Rainbow HDS Paid Service – Special Terms of Use

Rainbow HDS is a certified, secure healthcare communication and data exchange platform where ALE ensures compliant hosting and security, while the Client retains full responsibility for regulatory compliance, data governance, and rights management.

For the detailed Terms & Conditions, please see the full document available on this page.

1. Purpose & Scope

The Special Terms define the conditions under which ALE International provides the Rainbow HDS Service, a UCaaS communication platform certified for Health Data Hosting (HDS). These terms supplement and take precedence over the General Terms of Use.

2. Key Definitions

• Client: Healthcare professional or organization using Rainbow HDS to exchange or store Personal Health Data.
• Health Data (PHR): Any identifiable information related to a person’s physical or mental health.
• Data Subjects: Individuals whose data is processed.
• Users: Staff or authorized individuals accessing the Service.
• Host: ALE (with OVH as subcontractor) acting as a certified Health Data Host.

3. Description of the Service

Rainbow HDS provides secure messaging, file sharing, communication, and data storage in compliance with HDS regulations. ALE performs certified hosting activities including infrastructure provision, platform management, operations, and data backup.

Important:

• Rainbow HDS is not an official archiving service.
• ALE provides tools and exports so the Client can archive data themselves or via a certified third party.

All data (production, logs, metadata, backups) is hosted exclusively in France (EEA).

4. Roles & Responsibilities

ALE (Data Processor & HDS Host) must:

• Ensure confidentiality, integrity, and availability of Health Data.
• Maintain HDS & ISO 27001 certification.
• Provide secure access using strong authentication.
• Implement business continuity & disaster recovery (RTO 48h / RPO 24h).
• Notify incidents to the Authorized Reseller (target: within 48h).
• Keep logs for 12 months and maintain traceability.
• Restrict access to personal data by subcontractors (only identification data for support).

Client (Data Controller) must:

• Fully comply with GDPR, Public Health Code, and PGSSI S.
• Inform Data Subjects and manage consent.
• Handle all data subject rights requests (access, deletion, rectification, etc.).
• Ensure users are authorized and trained to process Health Data.
• Manage authentication, workstation security, and access control.
• Avoid including Health Data in support tickets.
• Implement its own Health Data archiving policy.
• Designate primary & secondary contacts for HDS operations.

5. Data Subjects’ Rights

The Client is solely responsible for:

• Authenticating requesters
• Assessing admissibility (e.g., legal retention periods)
• Responding to rights requests

ALE assists only if the Client cannot respond and contact is made within defined timeframes.

6. Security & Incident Management

ALE applies strict technical and organizational measures aligned with ISO 27001 & HDS requirements.

In case of an incident affecting Health Data:

• ALE notifies the Reseller
• Crisis management procedures may apply
• Service may operate in degraded mode
• The Client must notify authorities and impacted individuals if required

Misuse of the service by the Customer is excluded from incident responsibilities.

7. Subcontracting

• OVH is the certified hosting subcontractor (HDS LNE 35608 0).
• ALE may update the subcontractor list with prior notice.
• Contracts include GDPR compliant data processing clauses.

8. Liability

ALE’s liability is limited, especially in cases involving:

• Client’s non-compliance
• Misuse or disclosure of passwords
• Client-caused data loss or corruption
• Failure to archive Health Data appropriately

Backups by ALE do not replace regulatory archiving obligations.

9. Audit & Certification

• ALE undergoes annual HDS surveillance audits and full certification every 3 years.
• Clients may conduct audits per ALE’s audit procedure.
• Loss of certification allows the Client to terminate the contract without penalty.
• ALE must assist in recovering all Health Data.

10. Reversibility (End of Service)

• ALE returns data within 30 days of a formal request.
• Data is provided in open, readable formats.
• Client must verify completeness.
• ALE deletes all Customer Data after 60 days.
• Reversibility is free unless extraction exceeds 3 business days.