# For health data, compliance is an engineering posture, not a badge

- Category: product
- Author: Doru (https://indie.md/people/doru-bota/)
- Source: https://indie.md/events/indie-tm-9-timisoara-may-2026/
- Canonical URL: https://indie.md/advice/health-data-compliance-is-engineering/

The moment your product stores diagnoses, treatments, or medical images, you are processing special-category health data under Article 9 of the GDPR, which is prohibited by default and allowed only on a specific lawful basis such as the provision of health care or explicit consent. That triggers a higher bar than ordinary personal data: a data protection impact assessment, encryption and pseudonymization, access limited to staff bound by confidentiality, and a signed data-processing agreement with each clinic, under which the clinic is the controller and you are its processor. A "GDPR Compliant" badge on the landing page is marketing; for health data it has to be a documented engineering and legal reality. When you build a vertical SaaS that touches a regulated data class, the binding constraint is not your feature set, it is the data class, and you should design for it from the first table you create.
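As an added illustration of "design for it from the first table" (example code, not from the original post or any product it describes): a minimal per-clinic store that keeps direct identifiers in a separate table, references clinical records only by a keyed pseudonym whose key lives outside the database, and restricts reads to confidentiality-bound roles with an access log. Table names, roles and the sample patient are constructed assumptions; the identity table would additionally be encrypted in a real deployment.

```python
import hashlib
import hmac
import sqlite3


class ClinicalStore:
    """One store per clinic (the controller). `pseudonym_key` is a secret kept
    outside the database (e.g. in a KMS); without it the clinical_records table
    cannot be linked back to a patient, which is what makes it pseudonymous."""

    # Assumed roles whose staff are bound by a confidentiality obligation.
    CONFIDENTIALITY_BOUND_ROLES = {"clinician", "nurse"}

    def __init__(self, clinic_id: str, pseudonym_key: bytes):
        self.clinic_id = clinic_id
        self._key = pseudonym_key
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE patients (clinic_id TEXT, pseudonym TEXT PRIMARY KEY,
                                   name TEXT, national_id TEXT);
            CREATE TABLE clinical_records (clinic_id TEXT, pseudonym TEXT,
                                           diagnosis TEXT);
            CREATE TABLE access_log (clinic_id TEXT, user TEXT, pseudonym TEXT);
        """)

    def pseudonym(self, national_id: str) -> str:
        # Keyed hash: the same patient maps to the same pseudonym within one
        # clinic, but the value is not reversible or guessable without the key.
        msg = f"{self.clinic_id}:{national_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register_patient(self, name: str, national_id: str) -> str:
        p = self.pseudonym(national_id)
        self.db.execute("INSERT OR IGNORE INTO patients VALUES (?,?,?,?)",
                        (self.clinic_id, p, name, national_id))
        return p

    def add_diagnosis(self, pseudonym: str, diagnosis: str) -> None:
        # Only the pseudonym is stored next to health data, never name or ID.
        self.db.execute("INSERT INTO clinical_records VALUES (?,?,?)",
                        (self.clinic_id, pseudonym, diagnosis))

    def read_diagnoses(self, user: str, role: str, pseudonym: str) -> list:
        # Access is limited to confidentiality-bound roles and every read is logged.
        if role not in self.CONFIDENTIALITY_BOUND_ROLES:
            raise PermissionError(f"{user} ({role}) may not read health data")
        self.db.execute("INSERT INTO access_log VALUES (?,?,?)",
                        (self.clinic_id, user, pseudonym))
        rows = self.db.execute(
            "SELECT diagnosis FROM clinical_records WHERE clinic_id=? AND pseudonym=?",
            (self.clinic_id, pseudonym)).fetchall()
        return [r[0] for r in rows]
```

A data subject access or erasure request resolves through the patients table to the pseudonym and from there to the clinical rows, so both obligations remain possible without identifiers ever sitting beside diagnoses.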
