Transparency, not promises.
Security and compliance audits, disclosed vulnerabilities, government requests: we publish what is verifiable, and we honestly state what is not verifiable yet.
- Verifiable transparency
- Auditable open code
- French law
First annual report coming soon
My Data My Care is in a pre-launch phase. Consolidated figures (audits performed, CVEs disclosed, requisitions received) will be the subject of a first annual report published after our first year of operation. This page already presents our methodology and commitments; it will be updated as soon as real data becomes available.
Verified by independent third parties
Our audit commitments. Reports and attestations will be published or made available on request as they are completed.
Offensive audit by an independent cybersecurity firm before the V1 go-live. Summary published, detailed report on justified request.
Hosting with a certified Health Data Host (HDS) operator. The host's certificate is publicly verifiable.
Data Protection Impact Assessment and GDPR compliance review under the supervision of our DPO.
Digital accessibility audit targeting WCAG 2.1 level AA conformance, with a public accessibility statement.
Our encryption components and protocol core are designed to be publicly auditable. See our open-source approach.
No concealment, full disclosure
Every fixed security vulnerability will be publicly disclosed with its CVE identifier, severity and fix date.
No CVE disclosed to date
No publicly disclosed security vulnerability has been recorded so far. This registry will be updated transparently as soon as a CVE is published.
Vulnerabilities are fixed before disclosure, then published with a reasonable delay to allow affected deployments to update.
Requests from authorities
Judicial and administrative requisitions received, handled in strict compliance with French law. No foreign jurisdiction applies to our data hosted in France.
| Metric | Current period |
|---|---|
| Requisitions received | First annual report coming soon |
| Requisitions complied with | First annual report coming soon |
| Requisitions challenged or refused | First annual report coming soon |
| Accounts concerned | First annual report coming soon |
| Requests with a gag order | First annual report coming soon |
Data hosted in France, subject to French law only. We have received no request under the Cloud Act or any other extraterritorial jurisdiction — the absence of such a statement would itself be a signal (warrant canary).
Report a security flaw
Our responsible disclosure policy, designed to protect patients and researchers alike.
Scope
All our public applications (patient, doctor, landing) and our APIs are in scope. Testing must never target real patient data.
Safe harbor
Any research carried out in good faith, without compromising data confidentiality or service availability, will not result in any legal action on our part.
Response times
Acknowledgement within 72 h, first assessment within 7 days, critical fixes prioritized. You are kept informed at each step.
Recognition
Researchers who wish to be credited are listed in our hall of fame after the fix and coordinated disclosure.
To report a vulnerability, email security@mydatamycare.com
Transparency rests on a solid regulatory foundation: HDS, GDPR, Ségur, AI Act. Discover our compliance roadmap and detailed commitments.
See our compliance page
What you are asking
When will the first transparency report be published?
The first consolidated annual report will be published after our first year of operation. Until then, this page presents our methodology and commitments, and will be updated as soon as an audit, a CVE or a requisition produces real data to report.
How do you handle security vulnerabilities?
Any reported flaw is assessed then fixed as a priority according to its severity. After the fix and a reasonable deployment delay, we publish a full disclosure with the CVE identifier, severity and fix date. We never conceal a fixed vulnerability.
What is a warrant canary and do you publish one?
A warrant canary is a statement affirming that no secret requisition has been received; its disappearance implicitly signals the opposite. As our data is hosted in France and subject to French law only, we explicitly state that we have received no extraterritorial request (Cloud Act). Removing this statement would constitute a signal.
Are your audits genuinely independent?
Yes. Penetration tests and compliance audits are entrusted to specialized third-party firms with no capital ties to My Data My Care. Attestations (the host's HDS certificate, pentest summaries) are verifiable or available on justified request.
A question about our security?
Researchers, DPOs, partners: our security team is here to answer. Transparency starts with dialogue.