SecNumCloud

How Scrydon supports the ANSSI SecNumCloud baseline — sovereign cloud security for French public sector and critical infrastructure.

ANSSI's SecNumCloud is the French national cybersecurity agency's qualification scheme for cloud service providers handling sensitive data. It's commonly required by the French public sector and operators of essential / vital services.

Scrydon does not run SecNumCloud-qualified infrastructure itself — that qualification applies to cloud providers, not to applications running on them. Scrydon is built so that deploying it on a SecNumCloud-qualified provider (or on-prem) preserves your overall qualification.

How the customer-deployed model helps

SecNumCloud's hardest requirements concern data residency, sovereignty, and operator control. Scrydon's architecture sidesteps the most painful ones:

  • Data residency. The platform runs in your cluster — typically a SecNumCloud-qualified IaaS in France. Customer data never leaves the qualified perimeter.
  • Sovereignty. Scrydon (the vendor) has no access to the platform at runtime. The only outbound call is the license heartbeat to license.scrydon.com.
  • Operator control. Your operations team owns the platform — its lifecycle, secrets, configuration, logs.

Required complements

To deploy Scrydon under SecNumCloud, you'll typically also need:

| Requirement | How |
|---|---|
| SecNumCloud-qualified IaaS | OVHCloud, Outscale, Iliad / Numspot, or another qualified provider. |
| Sovereign IdP | An IdP operating under SecNumCloud or equivalent. Microsoft Entra is not SecNumCloud-qualified; consider a sovereign alternative if your SecNumCloud scope requires it. |
| Sovereign AI providers | The integration registry can be restricted to self-hosted (Ollama, vLLM, Azure AI Foundry in a sovereign tenancy) or sovereign cloud LLM providers. |

The integration registry is the lever for the AI-provider question: you can install only the providers your SecNumCloud scope permits.

Air-gapped option

For deployments under stricter sovereignty constraints (e.g. classified environments), the air-gapped install path is the right starting point. In air-gapped mode the license heartbeat is optional (operations continue under your contractual licence), and you opt out of the Copilot Backend dependency.

Audit and evidence

| Control area | Scrydon support |
|---|---|
| Access management | Identity & Provisioning, Permission model |
| Logging and traceability | Audit logging with extended retention |
| Encryption | TLS 1.2+, mTLS internal, AES at rest; HYOK option for sovereign key management |
| Vulnerability management | Signed images, SBOM, scheduled patching |
| Operator transparency | This documentation site; the support relationship is documented |