GDPR-compliant cloud platform for a digital health provider

Designed and deployed a GDPR-compliant cloud architecture for a digital health platform handling patient data across five EU member states.

Sector. Digital health, patient data, ~200 employees

Engagement. Architecture design plus migration

Duration. Fourteen weeks

The client operated a digital health platform connecting patients with specialist clinicians across Ireland, the Netherlands, Germany, Spain, and France. The platform handled special-category health data under GDPR Article 9, with distinct data-residency requirements for Germany under federal data-protection law.

Our engagement began with a data-flow mapping exercise that produced a comprehensive picture of where patient data was processed, stored, and transmitted. Several third-party integrations were identified that did not have adequate data-processing agreements in place; resolving these was a prerequisite to the main migration.

The target architecture deployed patient data storage in EEA-resident AWS regions, with encryption at rest and in transit, field-level encryption for the highest-sensitivity data categories, and a zero-trust access model requiring MFA for all clinical-data access.

Germany's data-sovereignty requirement for the German patient cohort was addressed through a separate AWS Frankfurt account with explicit data-residency configuration and audit logging for cross-border transfers. A Data Protection Impact Assessment was produced and reviewed by the client's DPO and external data-protection counsel.
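The residency and encryption rules described above can be checked continuously against a data-store inventory. The following is an added example, not code from the engagement: the account aliases, store names and inventory are constructed, and it assumes a strict reading in which German-cohort stores and their replicas stay in Frankfurt (eu-central-1) inside the separate German account.

```python
from dataclasses import dataclass

# AWS regions in EEA countries (eu-west-2 London and eu-central-2 Zurich are not).
EEA_REGIONS = {"eu-west-1", "eu-west-3", "eu-central-1",
               "eu-south-1", "eu-south-2", "eu-north-1"}
FRANKFURT = "eu-central-1"
DE_ACCOUNT = "de-patient-data"  # hypothetical alias for the separate German account

@dataclass(frozen=True)
class Store:
    name: str
    account: str
    region: str
    cohort: str                  # ISO country code of the patient cohort
    high_sensitivity: bool
    encrypted_at_rest: bool
    field_level_encrypted: bool
    replica_regions: tuple = ()

def allowed_regions(cohort):
    # Assumption: the German cohort is pinned to Frankfurt, others to any EEA region.
    return {FRANKFURT} if cohort == "DE" else EEA_REGIONS

def violations(store):
    found = []
    allowed = allowed_regions(store.cohort)
    if store.region not in allowed:
        found.append("primary-region")
    # Replication moves data too, so every replica must satisfy the same rule.
    if any(r not in allowed for r in store.replica_regions):
        found.append("replica-region")
    if store.cohort == "DE" and store.account != DE_ACCOUNT:
        found.append("de-account")
    if not store.encrypted_at_rest:
        found.append("encryption-at-rest")
    if store.high_sensitivity and not store.field_level_encrypted:
        found.append("field-level-encryption")
    return found

def audit(inventory):
    """Return only the stores that break at least one rule."""
    report = {s.name: violations(s) for s in inventory}
    return {name: v for name, v in report.items() if v}

# Constructed inventory, not the client's.
INVENTORY = [
    Store("ie-records", "eu-patient-data", "eu-west-1", "IE", True, True, True),
    Store("de-records", DE_ACCOUNT, FRANKFURT, "DE", True, True, True, ("eu-west-1",)),
    Store("de-uploads", "eu-patient-data", FRANKFURT, "DE", False, True, False),
    Store("es-notes", "eu-patient-data", "eu-west-2", "ES", True, True, False),
]
```

The German store with an Irish replica is flagged even though its primary region is correct, which is the case a region check on the primary alone would miss.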

Outcome

GDPR-compliant architecture live across five EU member states; German data-residency requirement met; DPIA signed off by external counsel.