Your medical data is not merely "protected". It is designed to be unreadable by anyone, including us, without a key that only you hold.
The decryption key is derived on your phone from your password with Argon2id, a memory-hard key-derivation function that makes offline password guessing expensive. The key never leaves your device. Without it, your data is unreadable, including to us; it also means that the strength of your password directly bounds the strength of that key.
Every document, every result, every note is encrypted on your device with AES-256-GCM, an authenticated mode: the server stores an opaque blob it cannot read, and any modification of that blob is detected when you decrypt. A database leak would expose only ciphertext, never the contents of your record.
We host your encrypted data; we cannot read it. This is what is called a zero-knowledge architecture: the provider cannot read what it stores, so even under a court order the most we could hand over is ciphertext.
Every time you grant access (to a doctor, a family member or a third party), the event is written to an audit chain. You see who consulted what, and you can revoke access with one tap.
Some French health platforms host their data on US clouds. Even when encrypted, that data falls under the CLOUD Act, a US law that lets US authorities compel an American provider to hand over data it holds, wherever that data is stored.
Comparison table: Criterion · My Data My Care · US Cloud Platforms
Sovereignty & Portability
The sovereignty of your data implies its full portability: see how our architecture lets your record cross borders without compromising security.
Your medical data stays encrypted on our servers, never on a blockchain (which would be slow, costly and, because nothing written to it can ever be deleted, dangerous for medical data).
Instead, every authorisation you grant, every third-party access and every revocation is written to a permissioned chain: append-only, so past entries cannot be rewritten or removed unnoticed, and verifiable by you and by a court of law.
Access Log — Example

  Dr. Lefebvre    Access granted · 24h    Today · 14:20
  Dr. Lefebvre    Record consulted        Today · 14:32
  Cerba Lab       Results imported        Yesterday · 09:15
  Dr. Mercier     Access revoked          3 days ago

  Hash: 0x7a3f…e2c1 · Verified ✓
Health Data Hosting, 2026 certification mandatory in France
European regulation on personal data — rights to access, rectification, portability, erasure
Mon Espace Santé catalogue listing, feeding of the DMP (shared medical record), FHIR R4 interoperability
National Health Identity (INS), professional authentication via the CPS card
Digital accessibility at AAA level, above the European EN 301 549 standard
V1 stays strictly outside medical-device scope. The predictive-AI module planned for V2 will meet the high-risk requirements applicable from August 2026.
Truly solid security is security you can prove. Here are the mechanisms anyone can use to verify our claims.
Our security is audited every quarter by an independent firm. Reports are published on this page.
A bug bounty programme open to security researchers. The more critical the flaw, the higher the bounty.
Our FHIR connectors and mobile application are published on GitHub. Auditable by any developer.
Every government request received, every incident, every security change is documented publicly.
Our security team answers directly. Whether you are a cybersecurity researcher, the DPO of a facility or a tech journalist, write to us.
security@mydatamycare.com