For a SaaS company founded in the past decade, a US-based hyperscaler offering services for hosting infrastructure would have been the natural place to start. However, the legal landscape has changed a lot, and deciding where to host your infrastructure is now more than just a technical exercise.

In this episode of Sovereign DBaaS Decoded, we are joined by Jens Alm, the founder & CEO of Prorenata, a SaaS company that helps schools document medical records. Jens and our host Vinay Joosery discuss the laws and regulations healthcare service providers must adhere to. They also discuss the pros and cons of hosting your infrastructure on AWS.

Since Jens has moved his infrastructure to a smaller local platform, we asked him to share why he made this move, the challenges he faced, and the lessons he’s learned. He also emphasizes that working with smaller service providers allows for meaningful long-term partnerships beyond customer-vendor relationships.

Episode Highlights

Laws and Regulations That Prorenata Abides By 

”We provide a medical record system, and there are several regulations both on the EU level and in Swedish law that regulate what you can do with patient data, how you need to store it, the security, et cetera.

And some of these are the same for anything like GDPR and all the regulations around that. And others, more specifically for medical stuff. The medical regulations in Sweden are, for instance, the patient data law that gives a lot of restrictions on how, what, who can access the data, and what they’re allowed to do with it.

On top of that, many of our customers have added their interpretations or thoughts and then requirements on how we are supposed to use their data and store their data. And in addition to this, a medical record system is typically a medical device, and a medical device has its whole set of regulations. […]

So there are a lot of requirements, but those are legal requirements that are put on anything from pacemakers to medical record systems in schools. That’s also quite a bit of regulation around documentation. […]

On top of that, we have the fact that we are serving public agencies, and they have different levels of secrecy or publicity.”

So that’s also something that we need to cater to. It’s typically the agency’s issue. But we need to ensure that our product makes it easy for them to say what of our material is public, what is secret, and how we classify it. That goes more into the business logic of our application.”

Can You Remain Compliant If You’re Hosting EU Citizen Healthcare Data on a US Hyperscaler?

”The answer to that is no. We don’t think you can remain compliant if you’re hosting healthcare data on the US hyperscaler. That’s what we think, and that’s what many of our customers think. […]

There’s no final legal statement on that because that seems not to be done yet. But everything points to personal data on a US hyperscaler being an issue. And the more sensitive the data, the bigger the issue.

And we deal with some of the most sensitive data, which means it’s a categorical no to store that on the US hyperscaler unless you make serious commitments to encryption. Or it’s a no with an asterisk — and a categorical no for us — but it’s going to be up to each business and public sector to decide. But people I talk to point out that you should keep it within the EU to be compliant.”

Challenges of Migrating From One Cloud Platform to Another

”We had a lot of issues in the beginning after pulling off the migration. We had to scale because we weren’t able to test the production load in the new environment. […]

We did not know how much overhead Kubernetes adds.

Also, what’s the difference between the MySQL server that we’re going to use now that runs Vanilla MySQL versus MySQL Aurora? Both have more performance but different performance characteristics, mostly in terms of scalability. […]

The clock was ticking. We had customers saying, ‘If you don’t do this by this date, you’re going to be out of compliance’ and not saying that they would fine us but hinting that this was not okay.

We had files in multiple locations. We started with only moving the files for the customers that were hard on the date — and then keeping the massive terabytes of files that took months to move in an orderly fashion over to the new provider because they also had capacity issues.

We were used to being at AWS, and if we need capacity, you say click, click, click, and you got it at our scale. But when we moved to a much smaller Swedish provider — a company approximately our size — they might not have the capacity.”

A Silver Lining

”We got up on Kubernetes, and we’re super happy about that. We can now spin up a new environment in minutes for testing, QA, and so on. We can have customers spin up a sandbox environment if they want to integrate with our API; they can get their sandbox. That was pretty hard before, and we can do it now easily.

And we also deploy much more easily and consistently. We can build the Docker images on each push of code, et cetera, et cetera. And we can also switch providers because we are working on top of generic open-source frameworks like Kubernetes and Docker.”