Our Approach to Security
At Butterfly Network, we believe it is our responsibility to design devices and software that are secure by design and prioritize the security and privacy of the user and patient.
Security and Compliance
Butterfly’s cybersecurity team enforces and monitors cybersecurity operations within the company and its third-party business partners using globally recognized, industry-standard, risk-based frameworks and regulations, including the National Institute of Standards and Technology (NIST) frameworks, System and Organization Controls 2 (SOC 2), the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Butterfly also has a global privacy program that meets the requirements of data protection regulations such as the EU General Data Protection Regulation (GDPR). If you have questions about our comprehensive privacy program, please visit our Global Privacy FAQ.
Butterfly holds a SOC 2 Type 2 attestation report issued by an independent third-party auditor, the scope of which encompasses the iQ+ ecosystem across the entire organization. On an annual basis, the auditor evaluates the security, availability, and confidentiality trust services categories by testing both the design and the operating effectiveness of controls across domains including:
- Governance, Risk and Compliance
- Threat and Vulnerability Management
- Change Management and Software Development Life Cycle
- Logical Access
- Policies and Procedures
- Incident Response
- Internal and External Communications
- Personnel Security
- Endpoint Security
- Data Retention and Disposal
- Disaster Recovery, Backup, and Restore
- Third-Party Risk Management
Software
The primary software included in the Butterfly iQ+ system is developed in-house. Butterfly Network is responsible for managing the development and operation of the Butterfly iQ+ system, including the development and maintenance of infrastructure components such as servers, databases, and storage systems. Third-party tooling provides version control and change management for application source code, including the ability to roll back changes when necessary.
People
Butterfly Network’s organizational structure provides a framework for planning, executing, and controlling business operations. Executive and senior leadership play important roles in establishing the Company’s tone and core values. The Company follows a structured onboarding process to familiarize new employees with Butterfly’s tools, processes, systems, security practices, policies, and procedures. Internal assessments verify that employees understand and follow established policies.
Data
Customer data is managed, processed, and stored in accordance with the relevant data protection and other regulations, with specific requirements formally established in customer contracts. Butterfly Network captures customer data in order to deliver its mobile and cloud systems. Customer data in Butterfly Cloud is further protected by security measures such as encryption, monitoring and logging, vulnerability management, and system hardening.
Security Program and Organization
Butterfly’s Security Program utilizes industry-leading, risk-based frameworks and standards. Butterfly has a security team led by a Chief Information Security Officer (CISO) who is responsible for developing and maintaining security policies, enforcing security operations, and monitoring technical security within the company and its associated third parties.
Security Policies and Procedures
Butterfly Network has created and implemented security policies and procedures that establish organizational and technical baselines, define repeatable processes, and meet regulatory requirements. The security policies address the requirement to protect information from disclosure, unauthorized access, loss, corruption, and interference, and they apply to information in both electronic and physical formats.
Secure Development Lifecycle (SDLC) and Change Management
Butterfly has adopted a formal secure development lifecycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of information systems and technology requirements. Butterfly's change management process requires that changes be authorized, tested (where applicable), and documented before release.
Logical Access Controls
Butterfly Network has formal procedures for provisioning, modifying, reviewing, and revoking access to Butterfly's systems. Butterfly Network's Security Information and Event Management (SIEM) tool collects and correlates security event logs to identify risks affecting application, infrastructure, and operational security. Butterfly’s intrusion detection system continuously monitors the organization’s network for early identification of potential security breaches. All servers, workstations, applications, and infrastructure assets are monitored and tracked with dedicated security tools.
Availability
Butterfly Network monitors the capacity of critical systems to ensure that processing demands remain within acceptable limits. Backups of all Butterfly Network system data are performed periodically. Butterfly Network’s disaster recovery and business continuity policy details the procedures Butterfly Network personnel follow in the event of a disaster to ensure continued business operations and the availability of services and data.
Confidentiality
Customer data held by Butterfly Network is used solely for the purposes described in its contractual arrangements. Butterfly Network’s data retention policy reflects regulatory requirements. All customer data can be deleted upon request from the customer.
Conclusion
For more details on our security program, please contact us at security@butterflynetinc.com. Our security controls are constantly evolving to keep up with the dynamic threat landscape, so please come back to check out our latest updates.
More information about who we are, how we collect and use personal information about you, and how you can exercise your privacy rights can be found in our Privacy Notice. Similarly, if you have questions about our comprehensive privacy program, please visit our Global Privacy FAQ. Our Patient Privacy Notice explains how we collect and use patient data following the use of the Butterfly iQ+ device by our Customers, and beyond.