-health platform forced off OVH after the September 2025 Canadian ruling, with five months to migrate and pass the March 2026 HDS recertification audit. Honest about not being HDS-certified ourselves, derogation route in the platform's CNIL filing, Luxembourg jurisdiction.
Two weeks after OVH Canada.
A telemedicine platform with 80 hospital systems and several thousand private clinics, contacting us after the September ruling reframed their HDS exposure analysis.
The customer is a French e-health platform headquartered in Lyon, providing telemedicine and electronic prescription infrastructure to roughly 80 hospital systems and several thousand private clinics across France. Email volume runs at about 1.8 million sends a month, almost entirely transactional: appointment confirmations to patients, prescription dispatch notifications to pharmacies, clinical handover messages between practitioners, and DMP (Dossier Médical Partagé) update notifications. The platform operates under HDS certification (Hébergeur de Données de Santé), the French health-data hosting regime that applies to any infrastructure handling patient health information on French territory. We were engaged in October 2025, two weeks after the OVH Canada ruling.
The trigger was the September 2025 OVH ruling. The platform had been operating its email infrastructure on OVH's Roubaix and Strasbourg facilities for six years, with HDS certification granted on the basis that data processing remained under French law and within French territory. The ruling reframed the analysis. OVH's Canadian subsidiary, although operationally separate, made the parent group reachable through Canadian process under the same logic that had applied to US providers under the CLOUD Act. The platform's general counsel reviewed the ruling on 28 September 2025 and the legal opinion was delivered to the executive team within seven days. The opinion concluded that continued use of OVH for HDS-scope workloads created a structural exposure to non-French legal process that was incompatible with the requirements of Article L1111-8 of the French public health code. The decision to migrate was made on 3 October 2025. The deadline was the platform's HDS certification renewal in March 2026.
HDS is not GDPR.
HDS overlaps with GDPR but adds requirements. We are not HDS-certified. We were honest about that on the first call. The platform's general counsel found a derogation route that worked.
HDS certification is not equivalent to GDPR. It overlaps with GDPR but adds requirements that GDPR alone does not impose. The hosting provider must be HDS-certified directly. Sub-processors that touch HDS-scope data must also be HDS-certified or operate under a written derogation from the platform's CNIL filing. Data must remain on French territory unless the platform has explicitly notified CNIL of cross-border processing under Article L1111-8 and obtained the corresponding amendment to its CNIL declaration. Encryption-at-rest is mandatory with key custody under the platform's control rather than the hosting provider's. Audit logs covering admin access to HDS-scope systems must be retained for ten years. The platform's previous configuration on OVH met these requirements through OVH's HDS-certified offering, which is one of the larger HDS-certified hosting environments in France. Migrating off OVH meant either finding another HDS-certified provider with comparable scale or accepting that some HDS-scope workloads might need to remain on a different architecture from the rest.
We were honest with the platform during the first call. Big Box Hosting is not HDS-certified. Our infrastructure meets or exceeds HDS technical requirements (encryption-at-rest with customer-controlled keys, EU-only sub-processors, ten-year audit log retention on append-only storage, French law applicability through our local registered representative arrangement), but we have not pursued formal HDS certification. The reasoning is documented on our trust page and parallels our position on ISO 27001 and SOC 2: the certification is expensive, time-consuming, and oriented to organisational scale we do not have. The platform's general counsel reviewed our position over three calls and concluded that the email-only workload (transactional notifications, no clinical content beyond appointment metadata, no diagnostic information, no DMP record content) could be handled under a derogation route in the platform's CNIL filing rather than requiring our infrastructure to be formally HDS-certified. The clinical-content workloads remained on a separate platform that did hold HDS certification, with our infrastructure handling only the notification layer.
Five months. Luxembourg jurisdiction.
Month 1: jurisdiction selection (Luxembourg, only PoP that fit). Month 2: provisioning + CNIL amendment in parallel. Month 3: 30-day parallel sending. Month 4: cutover. Month 5: HDS audit.
The engagement ran from 15 October 2025 to 28 February 2026, with the HDS recertification audit scheduled for the week of 9 March 2026. The five-month timeline was tighter than the German media engagement but looser than the UK fintech case, because the regulatory deadline (HDS recertification) was real but the technical migration was simpler — the platform's email infrastructure was a relatively conventional Postfix-with-bounce-handler setup, with none of the in-house custom queue manager complexity that had slowed the German case.
Months 1-2: jurisdiction selection and provisioning. The first month was jurisdiction selection. Of our five PoPs, only Luxembourg made sense for this engagement. Slovenia is HQ but does not have the French regulatory familiarity the platform's general counsel wanted in case of a CNIL inquiry. Switzerland is outside the EU, which adds complexity to the data-flow analysis under HDS even with the adequacy decision. Iceland adds latency that the platform's transactional volume cannot absorb. Sweden is geographically far enough from France that the latency to mailbox providers serving French recipients adds 40-60ms compared to Luxembourg or Frankfurt. Luxembourg sat at the right distance. The platform's CNIL filing was amended to declare cross-border processing into Luxembourg with the Article L1111-8 derogation, citing the EU-internal nature of the transfer and the absence of any non-EU corporate counterparty in the data flow. Provisioning of the dedicated PowerMTA cluster in Luxembourg ran in parallel with the CNIL amendment process during November 2025. The cluster was operational by 5 December 2025.
Month 3: parallel sending and validation. Month three was parallel sending. We ran a 30-day parallel period from 8 December 2025 to 7 January 2026, with traffic split 90/10 between OVH and our Luxembourg cluster initially, ramping to 50/50 by the end of week two. The split was not random; we sent specific notification categories through the new path (appointment reminders, prescription dispatch confirmations) and held back others (clinical handover messages, DMP update notifications) until we had three weeks of comparative deliverability data. The data was favourable. Inbox placement at La Poste mail (the largest French ISP for older patient demographics) moved from 76 percent to 89 percent. Free.fr placement moved from 81 percent to 92 percent. Orange (Wanadoo) placement was already strong at 94 percent and barely moved. Cutover happened in two stages: appointment-related traffic on 22 January 2026, prescription-related traffic on 5 February 2026. The platform retained the OVH infrastructure as cold standby through to the HDS recertification date, with the contractual exit clause triggered after the audit resolved without findings.
Month 5: HDS recertification audit. Month five was the HDS recertification audit and post-audit cleanup. The audit itself ran across 9-13 March 2026, with the certifier reviewing the platform's full HDS-scope architecture including the email notification layer that now ran on our Luxembourg infrastructure. The certifier's principal question on our portion of the architecture was the basis for processing in Luxembourg rather than France. The platform's general counsel walked the certifier through the CNIL amendment, the Article L1111-8 derogation, our DPA, our sub-processor list, our security questionnaire response, and the technical and organisational measures documented on our trust page. The audit closed on 16 March 2026 with the recertification granted for the next two years and one minor finding noted (the platform's documentation of the email-layer derogation could be more detailed for non-French audit reviewers, which we addressed by producing an English-language addendum to the DPA). No technical findings were raised against our infrastructure.
Recertified. Not certified.
HDS recertified through 2028. Cost down 22%. Two competitors went elsewhere because we are not HDS-certified, and we will lose more deals on this basis. The list quality problem on the marketing team's plate is still there.
What measurably improved. The measurable outcomes after the recertification. HDS recertification granted for two years through March 2028. Inbox placement at La Poste improved from 76 to 89 percent and held that level across the post-cutover ninety days. Free.fr from 81 to 92 percent. Orange largely flat at 94 percent (already strong, marginal improvement to 95 percent). Hard bounce rate on appointment reminders fell from 1.1 percent to 0.6 percent, mostly because the new infrastructure correctly handled French ISP-specific bounce codes that the OVH configuration had been classifying as soft bounces. The platform's email infrastructure cost decreased by roughly 22 percent year-over-year, primarily because the Luxembourg PoP is more cost-efficient at our scale than OVH's HDS-certified offering at the platform's scale. The architecture is materially simpler than the previous OVH configuration, with one MTA cluster instead of three and one bounce-handler instead of a federated set across regions.
What did not change. The clinical-content workloads remained on the platform's separately-HDS-certified provider. Our infrastructure handles only the notification layer, not the patient health record content. This was explicit in the engagement scope from the first call, and we declined a follow-up conversation in February 2026 about expanding into HDS-scope clinical content because we still are not HDS-certified and pursuing certification for one customer would distort our cost basis for the other 600. The platform accepted the answer. Two of the platform's competitors did not, and chose providers willing to pursue HDS certification on their behalf at the certification cost passed through to the customer. We expect to lose more deals on this basis as French e-health continues to consolidate, and that is the price of not pursuing certifications we do not believe materially improve operational discipline. The patient mailing list quality, which was outside our scope, did not improve through the engagement. The platform's marketing team continues to send to a small percentage of recipients whose consent records are old enough that re-permission would be the appropriate operational step. We have flagged this on every quarterly review.
Identifying details have been anonymised at the customer's request. The technical details, timeline, and outcomes are accurate to the engagement.
Sectoral certification question?
Big Box Hosting is not HDS-certified, not ISO 27001 certified, not SOC 2 audited. The reasoning is documented on our trust page. About 8 percent of inbound prospects qualify for a procurement gate that requires one of these certifications, and we route those prospects to providers who have them. The other 92 percent get a transparent answer about what we do and do not do, and a 30-minute call to assess whether our architecture fits.