Data & Compliance

Here is where our data comes from, how it is processed, and what we can provide to your DPO or procurement team.

01 · Data

Zero patient data.

No SIH access, no individual PMSI, no nominative clinical data. Only public professional data.

02 · Sources

100% public sources.

Health open data (HAS, IQSS, FINESS, ARS), public LinkedIn profiles, Ordre des médecins. No grey market, no scraping of authenticated sites.

03 · Infrastructure

European hosting, 12-month traceability.

Processing and storage exclusively on European infrastructure (France/Germany). Logs retained 12 months for auditability.

Frequently asked questions

What DPOs and procurement teams ask.

Are you a data processor under GDPR?
Yes. A DPA is signed before any engagement. We are a data processor for processing carried out on your behalf (enrichment, message sending).
Does data leave the EU?
No. Our infrastructure is 100% in France and Germany. For LLMs, we use European deployments (Azure OpenAI France Central or EU-hosted Mistral Large).
What happens in case of a deletion request?
Immediate and permanent deletion, propagated across all campaigns. The deletion is logged, and proof of processing is delivered within 72h.
Can you provide your processing register?
Yes, on request at dpo@medify.fr. Provided within 5 business days.
Do you have ISO 27001 or HDS certification?
ISO 27001 in progress (Q3 2026 audit). HDS not required: we process no personal health data.
What legal basis do you use to process professional emails?
B2B legitimate interest (GDPR recital 47), compliant with CNIL deliberation MR-004 and the CNIL 2023 guidelines. An information notice and a 1-click opt-out are included in every message.
