// Trust & Security Report

    Butterfly Network, Inc. logo

    Butterfly Network, Inc.

    Point-of-care ultrasound (POCUS) hardware and software: Butterfly iQ3 and iQ+ handheld probes, iQ+ Bladder, Compass AI workflow software, ScanLab educational app, TeleGuidance remote guidance feature

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Butterfly holds a SOC 2 Type 2 attestation report issued by an independent third-party auditor, the scope of which encompasses the iQ+ ecosystem across the entire organization. On annual basis, the auditor evaluates Butterfly's security, availability, and confidentiality categories.

    Verify on butterflynetwork.com
    ISO 27001
    HELD

    Butterfly Network Strengthens Global Information Security Posture with ISO 27001, SOC-2 Type 2, C5 Germany, and NHS DSPT Accreditations — assessed by A-LIGN (third-party assessment organization), announced October 27, 2025.

    Verify on butterflynetwork.com
    HIPAA
    HELD

    Butterfly's cybersecurity team enforces and monitors cybersecurity operations...including...Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health (HITECH). A Business Associate Agreement (BAA) is included as Exhibit F to Butterfly's standard Master Terms and Conditions.

    Verify on butterflynetwork.com
    GDPR (compliance posture)
    HELD

    Butterfly also has a global privacy program that meets the requirements of data protection regulations such as the EU General Data Protection Regulation (GDPR). Our standard agreements include a compliant Data Processing Addendum (DPA). A Data Protection Officer (DPO) oversees our privacy commitments.

    Verify on butterflynetwork.com
    C5 Germany (BSI Cloud Computing Compliance Criteria Catalogue)
    HELD

    Butterfly Network Strengthens Global Information Security Posture with ISO 27001, SOC-2 Type 2, C5 Germany, and NHS DSPT Accreditations — announced October 27, 2025, assessed by A-LIGN.

    Verify on butterflynetwork.com
    NHS DSPT (Data Security and Protection Toolkit)
    HELD

    Butterfly Network Strengthens Global Information Security Posture with ISO 27001, SOC-2 Type 2, C5 Germany, and NHS DSPT Accreditations — the National Health Service (NHS) Data Security and Protection Toolkit, announced October 27, 2025.

    Verify on butterflynetwork.com
    GovRAMP
    HELD

    Butterfly Achieves GovRAMP and TX-RAMP Information Security Certifications — GovRAMP Authorization authorizes sale of cloud services to all state and local government agencies; products: Butterfly iQ+/iQ3 and Compass AI; assessed by A-LIGN; announced February 10, 2026.

    Verify on butterflynetwork.com
    TX-RAMP
    HELD

    Butterfly Achieves GovRAMP and TX-RAMP Information Security Certifications — TX-RAMP is the only domestic state requiring a standalone authorization; announced February 10, 2026.

    Verify on butterflynetwork.com
    > Show 7 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    FedRAMP certification is anticipated in 2026; currently in pursuit stage. No authorization has been granted as of the assessment date.

    source: butterflynetwork.com
    HITRUST CSF r2
    NOT CONFIRMED

    HITRUST CSF r2 is currently being pursued — a NIST 800-53 (Rev-5) framework that unifies standards like HIPAA and GDPR. Not yet achieved as of the assessment date.

    source: butterflynetwork.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on vendor domain.

    source: butterflynetwork.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor domain.

    source: butterflynetwork.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification found on vendor domain.

    source: butterflynetwork.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor domain. Payment processing for device purchases is handled through third-party provider Affirm.

    source: butterflynetwork.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on vendor domain.

    source: butterflynetwork.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    EU: AWS Frankfurt (eu-central-1); Australia/NZ: AWS Sydney (ap-southeast-2); Canada: AWS Montreal; US and rest of world: AWS Northern Virginia (us-east-1) and Oregon (us-west-2). US personnel may access EU/non-US data for support and maintenance.

    Butterfly's privacy notice explicitly states: 'we may leverage de-identified patient data to train our models and algorithms to improve the functionality of our Services.' Training is performed only on de-identified (PHI-stripped) patient data. The policy also notes 'Our analysis may include the use of technology like machine learning and large language models, which may include training these models or sharing with third parties for model training.' No explicit opt-out mechanism is provided to healthcare providers for this use. The Master T&C (2026-01-15) is silent on AI training while Butterfly retains ownership of all de-identified/anonymized data under Section 3.1. This gap between the privacy policy allowance and the ToS silence warrants review.

    // Security controls

    Encryption

    Encryption in transit and at rest applied to customer data in Butterfly Cloud; specific cipher suites not publicly disclosed.

    butterflynetwork.com

    SIEM and intrusion detection

    Security Information and Event Management (SIEM) tool with continuous network monitoring; intrusion detection system for early breach identification.

    butterflynetwork.com

    Logical access controls

    Formal procedures for provisioning, modifying, reviewing, and revoking access; all servers, workstations, applications, and infrastructure assets monitored with dedicated security tools.

    butterflynetwork.com

    Secure Development Lifecycle (SDLC)

    Formal SDLC methodology governing development, acquisition, implementation, and maintenance; change management requires authorization, testing, and documentation.

    butterflynetwork.com

    Incident response

    Formal incident response program; HIPAA breach notifications to customers within 10 business days per 45 C.F.R. § 164.410.

    store.butterflynetwork.com

    Backup and disaster recovery

    Periodic backups of all system data; disaster recovery and business continuity policy with documented procedures.

    butterflynetwork.com

    Third-party risk management

    Security and risk assessments on all sub-processors that interact with patient data or PII; sub-processors contractually bound to equivalent security standards. Primary sub-processors: AWS (hosting), Splunk (monitoring), New Relic (performance).

    butterflynetwork.com

    Leadership

    Chief Information Security Officer (CISO) leads the security program; Data Protection Officer (DPO) oversees privacy commitments.

    butterflynetwork.com

    FDA clearance

    Butterfly iQ3 and iQ+ are FDA-cleared medical devices for external ultrasound imaging. Compass AI is FDA cleared for gestational age assessment (first blind-sweep gestational age tool).

    butterflynetwork.com

    // Products & data scope

    Butterfly iQ3Medical imaging hardware (handheld POCUS probe)

    data: Clinical ultrasound images and studies stored in Butterfly Cloud; patient identifiers (name, DOB, gender, MRN) when uploaded by healthcare provider; data stored in region-appropriate AWS data centers.

    FDA cleared; current-generation whole-body handheld ultrasound probe. Requires subscription for cloud archiving and advanced AI features.

    Butterfly iQ+Medical imaging hardware (handheld POCUS probe)

    data: Same as iQ3 — clinical images and patient identifiers in Butterfly Cloud.

    Previous-generation probe; SOC 2 Type 2 audit scope explicitly covers the iQ+ ecosystem.

    Butterfly iQ+ BladderMedical imaging hardware (specialized probe)

    data: Bladder volume measurement data; non-invasive; patient identifiers if linked to Butterfly Cloud.

    Available for purchase individually; designed specifically for noninvasive urinary volume measurement.

    Compass AI SoftwareAI-powered clinical workflow software

    data: Imaging studies, workflow metadata, clinical notes; processed in Butterfly Cloud.

    FDA cleared for gestational age assessment. Explicitly not intended for diagnostic decision-making per product labeling. Covered under GovRAMP and TX-RAMP authorizations.

    ScanLabMedical education app

    data: Educational use only; no diagnostic data intended.

    Separately downloadable educational app; included with Butterfly membership. Not for diagnostic use.

    TeleGuidanceRemote guidance feature

    data: Live ultrasound stream and associated patient session data.

    Available only on compatible iOS devices.

    // What to watch

    • AI training on de-identified patient data: Butterfly's privacy notice explicitly permits training models on de-identified patient data with no opt-out mechanism available to healthcare providers or patients. Quote: 'we may leverage de-identified patient data to train our models and algorithms to improve the functionality of our Services.'
    • Third-party model training: Privacy policy also states Butterfly may share de-identified data 'with third parties for model training' beyond the listed sub-processors (AWS, Splunk, New Relic). Specific third-party AI partners are not disclosed.
    • ToS/privacy policy gap: The Master Terms and Conditions (2026-01-15) are silent on AI training while Butterfly retains ownership of all de-identified/anonymized data under Section 3.1 — yet the privacy notice explicitly allows training on that data. Procurement teams should seek contractual clarification.
    • FedRAMP in progress: Butterfly's marketing implies imminent FedRAMP authorization (anticipated 2026) but authorization is not yet granted. Government procurement teams should not treat GovRAMP as equivalent to FedRAMP.
    • HITRUST CSF r2 in progress: Being pursued but not yet achieved. The security page references NIST and HIPAA frameworks but HITRUST certification is not yet held.

    // At a glance

    Pricing model

    Hardware purchase (one-time) plus tiered subscription for cloud features (Basic, Advanced); device financing available through Affirm. Enterprise/health system pricing via sales.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Butterfly Network, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    butterflynetwork.com

    > Browse all vendor trust reports