Last Updated: 26 March 2020
This FAQ is designed to answer frequently asked questions about Butterfly's approach to privacy, data protection and security, including how Butterfly addresses compliance with global data protection regulations such as the European Union's General Data Protection Regulation ("GDPR"), Australia and New Zealand’s Privacy Act. It also aims to better inform our customers, medical professionals (like you), regarding the patient data you provide to Butterfly.
We hope you find the FAQ useful. Please note however that this does not constitute legal advice nor is it intended to instruct your business on the necessary steps it should take to comply with your legal obligations.
Yes, at Butterfly, we have a comprehensive privacy program in place.
We cannot advise you on what privacy compliance looks like for you, but we can tell you about how our Services work and the security controls we have built in. We work hard to ensure that our Services employ industry leading security controls but, ultimately, it is up to you to assess whether your use of our Services is right for your business. At Butterfly, we aim to make that assessment easy for you by:
If you have any further questions about Butterfly's data protection compliance, please email our DPO using the contact details above.
Yes – information security is of paramount importance to us at Butterfly. We expect all of our people to play a role in maintaining the security of information that our customers entrust us with.
Our Security team is headed by our Chief Information Security Officer (CISO). Our CISO is supported by a dedicated information security team whose job it is to ensure that we have appropriate technical and organizational security measures in place, including the measures described here.
In connection with our Services, medical professionals can upload and host within the Butterfly Platform certain patient data ("Patient Data"). Our customers determine what Patient Data is uploaded to the Platform, but it may include the patient's name, gender, DOB as well as the MRN scans captured through the iQ Device. It may also include the medical professional’s clinical notes on the patient and their scans.
All Patient Data processed by Butterfly within the Butterfly Platform is considered personal information and the EU, and many countries outside the EU such as Australia and New Zealand, have laws, which protect the collection, use, storage and transfer of the personal information of their residents. In fact, Patient Data is in many places treated as sensitive data (or "special category data") and is therefore subject to elevated protection and compliance requirements
Butterfly has taken a number of steps so that its customers can confidently and securely capture and store Patient Data within the Butterfly Platform. Butterfly is committed to processing all personal information that we receive in compliance with applicable data protection and privacy laws.
Where your data is stored depends on the geographic location of your organization. We currently use the following AWS data centers to store data:
The regions do not limit customer access to Butterfly Network: they only dictate the geographic location where data is stored and where compute resources are provisioned. Note that while your data will be stored in the above regions, it may be accessed by Butterfly Network personnel located in the United States, but only to the extent necessary to support, secure and maintain the services in accordance with our contract with our customers. Data in pseudonymized or aggregated form may also be stored in our central storage and processing systems in the United States.
No, this is not the case. British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) and Nova Scotia’s Personal Information International Disclosure Protection Act (PIIDPA) contain exceptions whereby public bodies in those provinces can store personal information outside of Canada if the information has been identified to the individual and the individual who the information is about has consented to their information being accessed from or stored in another jurisdiction in accordance FOIPPA’s or PIIDPA’s regulations. PIIDPA provides further leeway to heads of Nova Scotian public bodies to allow the storage of personal information outside of Canada where the storage is to meet the necessary requirements of the public body's operation.
No, GDPR does not require EU personal data stay in the EU. GDPR does restrict transfers of EU personal data outside the EU to countries like the United States, unless the recipient provides appropriate safeguards for such data. However, Butterfly Network's EU data processing addendum, which references our Privacy Shield certification, and the European Commission’s model clauses, enables our customers to lawfully transfer EU personal data to Butterfly Network located in the United States. You can find details of our Privacy Shield certification here.
When medical professionals transmit Patient Data to Butterfly they (or the hospital they work for) are the controller, Butterfly is typically the processor, and the patient is the data subject. As a processor, Butterfly commits to process EU Patient Data in compliance with the requirements of Article 28 GDPR in its standard data processing addendum (DPA), a copy of which is annexed to its standard terms (available upon request).
Butterfly sometimes acts as a controller in its relationship with medical professionals, for example when Butterfly collects information about medical professionals for the purposes of marketing, sales and managing the relationship with the medical professional (or the hospital they work for).
Butterfly may, where permitted by applicable law and its customers, also act as a controller with respect to certain Patient Data in connection with its deep learning activities. You can find out more about this by reviewing the Butterfly Patient Privacy Notice, which explains how we use Patient Data for such purposes.
Butterfly has embarked on a compliance project with support from specialist external advisors to address GDPR compliance. Specific measures we have taken, in addition to those described above include:
Butterfly Network is committed to GDPR compliance and understands the importance of this to its customers.
EU data protection law prohibits the export of personal information outside of the European Economic Area ("EEA") to non-EEA recipients, unless certain safeguards are in place.
Butterfly Network is headquartered in the United States, though it offers its Services to customers around the world, including medical professionals located in the EEA and Switzerland. Therefore, Butterfly will process personal information that originates from the EEA and Switzerland on its servers and facilities in the United States.
To ensure compliance with EU data export laws, Butterfly has self-certified to the EU-US and Swiss-US Privacy Shield to facilitate the lawful transfer of data from the EEA and Switzerland to Butterfly for processing in the United States. To find out more about the Privacy Shield, see www.privacyshield.gov, or to view our Certification, see https://www.privacyshield.gov/participant?id=a2zt00000008hnlAAA&status=Active.
In addition, where the transfer is not covered by Butterfly's Privacy Shield certification, Butterfly agrees to process EEA and Swiss data in compliance with the EU Standard Contractual Clauses (also sometimes called "Model Clauses"). These are standard form data export terms that have been pre-approved by the European Commission, and by signing them Butterfly commits to protect personal information (including Patient Data) it receives from its EU customers to EU data protection standards.
When Butterfly contracts with a third party that in any way interacts with Patient Data, Butterfly first requires that these third parties pass a security and risk assessment to ensure they uphold the same standards as Butterfly with respect to personal information. In addition, Butterfly ensures these companies are contractually obligated to implement and uphold equivalent security measures to protect Patient Data.
Our current list of sub-processors is as follows, as our business grows and evolves, the subprocessors we engage may also change. Please check back frequently for updates.