Where to host your DiGA after the ban on US cloud providers?

Veselina Staneva

It has been a while since the EU-US Privacy Shield was struck down by the European Court of Justice (ECJ) back in July 2020. What does this mean for developers of German digital health applications (DiGA, or "apps on prescription") today, and is there still confusion around ensuring compliance for their apps?

What changed for German DiGAs in July last year?

Last summer, the ECJ ruled on a case known as Schrems II, and as a result of the final judgment the US was excluded from the list of countries with a GDPR adequacy decision. In other words, there was no longer an exception to the German law that allowed health data collected by digital health apps to be stored outside the EU.

Ban on US-based cloud providers for processing health data

The German Digital Care Act (DVG) Fast Track sets strict rules for security and data protection. The Federal Institute for Drugs and Medical Devices (BfArM) must approve all DiGAs before they can be listed and prescribed by doctors. Put simply, if your app uses a US cloud provider, it just won't make the cut.

It is quite likely that your DiGA depends on at least one US-based provider, even if you are paying specifically for EU clusters. "Architecture redesign", "extra costs", "migration"... those are just a few of the things that come to mind after you read the above lines.

Suddenly, DiGA developers were left with a very limited choice of providers and quite a few unknowns, such as:

  • “If the US cloud provider has an EU subsidiary, could I use it?”
  • “Can my DiGA still be published on the major app stores?”
  • “What about using iOS and Google notification systems in my DiGA?”

And to this day, there is still much confusion.

What is the latest stance of the EDPB and BfArM on the matter?

In November 2020, the European Data Protection Board (EDPB) released new guidance regarding third-country data transfers. In short, it states that any form of data access is officially considered a data transfer. The Board also provided clear instructions on how to be compliant, and the main point is to ensure a proper level of protection for any transferred data.

BfArM, for its part, provided a bit more clarity by releasing special guidance about where third-country cloud providers stand. Nevertheless, it also stated that this guidance can be overruled by a data protection authority (Germany alone has 18 DPAs). BfArM also noted that US cloud providers with an EU subsidiary can be used for processing personal data only when the following conditions are met:

  • prior to storing data on the cloud, it is encrypted at record level;
  • the encryption keys are kept and protected in another place.
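The two conditions above can be met by encrypting each record on your own side before it is uploaded. The following is an added example, not code from BfArM or SashiDo: the function names, the in-memory `Map` standing in for a key store operated outside the cloud provider, and the choice of AES-256-GCM are assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical helper: encrypt one record locally with its own AES-256-GCM key.
// keyStore stands in for key storage you run outside the cloud provider.
function encryptRecord(recordId, record, keyStore) {
  const key = crypto.randomBytes(32); // fresh 256-bit key per record
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8')); // bind ciphertext to its record id
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(record), 'utf8'),
    cipher.final(),
  ]);
  keyStore.set(recordId, key); // the key stays here and is never uploaded
  // Only this object is sent to the cloud database.
  return {
    id: recordId,
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Hypothetical helper: fetch the key from the separate store and decrypt.
// Throws if the key is missing or the stored blob was modified.
function decryptRecord(blob, keyStore) {
  const key = keyStore.get(blob.id);
  if (!key) throw new Error(`no key for record ${blob.id}`);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAAD(Buffer.from(blob.id, 'utf8'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(blob.ct, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data, not real patient information.
const keyStore = new Map();
const blob = encryptRecord('rec-1', { patient: 'constructed-001', score: 14 }, keyStore);
console.log(blob);                          // what the cloud provider sees
console.log(decryptRecord(blob, keyStore)); // what you recover with the key
```

Without access to the separate key store, the stored object is unreadable, and any modification of it in the cloud makes decryption fail instead of returning altered data.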

It was also noted that uploading your app to the various app stores and sending out push notifications is permitted. Still, the notifications you send must not contain health data.

Another point is that DiGA developers physically based in the US were also banned, but have a slight chance of becoming eligible. They would have to set up a legally separate subsidiary in the EU and arrange a licensed representative.

Can I host my DiGA on SashiDo?

We offer an EU-based cloud platform that enables any DiGA developer to build and host applications hassle-free. We run on our own equipment in the European region, and the infrastructure itself is located in the Iliad Datacenters in Paris, France. This means that if your app is hosted in our European region, all your customers' data will be stored on those servers!

What's more, our customers' data is stored in separate access-controlled databases per application. Communication is encrypted with SSL certificates, access to servers is restricted, and firewalls permit only explicitly allowed ports and protocols.

Of course, our platform is also fully GDPR compliant. And you, as an app owner who uses SashiDo, are the controller of your users' personal data. To make your life easier, we've prepared a simple checklist for you to verify: How to make your mobile app GDPR compliant.

So, if the ban on US cloud providers affects your services then look no further - SashiDo.io meets the prescribed requirements for 3rd party cloud providers and our team is here to help!


Veselina Staneva

Business Dev & Product Manager @ SashiDo.
