Information relevant to Requirement 31 (HDS V2.0)

| Business name of the actor | Role in the hosting service (Host/processor of the Host) | HDS certified | SecNumCloud 3.2 qualified | Hosting activities in which the actor is involved | Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No. 29 of the HDS framework) | Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement No. 30 of the HDS framework) |
| --- | --- | --- | --- | --- | --- | --- |
| commercetools | Processor | Yes | No | Activities 4 and 5 (HDS v1.1); Activities 3 to 5 (HDS v2.0) | Yes. Support teams may have limited access from the US and other third countries not covered by an adequacy decision. Standard Contractual Clauses (SCCs) are in place. | Yes. United States. Risk mitigated via: SCCs and security controls (see TOMs); storage-level encryption, with data and encryption keys hosted in the EU. |
| MongoDB | Processor | Yes | No | Activities 3 to 5 | Yes. Technical support may access from the US, UK, Canada, India, Australia, Singapore, etc. See the MongoDB HDS-related publication and the certification status. | Yes. United States. The Atlas Control Plane is operated from the US. Risk mitigated via: SCCs and security controls (see Privacy Hub); Data Privacy Framework; HDS certification; storage-level encryption, with data and encryption keys hosted in the EU. |
| Google GCP | Host | Yes | No | Activities 1 to 6 | Yes. Customer support or telemetry data may be processed from countries such as the US. Data hosting location is customer-configurable. See GCP Data Processing and SCC policies. For more transparency regarding the DSCP processing, see the publication by Google. | Yes. United States. GCP services are subject to US law. Mitigations are in place via: EU SCCs and regionalization options; Data Privacy Framework; HDS certification; storage-level encryption, with data and encryption keys hosted in the EU. |