This FAQ is designed to answer frequently asked questions about Butterfly's approach to privacy, data protection and security, including how Butterfly addresses compliance with global data protection regulations such as the General Data Protection Regulation ("GDPR") and the Privacy Acts of Australia and New Zealand. It also aims to better inform our customers, the medical professionals (like you) who provide patient data to Butterfly, about how that data is handled.
We hope you find the FAQ useful. Please note however that this does not constitute legal advice nor is it intended to instruct your business on the necessary steps it should take to comply with your legal obligations.
Yes, at Butterfly, we believe in privacy by design and have a privacy program in place.
We cannot advise you on what privacy compliance looks like for you, but we can tell you about how our Services work and the security controls we have built in. We work hard to ensure that our Services employ industry leading security controls but, ultimately, it is up to you to assess whether your use of our Services is right for your business. At Butterfly, we aim to make that assessment easy for you by:
If you have any further questions about Butterfly's data protection compliance, please email our DPO by reaching out to support@butterflynetinc.com.
Yes – information security is of paramount importance to us at Butterfly. We expect all of our people to play a role in maintaining the security of information that our customers entrust us with.
Our Security team is headed by our Chief Information Security Officer (CISO). Our CISO is supported by a dedicated information security team whose job it is to ensure that we have appropriate technical and organizational security measures in place, including the measures described here.
In connection with our Services, medical professionals can upload and host within the Butterfly Platform certain patient data ("Patient Data"). Our customers determine what Patient Data is uploaded to the Platform, but it may include the patient's name, gender and date of birth (DOB) as well as the MRN scans captured through the iQ Device. It may also include the medical professional's clinical notes on the patient and their scans.
All Patient Data processed by Butterfly within the Butterfly Platform is considered personal information. The European Economic Area (EEA), and many countries outside the EEA, such as Australia and New Zealand, have laws that protect the collection, use, storage and transfer of the personal information of their residents. In fact, Patient Data is in many places treated as sensitive data (or "special category data") and is therefore subject to elevated protection and compliance requirements.
Butterfly has taken a number of steps so that its customers can confidently and securely capture and store Patient Data within the Butterfly Platform. Butterfly is committed to processing all personal information that we receive in compliance with applicable data protection and privacy laws.
Where your data is stored depends on the geographic location of your organization. We currently use the following AWS data centers to store data:
The regions do not limit customer access to Butterfly Network: they only dictate the geographic location where data is stored and where compute resources are provisioned. Note that while your data will be stored in the above regions, it may be accessed by Butterfly Network personnel located in the United States, but only to the extent necessary to support, secure and maintain the services in accordance with our contract with our customers. Data in pseudonymized or aggregated form may also be stored in our central storage and processing systems in the United States or Europe.
No, this is not the case. British Columbia's Freedom of Information and Protection of Privacy Act (FOIPPA) and Nova Scotia's Personal Information International Disclosure Protection Act (PIIDPA) contain exceptions whereby public bodies in those provinces can store personal information outside of Canada if the information has been identified to the individual, and the individual who the information is about has consented to their information being accessed from or stored in another jurisdiction, in accordance with FOIPPA's or PIIDPA's regulations. PIIDPA provides further leeway to heads of Nova Scotian public bodies to allow the storage of personal information outside of Canada where the storage is needed to meet the necessary requirements of the public body's operation.
No, GDPR does not require EEA personal data to stay in the EEA. GDPR does restrict transfers of EEA personal data outside the EEA to countries like the United States, unless the recipient provides appropriate safeguards for such data. However, Butterfly Network's EEA data processing addendum, which includes our Standard Contractual Clauses, enables our customers to lawfully transfer EEA personal data to Butterfly Network located in the United States. Please see "How does Butterfly Network comply with EU data export laws?" to find out what the recent decision of the Court of Justice of the European Union, which invalidated the EU-US Privacy Shield, means for Butterfly and our customers.
When medical professionals transmit Patient Data to Butterfly they (or the hospital they work for) are the controller, Butterfly is typically the processor, and the patient is the data subject. As a processor, Butterfly commits to process EEA and UK Patient Data in compliance with the requirements of Article 28 GDPR in its standard data processing addendum (DPA), a copy of which is annexed to its standard terms (available upon request).
Butterfly sometimes acts as a controller in its relationship with medical professionals, for example when Butterfly collects information about medical professionals for the purposes of marketing, sales and managing the relationship with the medical professional (or the hospital they work for).
Butterfly may, where permitted by applicable law and its customers, also act as a controller with respect to certain Patient Data in connection with its deep learning activities. You can find out more about this by reviewing the Butterfly Patient Privacy Notice, which explains how we use Patient Data for such purposes.
Butterfly is engaged in ongoing compliance initiatives with support from specialist external advisors to address GDPR compliance. Specific measures we have taken, in addition to those described above, include:
Butterfly Network is committed to GDPR compliance and understands the importance of this to its customers.
EEA and UK data protection laws prohibit the export of personal information outside of the EEA and UK to non-EEA and non-UK recipients, unless certain safeguards are in place.
Butterfly Network is headquartered in the United States, though it offers its Services to customers around the world, including medical professionals located in the EEA, UK and Switzerland. Therefore, Butterfly will process personal information that originates from the EEA, UK and Switzerland on its servers and facilities in the United States and Europe by leveraging our Standard Contractual Clauses which include the technical and organizational measures we use to safeguard data.
Butterfly has put a number of measures in place to ensure that EEA and UK data remains protected when it is transferred outside of Europe.
We are also closely following the developments of the CJEU decision and subsequent guidance from the European data protection regulators to determine whether we need to make any additional changes to our privacy practices, including implementing any additional safeguards as a data importer.
Butterfly is committed to the security and privacy of the data our customers store in our cloud services. Butterfly believes that our customers should control their data. When government, law enforcement or other third parties make a lawful request for customer data from Butterfly, it is our practice to redirect such requests to the customer where practical and legally permitted. If we are not able to redirect the request to the customer, Butterfly will limit such disclosure to the data specified in the request. We will also notify our customers of any government, law enforcement or third-party request for customer data to the extent legally permitted.
When Butterfly contracts with a third party that in any way interacts with Patient Data, Butterfly first requires that these third parties pass a security and risk assessment to ensure they uphold the same standards as Butterfly with respect to personal information. In addition, Butterfly ensures these companies are contractually obligated to implement and uphold equivalent security measures to protect Patient Data.
Our current list of sub-processors that process sensitive patient information is as follows. As our business grows and evolves, the sub-processors we engage may also change. Please check back frequently for updates.

Entity Name                        Type         Location
Amazon Web Services, Inc. (AWS)    Corporate    USA
Splunk Inc. (AWS)                  Corporate    USA
New Relic                          Corporate    USA
The data protection and privacy laws in some countries require that patients be provided with information about how their data will be used and disclosed (including information about intended recipients of their information, and information about the agency that holds their information). In some cases, this requires notice of the processing being undertaken by Butterfly. If this is a requirement in your jurisdiction, please provide patients with access to the Butterfly Patient Privacy Notice, to ensure that they understand how Butterfly may process and use their personal information in connection with the Butterfly Services.
Certain privacy laws (including GDPR) give patients the right to request a copy of the data that you hold about them. This might be called a "data subject access request". If a patient makes a data subject access request directly to Butterfly, we will in our capacity as a processor pass the request on to you as soon as practicable and, where Butterfly holds the data requested, Butterfly will provide you with the relevant patient data in accordance with our contract with you.
As well as the right to access data you hold about them, patients may also have other rights under applicable data protection and privacy laws (like GDPR in the EEA and UK). Such rights may include the right to have inaccurate or incomplete data rectified, have their data deleted or to ask that you stop processing their data. Patients may also be able to ask you to transfer the data that you hold about them to another medical professional. If a patient wishes to exercise any of their rights in relation to their Patient Data, we will provide you with reasonable assistance to facilitate your response to the patient's request. If a patient contacts us directly seeking to exercise such rights, we will pass the request on to you as soon as practicable.
Butterfly also collects personal information about customers/medical professionals in order to promote Butterfly products, set them up with a Butterfly account, process orders, and respond to inquiries. These data are protected by the same security measures. Our Privacy Notice contains details of how Butterfly processes a medical professional’s personal information and the rights that they have with respect to it.
For more information on the updated Standard Contractual Clauses, please visit our SCC FAQ.
If you have any general questions or require assistance, please contact support@butterflynetinc.com.
For any data privacy/security questions or assistance, please contact dpo@butterflynetinc.com.