diff --git a/pages/block-storage/menu.ts b/pages/block-storage/menu.ts index f6d643332b..bfa5da0c55 100644 --- a/pages/block-storage/menu.ts +++ b/pages/block-storage/menu.ts @@ -90,6 +90,10 @@ export const blockStorageMenu = { }, { items: [ + { + label: 'Storage shared responsibility model', + slug: 'storage-shared-responsibility-model', + }, { label: 'Differences between Block Storage volumes', diff --git a/pages/block-storage/reference-content/storage-shared-responsibility-model.mdx b/pages/block-storage/reference-content/storage-shared-responsibility-model.mdx new file mode 100644 index 0000000000..7e09656a0d --- /dev/null +++ b/pages/block-storage/reference-content/storage-shared-responsibility-model.mdx 
@@ -0,0 +1,366 @@ +--- +title: Scaleway storage services shared responsibility model +description: Learn about the shared responsibility model for Scaleway Block Storage and Scaleway Object Storage, outlining the roles of Scaleway and users in managing data encryption security, and healthcare data hosting (HDS) compliance. +tags: storage shared responsibility model compliance hds health data hosting +dates: + posted: 2025-11-12 + validation: 2025-11-12 +--- + +This document outlines the roles and responsibilities for maintaining and securing your Scaleway storage services, Block Storage and Object Storage including Glacier. Our shared responsibility model clarifies the division of duties between Scaleway and our users, ensuring clarity in managing availability, backups, configurations, and security measures for your storage solutions. By understanding this shared responsibility, you can optimize the performance, reliability, and security of your Scaleway storage services. + +## Service provision + +Scaleway is responsible for the operational maintenance of all components essential to providing the Service. These include: + +* **Physical infrastructure:** Managing the physical sites that house the hardware infrastructure used for the Service. + +* **Hardware infrastructure:** Maintaining the underlying hardware. Monitors resource utilization rate and updates its capacity plan. + +* **Virtual infrastructure:** Ensuring the functionality of the virtualized environment. + +* **Hosting platform:** Operating the application and database hosting platform. + +* **Network:** Establishing storage space connectivity in its default configuration. + +* **Applications and databases:** Maintaining the applications and databases themselves. + +Furthermore, Scaleway procures the necessary licenses and usage rights for any third-party solutions that are either used by Scaleway in delivering the Service or made available to the client as part of the Service. 
It provides the client with necessary information regarding the characteristics and conditions of use of the Service. It also plans and implements updates to the various Service components also considering third-party products used within the Service. + +You are responsible to ensure that users comply with the Service's terms of use. + +Scaleway is responsible for monitoring, managing, and forecasting the Service APIs and physical cluster capacity. + +You are responsible for informing Scaleway ahead of time of significant changes in your storage capacity forecast. + +## Logs and monitoring + +Scaleway is responsible for the proper monitoring of the Service, including: + +* Retaining access logs and event traces related to the use and administration of the Services, such as objects and storage spaces (volumes, buckets) creation and deletion, server configuration (including physical and software resource configuration), and user and access rights additions and deletions. + +* Making access logs and event traces available to the client upon request. + +### Your responsibilities + +* Retain access logs and event traces provided by the Service Provider. + +* Ensure the successful completion of tasks performed while using the Service (e.g., volume creation for Block Storage, implementing integrity checksums for Object Storage). + +* Monitor the available and remaining space within your provisioned volumes. + +## Product resiliency + +### Availability and steadiness + +Scaleway ensures high availability through resilient infrastructure, and technical and organizational measures, including monitoring service health and incident detection for the data hosted within the Service. Scaleway provides and maintains the operational condition of the control plane and APIs. + +Scaleway is responsible for: + +* Implementing resiliency for the Services within at least an Availability Zone (AZ), and for multi-AZ storage tiers only, across multiple Availability Zones. 
+ +* Monitoring service health, performance, and balancing the load of use of the Service. + +You are responsible for: + +* Implementing technical and organizational measures to ensure the continuity of your activities, taking into account the conditions of use and characteristics of the Service, including the nature and criticality of data stored. + +* Configuring the Service in accordance with your needs, particularly in terms of availability. + +* Monitoring and notifying us of breaches of Service Level Agreement concerning the availability of the service. + +#### Performance + +You are responsible for optimizing your applications' use of Storage Services. Scaleway monitors and optimizes infrastructure-level performance, but note that: + +* Glacier cold storage data access requires object restoration and can incur delays, + +* For the Object Storage Service, multipart uploads and concurrent requests should be used for large files. + +**Data Integrity** + +For all Storage Services, you are responsible for: + +* Verifying the successful completion of read and write operations. + +* Verifying the successful completion and integrity of backups. + +For the Object Storage Service, Scaleway provides a checksum of each uploaded object, allowing the client to perform integrity control or control the integrity of the checksum provided to the client at the time of upload, if applicable. + +You are responsible for: + +* Verifying the successful completion of the upload via a checksum control. + +* Controlling the availability and integrity of objects, and restoring damaged objects. + +## Backups and replication + +While Scaleway provides internal resiliency mechanisms and features, it is your responsibility to implement a backup strategy appropriate to your needs and the criticality of your activities, including: + +* External backups. + +* Replication to other regions (as allowed by regulations). 
+ +* Management of your backups and snapshots, and regular verification of their integrity. + +Internal resilience does not protect against accidental deletions or application-level corruption. + +## Configuration and management + +Scaleway is responsible for the configuration of API and dataplane settings. + +You are responsible for managing the state of your storage spaces and objects. This includes monitoring and configuring service-level features and policies available for your storage space. + +You are responsible for: + +* Creating storage spaces (buckets, volumes) + +* Provisioning additional space or storage spaces according to your needs + +* Managing volume attachment, detachment, and deletion according to your needs + +* Managing snapshots, and snapshots deletion according to your needs + +### Object Storage class & lifecycle rules + +You are responsible for selecting appropriate storage classes, cleaning up unnecessary parts or data, and using lifecycle rules according to your needs. Note that a delay may occur if transitioning or expiring a high number of objects through lifecycle rules per day. + +### Access control + +Scaleway provides versioning, IAM, and specific Service-level access control tools (ACLs, bucket policies.) + +You are responsible for managing authorizations and access of your personnel to the Service (Console, API and storage spaces), and for ensuring the security of your personnel's authentication means. Your responsibilities include: + +* Ensuring public visibility settings align with your intentions. + +* Regularly reviewing access rules and permissions. + +* Activating two-factor authentication (2FA). + +* Configuring bucket policies (enforcing access limitations under certain conditions such as whitelisting or blacklisting certain IPs (allow or deny, IP range)). + +Scaleway enforces your configurations but does not intervene in its definition or maintenance. 
+ +### Versioning + +You are responsible for: + +* Enabling or deactivating versioning for data recovery. + +* Managing versioned objects' lifecycle according to your needs. + +## Encryption and data deletion + +### Encryption + +You are responsible for using the encryption methods provided by Scaleway or other third-party encryption solutions. + +For client-side encryption or customer-managed encryption keys, you are responsible for: + +* Managing your encryption keys securely, including activating HTTPS for secure transit. + +* Guaranteeing availability, resiliency, or backups for your keys. + +* Handling key lifecycle management, rotation, and secure storage. + +* Ensuring data becomes permanently inaccessible when keys are destroyed. + +### Encryption in transit + +Scaleway provides secure HTTPS endpoints. You must: + +* Ensure clients use HTTPS. + +* Avoid transmitting unencrypted data. + +* Validate certificates and enforce TLS in custom tools. + +### Data deletion + +Deletion is initiated only by you, manually, or via configured retention rules. + +Scaleway: + +* Deletes volumes/snapshots/objects upon request, or after the configured retention period. + +* Does not check volume/snapshots/object content before deletion. + +* Cannot recover data if versioning is not enabled. + +## Data residency + +* The customer is responsible for selecting the data location at the time of volume/bucket creation. + +* Scaleway commits not to modify the geographical location of data without the prior agreement of the customer. + +* The Glacier class systematically stores objects in Paris, regardless of the Region chosen for the bucket. + +## Identity and access management + +Scaleway provides tools for access control (IAM, ACLs, and policies). You are responsible for: + +* Defining and regularly auditing permissions. + +* Following least-privilege principles. + +* Managing and protecting API keys and credentials. + +* Detecting and responding to unauthorized access. 
+ +## Platform and service security + +### Scaleway responsibilities + +Scaleway ensures: + +* Physical and network security of datacenters. + +* Resiliency according to storage class criteria and DDoS protections. + +* Risk analysis and mitigation related to the implementation and provision of services. + +* Detecting security threats or data violations. + +Scaleway manages the authorizations, controls and secures the access of its personnel to the Service management interfaces, API, servers, network equipment and other components used within the Service. Scaleway ensures the security of its personnel's authentication means. + +Scaleway manages and monitors vulnerabilities related to the provision of its Services (infrastructure, OS, software, etc.) and implements corrective measures. + +See Security & Resilience and Trust Center. + +### User responsibilities + +You are responsible for: + +* Securing your applications and clients. + +* Conducting risk analysis and mitigation related to your use of the Service. + +* Controlling and protecting access to hardware infrastructures and hosting sites that are not under Scaleway's control and responsibility. + +* Implementing proper error handling. + +* Monitoring your usage, logs and patterns. + +* Conducting periodic vulnerability tests, and applying corrective measures, also for third-party and open-source products + +* Communicating known vulnerabilities, security incidents, or detected anomalies to Scaleway. + +## Service termination + +You determine when to terminate using the Service and are responsible for: + +* Planning and implementing reversibility operations. + +* Recovering all data. + +* Ensuring the complete finalization of reversibility operations before triggering the deletion of objects, snapshots or storage spaces (volumes, buckets). + +* Confirming the successful deletion of storage resources at the end of the reversibility process. 
+ +Scaleway undertakes to: + +* Maintain the availability of the Service until the effective termination date to ensure the smooth progress of reversibility operations. + +* Make available to the Client, upon simple request, its reversibility policy as well as any relevant information for the execution of these operations. + +* Guarantee the effective deletion of storage resources upon deletion request. Scaleway is responsible for deleting all data from the storage material before disposal and destroying the storage media. + +* Provide a data deletion certificate upon request. + +## HDS specifics (Hébergement de Données de Santé) + +This section outlines the specific requirements and responsibilities for hosting healthcare data in compliance with the HDS regulatory framework. + +### HDS compliance requirements + +When storing healthcare data within Scaleway Storage Services, the client is responsible for: + +* Signing Scaleway's HDS contract. + +* Ensuring access is restricted to authorized personnel. + +* Creating new volumes, snapshots, or buckets specifically for uploading HDS-compliant data. + +* Following Scaleway’s documentation on ensuring HDS compliance. + +* Using authorized storage classes only and not using the object lifecycle rules feature. + +Scaleway undertakes to provide HDS-certified infrastructure, and commits to maintain this certification. The loss of said certification may result in the termination of Scaleway’s commercial relationship with the HDS client. The aforementioned elements are included in the HDS contract signed by the client. + +### Data residency + +Scaleway guarantees that data remains within the authorized datacenters in Paris and does not access personal health data hosted by the client. + +You must: + +* Create storage spaces (volumes, buckets, snapshots) containing healthcare data in France only. + +* Configure replication within the authorized geographical perimeter (France) only. 
+ +* Ensure backups residency remains within the authorized geographical perimeter (France only) + +You must not configure replication, snapshots, backups or transfer data to regions outside the authorized perimeter. + +### HDS-compliant resources identification + +You are responsible for: + +* Knowing which Storage resources are HDS or not. + +* Attaching volumes to HDS-compliant Instances only. + +### Block Storage encryption and data deletion + +Encryption at rest is mandatory for Volumes hosting healthcare data. Deleted data cannot be restored. + +When using Block Storage, you are required to: + +* Encrypt volumes + +* Ensure secure key deletion after deleting data within your volumes to meet compliance requirements. + +Scaleway is responsible for: + +* Encrypting at rest the physical disks on which volumes are stored with state-of-the-art compliant encryption keys. + +* Managing the lifecycle, rotation and deletion of the disk encryption keys to access the underlying instances. + +### Object Storage encryption and data deletion + +Encryption at rest is mandatory for Object Storage buckets hosting healthcare data, with HDS-compliant key handling by Scaleway. Scaleway provides HDS-compatible mechanisms to encrypt data at rest and guarantee HDS-compliant data deletion. + +When using the Object Storage service, you are required to: + +* Follow the guidelines detailed in the documentation in order to enforce the additional encryption mechanisms required for HDS compliance. + +* Ensuring client-side data encryption or relying on existing encryption methods provided by Scaleway Object Storage. + +* Enforcing additional encryption mechanisms to guarantee HDS-compliant data deletion as described in documentation. + +#### Data deletion + +* Deletion of data stored in HDS-compliant buckets is irreversible: keys are destroyed using compliant crypto-shredding methods, + +* Deleted data cannot be restored, + +* The client must ensure backups before deletion. 
If SSE-C is used, the client must ensure secure key deletion to meet compliance requirements. + +Scaleway must maintain technical guarantees for secure deletion of healthcare data. + +### HDS-compliant storage classes and prohibited features + +For the Object Storage service: + +* You must use authorized HDS-certified storage classes only (Standard, One Zone). Glacier class is not HDS-compliant and must not be used by the client to store healthcare data. + +* You must not use the lifecycle rules feature that is not permitted for HDS-compliant buckets hosting healthcare data. + +For the Block Storage service: + +* You must not use legacy Block volumes and snapshots to host your HDS-compliant healthcare data. + +* If exporting/importing snapshots to and from Scaleway Object Storage, you must ensure to follow the above guidelines for end-to-end compliance across the Services. + + +This documentation must be read in conjunction with Scaleway's HDS contract and current certifications. In case of doubt, contact HDS support for clarification. + diff --git a/pages/object-storage/api-cli/bucket-operations.mdx b/pages/object-storage/api-cli/bucket-operations.mdx index 3ba2d3f885..f295416858 100644 --- a/pages/object-storage/api-cli/bucket-operations.mdx +++ b/pages/object-storage/api-cli/bucket-operations.mdx 
@@ -577,6 +577,41 @@ Authorization: authorization string ``` +## PutBucketEncryption + +This operation configures default encryption and Amazon S3 Bucket Keys for an existing bucket. + + + If the operation is successful, no output will be returned. + + +```xml no-copy +PUT /?encryption HTTP/1.1 +Host: Bucket.s3.amazonaws.com +Content-MD5: ContentMD5 +x-amz-sdk-checksum-algorithm: ChecksumAlgorithm +x-amz-expected-bucket-owner: ExpectedBucketOwner + + + + + string + string + + boolean + + ... + +``` + +**CLI command** + +```bash +aws s3api put-bucket-encryption \ +--bucket BucketName \ +--server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' +``` + ## PutBucketLifecycleConfiguration **Sample request** diff --git a/pages/object-storage/how-to/host-healthcare-data.mdx b/pages/object-storage/how-to/host-healthcare-data.mdx new file mode 100644 index 0000000000..4d8f0c4fb1 --- /dev/null +++ b/pages/object-storage/how-to/host-healthcare-data.mdx 
@@ -0,0 +1,129 @@ +--- +title: How to create a compliant bucket to host healthcare data +description: This page details the steps to follow to create a compliant bucket using Scaleway Object Storage to host healthcare data +tags: hds healthcare data health compliant compliance regulatory +dates: + validation: 2025-11-12 + posted: 2025-11-12 +--- +import Requirements from '@macros/iam/requirements.mdx' + +When hosting healthcare data using Scaleway Object Storage, you must follow the recommendations outlined in the [shared responsibility model](/object-storage/reference-content/storage-shared-responsibility-model/) to ensure compliance with legal and regulatory requirements, such as data protection laws, and industry standards. + +Adhering to these guidelines helps safeguard sensitive information against unauthorized access, breaches, and data loss, while also clarifying the roles and responsibilities between the cloud provider and the customer. + +This documentation provides the following elements: + +- A procedure to create a compliant bucket +- Information on prohibited actions +- Compliant encryption methods +- Compliant deletion methods +- A checklist to ensure you are ready to safely store healthcare data + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Signed an HDS contract with Scaleway for the guarantees outlined in the [shared responsibility model](/object-storage/reference-content/storage-shared-responsibility-model/) to apply + +## How to create a compliant bucket + +To host healthcare data in compliance with HDS requirements, you must create a new bucket. This is to make sure that no lifecycle rule exists, and that every object uploaded to this bucket is properly encrypted. + +1. Click **Object Storage** on the left side menu of the console. 
The Object Storage dashboard displays. + +2. Click **+ Create bucket**. The bucket creation page displays. + +3. Enter a **name** for your bucket. + +4. Select the **Paris** region. + +5. Set the bucket visibility to **Private**. + +6. Select a **use case** for your bucket. + +7. Enable [bucket versioning](/object-storage/how-to/use-bucket-versioning/) if you want to store multiple versions of your objects (this may lead to higher storage costs). + +8. Optionally, you can use the cost estimator to estimate your Object Storage costs. + +9. Click **Create bucket** to confirm. + +10. If you use an encryption mechanism other than [SSE-C](#encryption-with-sse-c), enable bucket encryption using the [PutBucketEncryption](/object-storage/api-cli/bucket-operations/#putbucketencryption) action. + +Your bucket is now ready to store healthcare data. Before uploading objects to the bucket, refer to the sections below for information on how to encrypt and delete your objects in compliance with regulations. + +## Prohibited actions on a compliant bucket + +To host healthcare data, you must comply with the following requirements: + +- You must not use an existing bucket. + +- You must not use the [Glacier](/object-storage/concepts/#storage-classes) storage class. Refer to the [Shared responsibility model](/object-storage/reference-content/storage-shared-responsibility-model/) for more information on this requirement. + +- You must not use [lifecycle rules](/object-storage/concepts/#lifecycle-configuration) in your compliant bucket. + +- If you use a [customer-side encryption mechanism](#customer-side-encryption), you must not delete the bucket encryption. + + +Failure to comply with these requirements may lead to voiding compliance on the objects contained in the bucket. + + +## How to encrypt objects + +Objects in a compliant bucket must be encrypted to make sure data is protected. 
To achieve this, you can either use Scaleway's SSE-C feature, or encrypt objects yourself before uploading them to your bucket. + +### Encryption with SSE-C + +Scaleway's SSE-C (**S**erver-**S**ide **E**ncryption with **C**ustomer-provided keys) mechanism guarantees that objects uploaded to the bucket are properly encrypted. + +You can check that your objects are properly encrypted by performing a simple `HeadObject` operation on an encrypted object without the SSE-C headers. Scaleway Object Storage will return a `400` error if SSE-C has been used to upload this object. + +Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for comprehensive information on how to encrypt objects using SSE-C. + +### Customer-side encryption + +Customer-side encryption ensures that sensitive data is protected before reaching Scaleway Object Storage, giving you control over the encryption mechanism, and key management. This method must be used in combination with [Scaleway's HDS-compliant deletion method](#deleting-objects-with-customer-side-encryption). + +## How to delete objects + +Objects must be deleted in a compliant way to make sure data cannot be retrieved by any means immediately afterward. When using the HDS-compliant method (using the `PutBucketEncryption` action), Scaleway encrypts your uploaded objects with a dedicated key that will be instantly deleted upon receiving a deletion request for the targeted objects. + +This mechanism guarantees your objects cannot be immediately retrieved, even if it takes additional time to process the deletion of all the remaining chunks of your deleted objects. + +### Deleting objects encrypted with SSE-C + +If you use Scaleway's SSE-C to encrypt your data, using [DeleteObject](/object-storage/api-cli/object-operations/#deleteobject) is sufficient to guarantee that your object is deleted in compliance with the regulatory requirements. 
+ +### Deleting objects with customer-side encryption + +If you do not use Scaleway's SSE-C to encrypt your data, you must use Scaleway's HDS-compliant method to delete objects. You must enable bucket encryption beforehand, using the `PutBucketEncryption` operation. + + +This mechanism is designed to handle compliant deletion of your data, and not its encryption. Make sure to use it in combination with a compliant encryption method, such as SSE-C or any other customer-side approach to upload your objects. + + +## Enforcing compliance using bucket policies + +To enforce compliance regarding the storage class and lifecycle rules, you can set up a bucket policy. **Bucket policies automatically deny any action that is not explicitly allowed in a statement**, allowing for fine-grained permissions management. + +Refer to the [dedicated documentation](/object-storage/api-cli/bucket-policy/) for more information on bucket policies. + +## Compliant bucket creation checklist + +Make sure that your bucket follows the requirements below: + +1. Make sure that you [created your bucket](#how-to-create-a-compliant-bucket) in the **France - Paris** (`fr-par`) region. + +2. Use [bucket policies](#enforcing-compliance-using-bucket-policies) to restrict permissions and prevent unwanted operations. + +3. Make sure that there are no active lifecycle rules for your bucket. + +4. Make sure that your objects within this bucket are not stored using the **Glacier** storage class. + +5. Use a valid [encryption method](#how-to-encrypt-objects). + +6. Configure your bucket for [compliant HDS deletion](#how-to-delete-objects). + +7. Follow the provided security best practices at all times. + +Refer to the [Object Storage Shared Responsibility Model](/object-storage/reference-content/storage-shared-responsibility-model/) for comprehensive information on the legal framework to host healthcare data. \ No newline at end of file 
diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index d5e4593493..6a5c9d2302 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts @@ -58,6 +58,10 @@ export const objectStorageMenu = { label: 'Manage lifecycle rules', slug: 'manage-lifecycle-rules', }, + { + label: 'Host healthcare data (HDS)', + slug: 'host-healthcare-data', + }, { label: 'View and abort incomplete multipart uploads', slug: 'abort-incomplete-mpu', @@ -184,6 +188,10 @@ export const objectStorageMenu = { }, { items: [ + { + label: 'Storage shared responsibility model', + slug: 'storage-shared-responsibility-model', + }, { label: 'Optimize your Object Storage performance', slug: 'optimize-object-storage-performance', diff --git a/pages/object-storage/reference-content/storage-shared-responsibility-model.mdx b/pages/object-storage/reference-content/storage-shared-responsibility-model.mdx new file mode 100644 index 0000000000..7e09656a0d --- /dev/null +++ b/pages/object-storage/reference-content/storage-shared-responsibility-model.mdx 
@@ -0,0 +1,366 @@ +--- +title: Scaleway storage services shared responsibility model +description: Learn about the shared responsibility model for Scaleway Block Storage and Scaleway Object Storage, outlining the roles of Scaleway and users in managing data encryption security, and healthcare data hosting (HDS) compliance. +tags: storage shared responsibility model compliance hds health data hosting +dates: + posted: 2025-11-12 + validation: 2025-11-12 +--- + +This document outlines the roles and responsibilities for maintaining and securing your Scaleway storage services, Block Storage and Object Storage including Glacier. Our shared responsibility model clarifies the division of duties between Scaleway and our users, ensuring clarity in managing availability, backups, configurations, and security measures for your storage solutions. By understanding this shared responsibility, you can optimize the performance, reliability, and security of your Scaleway storage services. + +## Service provision + +Scaleway is responsible for the operational maintenance of all components essential to providing the Service. These include: + +* **Physical infrastructure:** Managing the physical sites that house the hardware infrastructure used for the Service. + +* **Hardware infrastructure:** Maintaining the underlying hardware. Monitors resource utilization rate and updates its capacity plan. + +* **Virtual infrastructure:** Ensuring the functionality of the virtualized environment. + +* **Hosting platform:** Operating the application and database hosting platform. + +* **Network:** Establishing storage space connectivity in its default configuration. + +* **Applications and databases:** Maintaining the applications and databases themselves. + +Furthermore, Scaleway procures the necessary licenses and usage rights for any third-party solutions that are either used by Scaleway in delivering the Service or made available to the client as part of the Service. 
It provides the client with necessary information regarding the characteristics and conditions of use of the Service. It also plans and implements updates to the various Service components also considering third-party products used within the Service. + +You are responsible to ensure that users comply with the Service's terms of use. + +Scaleway is responsible for monitoring, managing, and forecasting the Service APIs and physical cluster capacity. + +You are responsible for informing Scaleway ahead of time of significant changes in your storage capacity forecast. + +## Logs and monitoring + +Scaleway is responsible for the proper monitoring of the Service, including: + +* Retaining access logs and event traces related to the use and administration of the Services, such as objects and storage spaces (volumes, buckets) creation and deletion, server configuration (including physical and software resource configuration), and user and access rights additions and deletions. + +* Making access logs and event traces available to the client upon request. + +### Your responsibilities + +* Retain access logs and event traces provided by the Service Provider. + +* Ensure the successful completion of tasks performed while using the Service (e.g., volume creation for Block Storage, implementing integrity checksums for Object Storage). + +* Monitor the available and remaining space within your provisioned volumes. + +## Product resiliency + +### Availability and steadiness + +Scaleway ensures high availability through resilient infrastructure, and technical and organizational measures, including monitoring service health and incident detection for the data hosted within the Service. Scaleway provides and maintains the operational condition of the control plane and APIs. + +Scaleway is responsible for: + +* Implementing resiliency for the Services within at least an Availability Zone (AZ), and for multi-AZ storage tiers only, across multiple Availability Zones. 
+ +* Monitoring service health, performance, and balancing the load of use of the Service. + +You are responsible for: + +* Implementing technical and organizational measures to ensure the continuity of your activities, taking into account the conditions of use and characteristics of the Service, including the nature and criticality of data stored. + +* Configuring the Service in accordance with your needs, particularly in terms of availability. + +* Monitoring and notifying us of breaches of Service Level Agreement concerning the availability of the service. + +#### Performance + +You are responsible for optimizing your applications' use of Storage Services. Scaleway monitors and optimizes infrastructure-level performance, but note that: + +* Glacier cold storage data access requires object restoration and can incur delays, + +* For the Object Storage Service, multipart uploads and concurrent requests should be used for large files. + +**Data Integrity** + +For all Storage Services, you are responsible for: + +* Verifying the successful completion of read and write operations. + +* Verifying the successful completion and integrity of backups. + +For the Object Storage Service, Scaleway provides a checksum of each uploaded object, allowing the client to perform integrity control or control the integrity of the checksum provided to the client at the time of upload, if applicable. + +You are responsible for: + +* Verifying the successful completion of the upload via a checksum control. + +* Controlling the availability and integrity of objects, and restoring damaged objects. + +## Backups and replication + +While Scaleway provides internal resiliency mechanisms and features, it is your responsibility to implement a backup strategy appropriate to your needs and the criticality of your activities, including: + +* External backups. + +* Replication to other regions (as allowed by regulations). 
+ +* Management of your backups and snapshots, and regular verification of their integrity. + +Internal resilience does not protect against accidental deletions or application-level corruption. + +## Configuration and management + +Scaleway is responsible for the configuration of API and dataplane settings. + +You are responsible for managing the state of your storage spaces and objects. This includes monitoring and configuring service-level features and policies available for your storage space. + +You are responsible for: + +* Creating storage spaces (buckets, volumes) + +* Provisioning additional space or storage spaces according to your needs + +* Managing volume attachment, detachment, and deletion according to your needs + +* Managing snapshots, and snapshots deletion according to your needs + +### Object Storage class & lifecycle rules + +You are responsible for selecting appropriate storage classes, cleaning up unnecessary parts or data, and using lifecycle rules according to your needs. Note that a delay may occur if transitioning or expiring a high number of objects through lifecycle rules per day. + +### Access control + +Scaleway provides versioning, IAM, and specific Service-level access control tools (ACLs, bucket policies.) + +You are responsible for managing authorizations and access of your personnel to the Service (Console, API and storage spaces), and for ensuring the security of your personnel's authentication means. Your responsibilities include: + +* Ensuring public visibility settings align with your intentions. + +* Regularly reviewing access rules and permissions. + +* Activating two-factor authentication (2FA). + +* Configuring bucket policies (enforcing access limitations under certain conditions such as whitelisting or blacklisting certain IPs (allow or deny, IP range)). + +Scaleway enforces your configurations but does not intervene in its definition or maintenance. 
+ +### Versioning + +You are responsible for: + +* Enabling or deactivating versioning for data recovery. + +* Managing versioned objects' lifecycle according to your needs. + +## Encryption and data deletion + +### Encryption + +You are responsible for using the encryption methods provided by Scaleway or other third-party encryption solutions. + +For client-side encryption or customer-managed encryption keys, you are responsible for: + +* Managing your encryption keys securely, including activating HTTPS for secure transit. + +* Guaranteeing availability, resiliency, or backups for your keys. + +* Handling key lifecycle management, rotation, and secure storage. + +* Ensuring data becomes permanently inaccessible when keys are destroyed. + +### Encryption in transit + +Scaleway provides secure HTTPS endpoints. You must: + +* Ensure clients use HTTPS. + +* Avoid transmitting unencrypted data. + +* Validate certificates and enforce TLS in custom tools. + +### Data deletion + +Deletion is initiated only by you, manually, or via configured retention rules. + +Scaleway: + +* Deletes volumes/snapshots/objects upon request, or after the configured retention period. + +* Does not check volume/snapshots/object content before deletion. + +* Cannot recover data if versioning is not enabled. + +## Data residency + +* The customer is responsible for selecting the data location at the time of volume/bucket creation. + +* Scaleway commits not to modify the geographical location of data without the prior agreement of the customer. + +* The Glacier class systematically stores objects in Paris, regardless of the Region chosen for the bucket. + +## Identity and access management + +Scaleway provides tools for access control (IAM, ACLs, and policies). You are responsible for: + +* Defining and regularly auditing permissions. + +* Following least-privilege principles. + +* Managing and protecting API keys and credentials. + +* Detecting and responding to unauthorized access. 
+ +## Platform and service security + +### Scaleway responsibilities + +Scaleway ensures: + +* Physical and network security of datacenters. + +* Resiliency according to storage class criteria and DDoS protections. + +* Risk analysis and mitigation related to the implementation and provision of services. + +* Detecting security threats or data violations. + +Scaleway manages the authorizations, controls and secures the access of its personnel to the Service management interfaces, API, servers, network equipment and other components used within the Service. Scaleway ensures the security of its personnel's authentication means. + +Scaleway manages and monitors vulnerabilities related to the provision of its Services (infrastructure, OS, software, etc.) and implements corrective measures. + +See Security & Resilience and Trust Center. + +### User responsibilities + +You are responsible for: + +* Securing your applications and clients. + +* Conducting risk analysis and mitigation related to your use of the Service. + +* Controlling and protecting access to hardware infrastructures and hosting sites that are not under Scaleway's control and responsibility. + +* Implementing proper error handling. + +* Monitoring your usage, logs and patterns. + +* Conducting periodic vulnerability tests, and applying corrective measures, also for third-party and open-source products + +* Communicating known vulnerabilities, security incidents, or detected anomalies to Scaleway. + +## Service termination + +You determine when to terminate using the Service and are responsible for: + +* Planning and implementing reversibility operations. + +* Recovering all data. + +* Ensuring the complete finalization of reversibility operations before triggering the deletion of objects, snapshots or storage spaces (volumes, buckets). + +* Confirming the successful deletion of storage resources at the end of the reversibility process. 
+ +Scaleway undertakes to: + +* Maintain the availability of the Service until the effective termination date to ensure the smooth progress of reversibility operations. + +* Make available to the Client, upon simple request, its reversibility policy as well as any relevant information for the execution of these operations. + +* Guarantee the effective deletion of storage resources upon deletion request. Scaleway is responsible for deleting all data from the storage material before disposal and destroying the storage media. + +* Provide a data deletion certificate upon request. + +## HDS specifics (Hébergement de Données de Santé) + +This section outlines the specific requirements and responsibilities for hosting healthcare data in compliance with the HDS regulatory framework. + +### HDS compliance requirements + +When storing healthcare data within Scaleway Storage Services, the client is responsible for: + +* Signing Scaleway's HDS contract. + +* Ensuring access is restricted to authorized personnel. + +* Creating new volumes, snapshots, or buckets specifically for uploading HDS-compliant data. + +* Following Scaleway’s documentation on ensuring HDS compliance. + +* Using authorized storage classes only and not using the object lifecycle rules feature. + +Scaleway undertakes to provide HDS-certified infrastructure, and commits to maintain this certification. The loss of said certification may result in the termination of Scaleway’s commercial relationship with the HDS client. The aforementioned elements are included in the HDS contract signed by the client. + +### Data residency + +Scaleway guarantees that data remains within the authorized datacenters in Paris and does not access personal health data hosted by the client. + +You must: + +* Create storage spaces (volumes, buckets, snapshots) containing healthcare data in France only. + +* Configure replication within the authorized geographical perimeter (France) only. 
+ +* Ensure backups residency remains within the authorized geographical perimeter (France only) + +You must not configure replication, snapshots, backups or transfer data to regions outside the authorized perimeter. + +### HDS-compliant resources identification + +You are responsible for: + +* Knowing which Storage resources are HDS or not. + +* Attaching volumes to HDS-compliant Instances only. + +### Block Storage encryption and data deletion + +Encryption at rest is mandatory for Volumes hosting healthcare data. Deleted data cannot be restored. + +When using Block Storage, you are required to: + +* Encrypt volumes + +* Ensure secure key deletion after deleting data within your volumes to meet compliance requirements. + +Scaleway is responsible for: + +* Encrypting at rest the physical disks on which volumes are stored with state-of-the-art compliant encryption keys. + +* Managing the lifecycle, rotation and deletion of the disk encryption keys to access the underlying instances. + +### Object Storage encryption and data deletion + +Encryption at rest is mandatory for Object Storage buckets hosting healthcare data, with HDS-compliant key handling by Scaleway. Scaleway provides HDS-compatible mechanisms to encrypt data at rest and guarantee HDS-compliant data deletion. + +When using the Object Storage service, you are required to: + +* Follow the guidelines detailed in the documentation in order to enforce the additional encryption mechanisms required for HDS compliance. + +* Ensuring client-side data encryption or relying on existing encryption methods provided by Scaleway Object Storage. + +* Enforcing additional encryption mechanisms to guarantee HDS-compliant data deletion as described in documentation. + +#### Data deletion + +* Deletion of data stored in HDS-compliant buckets is irreversible: keys are destroyed using compliant crypto-shredding methods, + +* Deleted data cannot be restored, + +* The client must ensure backups before deletion. 
If SSE-C is used, the client must ensure secure key deletion to meet compliance requirements. + +Scaleway must maintain technical guarantees for secure deletion of healthcare data. + +### HDS-compliant storage classes and prohibited features + +For the Object Storage service: + +* You must use authorized HDS-certified storage classes only (Standard, One Zone). Glacier class is not HDS-compliant and must not be used by the client to store healthcare data. + +* You must not use the lifecycle rules feature that is not permitted for HDS-compliant buckets hosting healthcare data. + +For the Block Storage service: + +* You must not use legacy Block volumes and snapshots to host your HDS-compliant healthcare data. + +* If exporting/importing snapshots to and from Scaleway Object Storage, you must ensure to follow the above guidelines for end-to-end compliance across the Services. + + +This documentation must be read in conjunction with Scaleway's HDS contract and current certifications. In case of doubt, contact HDS support for clarification. +
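Review bot: In "Block Storage encryption and data deletion" the split of key ownership is unclear: you are told to "Encrypt volumes" and to "Ensure secure key deletion", while Scaleway's bullet covers "the disk encryption keys to access the underlying instances". State explicitly which keys are the customer's to manage and which are Scaleway's, and reword "to access the underlying instances" so it names what those keys protect. In the general "Encryption" list, "including activating HTTPS for secure transit" is a transport control that already has its own "Encryption in transit" section, so it reads better there than under key management, and "availability, resiliency, or backups for your keys" probably wants "and" rather than "or". In "Data deletion", "Cannot recover data if versioning is not enabled" should be reconciled with the HDS sections, which say deleted data cannot be restored, by stating what versioning does and does not allow on HDS-compliant buckets. The separate "Access control" and "Identity and access management" sections both list reviewing permissions and protecting credentials; consider merging them or cross-referencing. Style: the Object Storage HDS list mixes "Follow" with "Ensuring" and "Enforcing", "**Data Integrity**" is bold where its sibling "#### Performance" is a heading, several bullets lack a final period ("Encrypt volumes", "(France only)"), and the text alternates between "you", "the client", "the customer" and "Service Provider" for the same two parties.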