Custom Healthcare SaaS Development: HDS and GDPR

PeakLab designs and builds custom SaaS software for the healthcare sector: business platforms for pharmacies and laboratories, care coordination tools, patient portals, management software for facilities and companies serving the medical world. In practice, we handle the entire project from Paris: scoping, architecture, development, HDS-certified hosting (the French health data hosting certification), GDPR compliance applied to health data, and interoperability with the French ecosystem (the INS national health identity, Mon espace santé, and the Ségur du numérique requirements).

Our most concrete proof in the sector: the SaaS platform we built for ODD Pharma, a player in the pharmaceutical industry, now generates 6,000 € in monthly recurring revenue. It is not a prototype or a sales demo, it is a live product billed to its users every month.

This page is written for leaders whose business is already running: the founder of a company serving the medical sector, the head of a pharmacy or clinic network, a laboratory director who wants to turn in-house expertise into sellable software. If you are looking for your very first business idea, this is probably not the right door. If you run a profitable business and face a problem nobody solves properly, this is exactly our territory.

Building healthcare SaaS is not building regular SaaS with a medical coat of paint. Three regulatory workstreams shape the project from week one, and ignoring them gets paid for later in costly rework.

Health data hosting (HDS certification)

As soon as your software collects, stores or processes health data on behalf of third parties, hosting must be provided by an HDS-certified provider. This is neither optional nor a marketing label, it is a French legal obligation. The choice of host shapes the architecture (data location, encryption, backups, access logging) and the running costs. We design the infrastructure around this constraint from day one, rather than migrating in a hurry after a first audit or a client request.

GDPR applied to health data

Health data is a special category under GDPR: a specific legal basis, strict data minimisation, an impact assessment (DPIA) that is often mandatory, and regulated retention periods. In practice this lives in the code: fine-grained access rights per profile, a trace for every record consultation, anonymised or pseudonymised test environments, and export and deletion procedures on request. These mechanisms are designed when the database is modelled, not bolted on afterwards.

Interoperability: INS, Mon espace santé, Ségur du numérique

Isolated healthcare software loses value fast. The national health identity (INS) makes patient identification reliable, Mon espace santé, the successor to the DMP shared medical record, centralises documents, and the Ségur du numérique programme pushes all vendors towards shared exchange standards. Depending on your use case, interoperability can be a regulatory prerequisite or simply a decisive commercial advantage over closed software. We assess this during scoping to size the project correctly.

Not every situation justifies custom development, and we say so in meetings when that is the case. An off-the-shelf vendor product is often the right choice when your need is standard: scheduling, invoicing, routine claims transmission. Custom development becomes relevant in three specific situations.

The classic trap is bending a generic product with add-on modules and workarounds: two years in, you pay a high subscription for a tool nobody likes, owning neither the code nor the data. Conversely, a poorly scoped custom build becomes a bottomless pit. Our role is to settle this trade-off coldly, with numbers, before writing a single line of code.

We built for ODD Pharma, a client in the pharmaceutical industry, a SaaS platform now in production that generates 6,000 € in monthly recurring revenue. Beyond the number, this project illustrates our conviction: well-targeted business software in a regulated sector can become an asset that produces revenue, not just another IT cost line.

What this project taught us, and what we reinvest in every healthcare SaaS: compliance is treated as a product feature rather than a legal appendix, adoption by busy professionals is won with sober interfaces that save time from the very first use, and the subscription model must be designed into the technical foundation (account management, recurring billing, service tiers).

We do not publish a fictional price grid, but here are honest reference points. A first usable version of a custom healthcare SaaS is generally built in three to six months, depending on the functional scope and the level of interoperability required. On the budget side, a serious product in this sector represents an investment of several tens of thousands of euros, with HDS-certified hosting and traceability requirements adding a real premium compared to standard SaaS. Be wary of very low quotes: in healthcare, what is not budgeted at design time is paid for later in compliance work.

We are a tight-knit team founded by Lucien Arbieu and Fahari Hamada, and you work directly with the people who design and code your product. The project starts with a scoping phase where we translate your business expertise into specifications: who uses the software, which health data flows through it, which obligations apply, what gets billed. Then deliveries are short and regular: you see the product progress every two to three weeks on a test environment, with anonymised data. More than 20 projects delivered and a 4.9/5 Google rating across 18 reviews come down to one simple thing: we deliver what we announce, and we stay after launch to keep the product alive and help it handle growth.