Secure by Design –
Our Approach to Security
Last Updated: October 28, 2019
At Butterfly Network, we believe that it is our responsibility to design devices and software that are secure by design and prioritize patient privacy. We know our customers care deeply about patient data, and that’s why leveraging the Butterfly Cloud allows you to inherit our security and regulatory compliance controls like data localization, while still maintaining ownership of patient data.
This page will provide a high-level overview of how we secure the key layers of our infrastructure, our cloud, and our hosted data centers. More information about who we are, how we collect, and use personal information about you and how you can exercise your privacy rights can be found in our Privacy Notice. Similarly, if you have questions about our comprehensive privacy program, please visit our Global Privacy FAQ. And our Patient Privacy Notice explains how we collect and use patient data following the use, by our Customers, of the Butterfly iQ Device and beyond.
Security Program and Organization
Butterfly’s Security Program utilizes industry leading, risk-based, frameworks and standards. Butterfly has a security team led by a Chief Information Security Officer (CISO) who is responsible for the development and maintenance of security policies, enforcing security operations and monitoring technical security within the company and associated third parties.
Security Policies, Processes, and Procedures
At Butterfly, we understand that fostering a healthy security culture begins by providing our employees with security policies, processes, and procedures to help make good decisions when building our products and managing sensitive customer data
Secure Development Lifecycle (SDLC)
Butterfly follows a “secure by design” approach whereby security is treated as a top priority at all stages of product and application development. We implement controls such as threat modeling for new features, code review, regression testing, deployment controls, vulnerability scanning and penetration testing.
The Butterfly iOS and Web applications enforce strict user authentication. The Butterfly iOS app requires that hardware device encryption is enabled before log-in and scanning is allowed.
All data is encrypted in transit and at rest. Administrators of a Butterfly Cloud team subscription maintain full control over which users have access to their private data.
For our enterprise customers, Butterfly has developed three additional layers of enhanced, defensive security: Single Sign On, Enterprise Mobility Management Restrictions, and Custom Inactivity Timeout.
Butterfly Cloud is a multi-tenant distributed system, built with a highly redundant architecture. Leveraging Amazon Web Services (AWS) infrastructure, Butterfly Cloud incorporates multiple layers of physical, policy, and technical safeguards.
Data Protection Controls
Customer data in Butterfly Cloud is further secured by a container orchestration platform (Aptible Enclave) that implements security best practices and controls for the deployment of healthcare applications such as AES 256-bit encryption for data at rest, monitoring and logging, vulnerability management and system hardening.
Disaster Recovery and Business Continuity
Butterfly Network conducts daily backups to Amazon’s East and West USA data centers to ensure customer data is easily recoverable in the event of a disaster. Backup plans and disaster plans are in place and tested quarterly.
Compliance and Certifications
Butterfly Network is SOC 2 (Type 1) certified, which attests to our compliance with Privacy, Security, Confidentiality and Availability criteria as well as HIPAA and HITECH regulations. Butterfly also has a global privacy program that meets the requirements of data protection regulations such as the EU General Data Protection Regulation (GDPR).
For more details on our security program, please contact us at firstname.lastname@example.org for a copy of our detailed security whitepaper.
Our security controls are constantly evolving to keep up with the dynamic threat landscape, so we may update this page from time to time to reflect these technical or administrative changes. Please check this page often to view our latest controls.