Butterfly Network ("Butterfly") Global Privacy FAQs
Last Updated: 13 October 2022
This FAQ is designed to answer frequently asked questions about Butterfly's approach to privacy, data protection and security, including how Butterfly addresses compliance with global data protection regulations such as the General Data Protection Regulation ("GDPR") and the Privacy Acts of Australia and New Zealand. It also aims to better inform our customers, medical professionals (like you), about the patient data you provide to Butterfly.
We hope you find the FAQ useful. Please note however that this does not constitute legal advice nor is it intended to instruct your business on the necessary steps it should take to comply with your legal obligations.
Does Butterfly have a privacy program?
Yes, at Butterfly, we believe in privacy by design and have a privacy program in place.
We cannot advise you on what privacy compliance looks like for you, but we can tell you about how our Services work and the security controls we have built in. We work hard to ensure that our Services employ industry leading security controls but, ultimately, it is up to you to assess whether your use of our Services is right for your business. At Butterfly, we aim to make that assessment easy for you by:
- Having detailed data protection and security terms in our standard contracts, including a GDPR compliant Data Processing Addendum.
- Having technical and organizational security measures in place to protect personal information that you trust us with, including the measures described here.
- Appointing a data protection officer (DPO) to oversee the continued development of Butterfly's commitment to privacy and data protection. You can contact our DPO at firstname.lastname@example.org.
If you have any further questions about Butterfly's data protection compliance, please email our DPO at email@example.com.
Does Butterfly have a dedicated security team?
Yes – information security is of paramount importance to us at Butterfly. We expect all of our people to play a role in maintaining the security of information that our customers entrust us with.
Our Security team is headed by our Chief Information Security Officer (CISO). Our CISO is supported by a dedicated information security team whose job it is to ensure that we have appropriate technical and organizational security measures in place, including the measures described here.
What personal information do we process?
In connection with our Services, medical professionals can upload and host within the Butterfly Platform certain patient data ("Patient Data"). Our customers determine what Patient Data is uploaded to the Platform, but it may include the patient's name, gender and DOB, as well as the MRN and the scans captured through the iQ Device. It may also include the medical professional’s clinical notes on the patient and their scans.
All Patient Data processed by Butterfly within the Butterfly Platform is considered personal information. The European Economic Area (EEA), and many countries outside the EEA, such as Australia and New Zealand, have laws that protect the collection, use, storage and transfer of the personal information of their residents. In fact, Patient Data is in many places treated as sensitive data (or "special category data") and is therefore subject to elevated protection and compliance requirements.
Butterfly has taken a number of steps so that its customers can confidently and securely capture and store Patient Data within the Butterfly Platform. Butterfly is committed to processing all personal information that we receive in compliance with applicable data protection and privacy laws.
Where is Patient Data stored?
Where your data is stored depends on the geographic location of your organization. We currently use the following AWS data centers to store data:
- Europe: Your data is stored in the AWS eu-central-1 (Frankfurt) region.
- Australia and New Zealand: Your data is stored in the AWS ap-southeast-2 (Sydney) region.
- Canada: Your data is stored in the AWS (Montreal, QC) region.
- North America and Rest of the World: Your data is stored in the AWS us-east-1 (Northern Virginia) and AWS us-west-2 (Oregon) regions.
The regions do not limit customer access to Butterfly Network: they only dictate the geographic location where data is stored and where compute resources are provisioned. Note that while your data will be stored in the above regions, it may be accessed by Butterfly Network personnel located in the United States, but only to the extent necessary to support, secure and maintain the services in accordance with our contract with our customers. Data in pseudonymized or aggregated form may also be stored in our central storage and processing systems in the United States or Europe.
Is it true that public bodies in British Columbia and Nova Scotia must store all personal information they hold within Canada?
No, this is not the case. British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) and Nova Scotia’s Personal Information International Disclosure Protection Act (PIIDPA) contain exceptions whereby public bodies in those provinces can store personal information outside of Canada if the information has been identified to the individual and the individual who the information is about has consented to their information being accessed from or stored in another jurisdiction in accordance with FOIPPA’s or PIIDPA’s regulations. PIIDPA provides further leeway to heads of Nova Scotian public bodies to allow the storage of personal information outside of Canada where the storage is to meet the necessary requirements of the public body's operation.
Does GDPR require EEA personal data to stay in the EEA?
No, GDPR does not require EEA personal data to stay in the EEA. GDPR does restrict transfers of EEA personal data outside the EEA to countries like the United States, unless the recipient provides appropriate safeguards for such data. However, Butterfly Network's EEA data processing addendum, which includes our Standard Contractual Clauses, enables our customers to lawfully transfer EEA personal data to Butterfly Network located in the United States. Please see "How does Butterfly Network comply with EEA data export laws?" to find out what the recent decision of the Court of Justice of the European Union, which invalidated the EU-US Privacy Shield, means for Butterfly and our customers.
What are the relevant roles of Butterfly, the patient, and medical professionals under GDPR?
When medical professionals transmit Patient Data to Butterfly they (or the hospital they work for) are the controller, Butterfly is typically the processor, and the patient is the data subject. As a processor, Butterfly commits to process EEA and UK Patient Data in compliance with the requirements of Article 28 GDPR in its standard data processing addendum (DPA), a copy of which is annexed to its standard terms (available upon request).
Butterfly sometimes acts as a controller in its relationship with medical professionals, for example when Butterfly collects information about medical professionals for the purposes of marketing, sales and managing the relationship with the medical professional (or the hospital they work for).
Butterfly may, where permitted by applicable law and its customers, also act as a controller with respect to certain Patient Data in connection with its deep learning activities. You can find out more about this by reviewing the Butterfly Patient Privacy Notice, which explains how we use Patient Data for such purposes.
What is Butterfly doing to comply with and help its customers comply with the GDPR?
Butterfly is engaged in ongoing compliance initiatives with support from specialist external advisors to address GDPR compliance. Specific measures we have taken, in addition to those described above include:
- Amending our contracts with vendors and customers to ensure the terms comply with the GDPR.
- Ensuring our privacy policies and notices clearly explain Butterfly's commitment to GDPR and the rights which individuals have with respect to their data. You can review the Butterfly Privacy Notice here.
- Formalizing our processes around data subject rights to ensure that we are able to more efficiently help our customers respond to data subject requests.
- Ensuring the use of robust and appropriate security measures to safeguard any data collected and processed on systems owned or managed by Butterfly.
- Carrying out Data Protection Impact Assessments to identify and minimize risks to Patient Data. We have also put together specific resources to help our customers conduct their own DPIAs (available on request).
- Maintaining accurate records of the personal information processing that we undertake.
Butterfly Network is committed to GDPR compliance and understands the importance of this to its customers.
How does Butterfly Network comply with EEA data export laws?
EEA and UK data protection laws prohibit the export of personal information outside of the EEA and UK to non-EEA and non-UK recipients, unless certain safeguards are in place.
Butterfly Network is headquartered in the United States, though it offers its Services to customers around the world, including medical professionals located in the EEA, UK and Switzerland. Therefore, Butterfly will process personal information that originates from the EEA, UK and Switzerland on its servers and facilities in the United States and Europe by leveraging our Standard Contractual Clauses which include the technical and organizational measures we use to safeguard data.
What measures has Butterfly implemented to protect EEA/UK data processed outside of the EEA/UK?
Butterfly has put a number of measures in place to ensure that EEA and UK data remains protected when it is transferred outside of Europe.
- Contractual commitments. In addition to incorporating the Standard Contractual Clauses, our EEA and UK Data Processing Addendum also sets out commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security incidents and more.
- Security measures. Protection of our customers' data and Patient Data is of paramount importance to Butterfly. We maintain a robust security and privacy program that addresses the management of security and the security controls employed by Butterfly. Our security program is outlined in detail in our Security Overview.
- Responding to law enforcement requests. See more on this in the section below.
We are also closely following the developments of the CJEU decision and subsequent guidance from the European data protection regulators to determine whether we need to make any additional changes to our privacy practices, including implementing any additional safeguards as a data importer.
How does Butterfly respond to government law enforcement requests?
Butterfly is committed to the security and privacy of the data our customers store in our cloud services. Butterfly believes that our customers should control their data. When government, law enforcement or other third-parties make a lawful request for customer data from Butterfly, it is our practice to redirect such requests to the customer where practical and legally permitted. If we are not able to redirect to the customer, Butterfly will limit such disclosure to the data specified in the request. We will also notify our customers of any government, law enforcement or third-party request for customer data to the extent legally permitted.
What about third parties who work with Butterfly?
When Butterfly contracts with a third party that in any way interacts with Patient Data, Butterfly first requires that these third parties pass a security and risk assessment to ensure they uphold the same standards as Butterfly with respect to personal information. In addition, Butterfly ensures these companies are contractually obligated to implement and uphold equivalent security measures to protect Patient Data.
Our current list of sub-processors that process sensitive patient information is as follows. As our business grows and evolves, the sub-processors we engage may also change, so please check back frequently for updates.
- Corporate: Amazon Web Services, Inc. (AWS). Location: USA
- Corporate: Splunk Inc. (AWS). Location: USA
Do we need to provide notice to Patients about the processing Butterfly is doing?
The data protection and privacy laws in some countries require that patients be provided with information about how their data will be used and disclosed (including information about intended recipients of their information, and information about the agency that holds their information). In some cases, this requires notice of the processing being undertaken by Butterfly. If this is a requirement in your jurisdiction, please provide patients with access to the Butterfly Patient Privacy Notice, to ensure that they understand how Butterfly may process and use their personal information in connection with the Butterfly Services.
What if one of my patients asks for their Patient Data?
Certain privacy laws (including GDPR) give patients the right to request a copy of the data that you hold about them. This might be called a "data subject access request". If a patient makes a data subject access request directly to Butterfly, we will in our capacity as a processor pass the request on to you as soon as practicable and, where Butterfly holds the data requested, Butterfly will provide you with the relevant patient data in accordance with our contract with you.
Can patients ask for anything else?
As well as the right to access data you hold about them, patients may also have other rights under applicable data protection and privacy laws (like GDPR in the EEA and UK). Such rights may include the right to have inaccurate or incomplete data rectified, have their data deleted or to ask that you stop processing their data. Patients may also be able to ask you to transfer the data that you hold about them to another medical professional. If a patient wishes to exercise any of their rights in relation to their Patient Data, we will provide you with reasonable assistance to facilitate your response to the patient's request. If a patient contacts us directly seeking to exercise such rights, we will pass the request on to you as soon as practicable.
What about the records Butterfly holds about medical professionals?
Butterfly also collects personal information about customers/medical professionals in order to promote Butterfly products, set them up with a Butterfly account, process orders, and respond to inquiries. These data are protected by the same security measures. Our Privacy Notice contains details of how Butterfly processes a medical professional’s personal information and the rights that they have with respect to it.
Where can I find more information on the updated Standard Contractual Clauses?
For more information on the updated Standard Contractual Clauses, please visit our SCC FAQ.
Where can I get more information?
If you have any questions or require assistance, please contact firstname.lastname@example.org.