Healthcare · Sector

Healthcare application development: compliant, sovereign, secure.

We design, take over, and modernise high-performance healthcare applications that comply with GDPR and are hosted on HDS-certified infrastructure—no AI-washing.

Guarantees
  • Hosting on HDS-certified infrastructure
  • Data hosted in France
  • GDPR by design
  • Guaranteed reversibility
AP-HP
ProtectUs
SIFEM
01 — The healthcare context

Healthcare leaves no room for approximation.

Highly sensitive patient data, HDS and GDPR requirements, legacy or no-code applications at breaking point, and a constant tension between time-to-market and compliance. Building for healthcare means delivering on both.

Data that cannot afford mistakes

Patient records, imaging, results: the slightest leak compromises your liability and the trust of healthcare professionals. Security is not a luxury—it’s the foundation.

HDS and GDPR are non-negotiable

Certified health data hosting, access traceability, consent, right to erasure: the framework is strict, and it evolves. Better to build it in from the start.

Legacy systems that hinder care

Ageing business applications or no-code tools that can no longer handle the load or business rules: technical debt slows down teams and patients.

Move fast, without compromise

Operations demand delivery, compliance demands security. We refuse to choose: clear scoping, incremental delivery, security and compliance built in from the first line of code.

03 — Compliance & sovereignty

Compliance is not a checkbox.
It’s the foundation.

For a healthcare institution, the real question isn’t “does it work?” but “where does my data go, who accesses it, and can I leave?”. Here are our answers, clearly and without jargon.

Hosting on HDS-certified infrastructure

Your health data is hosted in France, on HDS-certified infrastructure (OVH, Scaleway). Depending on your needs: managed mode or self-hosting under your institution’s direct control.

No data outside the EU

No reliance on non-European cloud providers. Your patients’ data stays in France—this is the starting point, not an option.

GDPR by design

Data minimisation, traceable consent, right to erasure, processing register: GDPR is built in from the start, never added as an afterthought.

RLS on all tables

Row-Level Security at the database level: every access is filtered by role and institution. Data separation isn’t just application-level—it’s embedded in the engine.

Anonymisation & pseudonymisation

Data used for management or research is anonymised or pseudonymised based on use case. Identifiable data does not circulate without reason.

Guaranteed reversibility

The code is yours, the data is exportable, the hosting is transferable. You’re never locked in with Scroll.

04 — Proof

Health projects already in production.

From hospital systems to medical imaging—three concrete examples, not promises.

AP-HP · Public Health · Hospital

Emergency patient intake form

HDS-compliant medical web application (sovereign hosting, anonymization, etc.) for the general public, responsive, QR code, pathology algorithm, interactive diagram, etc.

Next.js · PostgreSQL · Scalingo

ProtectUs · Healthcare · No-code to code migration

Hospital RFID system rewritten for a dozen facilities.

Migration from Bubble to Next.js 15 + Supabase, self-hosted on OVH. Reversible switch, cabinet by cabinet, with no disruption to care services.

Next.js · Supabase · OVH · Self-host
protectus.eco ↗

SIFEM · Medical Imaging · Women’s Health

dPEI Pocket — deep pelvic endometriosis scoring for radiologists.

Medical web and mobile application (iOS / Android) with offline mode and PDF generation. Deep pelvic endometriosis scoring; anonymized data analyzed by region.

Web · iOS / Android · Offline · PDF
dPEI evaluation
×4 connection time (1.2 s → 300 ms) — ProtectUs
0 service disruption during migration — ProtectUs
100 % health data hosted in France — ProtectUs

05 — Stack & Method

A stack built to last and to be audited.

Modern, maintainable, and easy to recruit for. Above all, fully traceable end-to-end: every access is logged, every deployment is tested.

  • Front: React, TypeScript
  • Back / Data: PostgreSQL, RLS
  • Hosting: OVH, Scaleway, Self-host
  • Security: Encryption, Access logging, GDPR
  • Quality: CI/CD, Non-regression tests, Code review

06 — FAQ

Your questions, our answers.

The most common questions we address when scoping projects with healthcare institutions or healthtech startups.

HDS (Hébergeur de Données de Santé) is a mandatory French certification for hosting personal health data. It enforces strict security, confidentiality, and traceability guarantees. In practice: any application storing patient data must rely on HDS-certified infrastructure. We host your applications on HDS-certified infrastructure in France (OVH, Scaleway).

In France, on HDS-certified infrastructure. No data leaves the European Union. Depending on your needs, in managed mode or via self-hosting under your institution’s direct control.

Yes, by design: data minimisation, traceable consent, right to erasure, processing register, and Row-Level Security at the database level. GDPR compliance is built in from the scoping phase, not added later.

Yes. We audit the existing system (legacy, no-code, or AI-generated code), secure the data, then rebuild it on a maintainable, compliant foundation—step by step, with no service disruption. See our Migration no-code to code and Application modernisation expertise.

Yes, both. A university hospital, a clinic, a lab, or a healthtech startup have different constraints and rhythms—but the same compliance requirements. We tailor the scoping to your organisation.

Data encryption, Row-Level Security on all tables, access logging, anonymisation based on usage, and systematic code review. Security isn’t a final step—it’s embedded in the architecture.
Let’s discuss

A health application project? Let’s talk compliance, sovereignty, and timelines—concretely, without jargon.

Contact details
20 Rue des Taillandiers
75011 Paris
Response within 24 business hours.