// Trust & Security Report
Butterfly Network, Inc.
Point-of-care ultrasound (POCUS) hardware and software: Butterfly iQ3 and iQ+ handheld probes, iQ+ Bladder, Compass AI workflow software, ScanLab educational app, TeleGuidance remote guidance feature
Certifications held
8
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on butterflynetwork.com“Butterfly holds a SOC 2 Type 2 attestation report issued by an independent third-party auditor, the scope of which encompasses the iQ+ ecosystem across the entire organization. On annual basis, the auditor evaluates Butterfly's security, availability, and confidentiality categories.”
Verify on butterflynetwork.com“Butterfly Network Strengthens Global Information Security Posture with ISO 27001, SOC-2 Type 2, C5 Germany, and NHS DSPT Accreditations — assessed by A-LIGN (third-party assessment organization), announced October 27, 2025.”
Verify on butterflynetwork.com“Butterfly's cybersecurity team enforces and monitors cybersecurity operations...including...Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health (HITECH). A Business Associate Agreement (BAA) is included as Exhibit F to Butterfly's standard Master Terms and Conditions.”
Verify on butterflynetwork.com“Butterfly also has a global privacy program that meets the requirements of data protection regulations such as the EU General Data Protection Regulation (GDPR). Our standard agreements include a compliant Data Processing Addendum (DPA). A Data Protection Officer (DPO) oversees our privacy commitments.”
Verify on butterflynetwork.com“Butterfly Network Strengthens Global Information Security Posture with ISO 27001, SOC-2 Type 2, C5 Germany, and NHS DSPT Accreditations — announced October 27, 2025, assessed by A-LIGN.”
Verify on butterflynetwork.com“Butterfly Network Strengthens Global Information Security Posture with ISO 27001, SOC-2 Type 2, C5 Germany, and NHS DSPT Accreditations — the National Health Service (NHS) Data Security and Protection Toolkit, announced October 27, 2025.”
Verify on butterflynetwork.com“Butterfly Achieves GovRAMP and TX-RAMP Information Security Certifications — GovRAMP Authorization authorizes sale of cloud services to all state and local government agencies; products: Butterfly iQ+/iQ3 and Compass AI; assessed by A-LIGN; announced February 10, 2026.”
Verify on butterflynetwork.com“Butterfly Achieves GovRAMP and TX-RAMP Information Security Certifications — TX-RAMP is the only domestic state requiring a standalone authorization; announced February 10, 2026.”
> Show 7 unconfirmed / not-held certifications
source: butterflynetwork.comFedRAMP certification is anticipated in 2026; currently in pursuit stage. No authorization has been granted as of the assessment date.
source: butterflynetwork.comHITRUST CSF r2 is currently being pursued — a NIST 800-53 (Rev-5) framework that unifies standards like HIPAA and GDPR. Not yet achieved as of the assessment date.
source: butterflynetwork.comNo public evidence of ISO 27017 certification found on vendor domain.
source: butterflynetwork.comNo public evidence of ISO 27018 certification found on vendor domain.
source: butterflynetwork.comNo public evidence of ISO/IEC 42001 certification found on vendor domain.
source: butterflynetwork.comNo public evidence of PCI DSS certification found on vendor domain. Payment processing for device purchases is handled through third-party provider Affirm.
source: butterflynetwork.comNo public evidence of CSA STAR certification found on vendor domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
EU: AWS Frankfurt (eu-central-1); Australia/NZ: AWS Sydney (ap-southeast-2); Canada: AWS Montreal; US and rest of world: AWS Northern Virginia (us-east-1) and Oregon (us-west-2). US personnel may access EU/non-US data for support and maintenance.
Butterfly's privacy notice explicitly states: 'we may leverage de-identified patient data to train our models and algorithms to improve the functionality of our Services.' Training is performed only on de-identified (PHI-stripped) patient data. The policy also notes 'Our analysis may include the use of technology like machine learning and large language models, which may include training these models or sharing with third parties for model training.' No explicit opt-out mechanism is provided to healthcare providers for this use. The Master T&C (2026-01-15) is silent on AI training while Butterfly retains ownership of all de-identified/anonymized data under Section 3.1. This gap between the privacy policy allowance and the ToS silence warrants review.
// Security controls
Encryption
Encryption in transit and at rest applied to customer data in Butterfly Cloud; specific cipher suites not publicly disclosed.
butterflynetwork.comSIEM and intrusion detection
Security Information and Event Management (SIEM) tool with continuous network monitoring; intrusion detection system for early breach identification.
butterflynetwork.comLogical access controls
Formal procedures for provisioning, modifying, reviewing, and revoking access; all servers, workstations, applications, and infrastructure assets monitored with dedicated security tools.
butterflynetwork.comSecure Development Lifecycle (SDLC)
Formal SDLC methodology governing development, acquisition, implementation, and maintenance; change management requires authorization, testing, and documentation.
butterflynetwork.comIncident response
Formal incident response program; HIPAA breach notifications to customers within 10 business days per 45 C.F.R. § 164.410.
store.butterflynetwork.comBackup and disaster recovery
Periodic backups of all system data; disaster recovery and business continuity policy with documented procedures.
butterflynetwork.comThird-party risk management
Security and risk assessments on all sub-processors that interact with patient data or PII; sub-processors contractually bound to equivalent security standards. Primary sub-processors: AWS (hosting), Splunk (monitoring), New Relic (performance).
butterflynetwork.comLeadership
Chief Information Security Officer (CISO) leads the security program; Data Protection Officer (DPO) oversees privacy commitments.
butterflynetwork.comFDA clearance
Butterfly iQ3 and iQ+ are FDA-cleared medical devices for external ultrasound imaging. Compass AI is FDA cleared for gestational age assessment (first blind-sweep gestational age tool).
butterflynetwork.com// Products & data scope
data: Clinical ultrasound images and studies stored in Butterfly Cloud; patient identifiers (name, DOB, gender, MRN) when uploaded by healthcare provider; data stored in region-appropriate AWS data centers.
FDA cleared; current-generation whole-body handheld ultrasound probe. Requires subscription for cloud archiving and advanced AI features.
data: Same as iQ3 — clinical images and patient identifiers in Butterfly Cloud.
Previous-generation probe; SOC 2 Type 2 audit scope explicitly covers the iQ+ ecosystem.
data: Bladder volume measurement data; non-invasive; patient identifiers if linked to Butterfly Cloud.
Available for purchase individually; designed specifically for noninvasive urinary volume measurement.
data: Imaging studies, workflow metadata, clinical notes; processed in Butterfly Cloud.
FDA cleared for gestational age assessment. Explicitly not intended for diagnostic decision-making per product labeling. Covered under GovRAMP and TX-RAMP authorizations.
data: Educational use only; no diagnostic data intended.
Separately downloadable educational app; included with Butterfly membership. Not for diagnostic use.
data: Live ultrasound stream and associated patient session data.
Available only on compatible iOS devices.
// What to watch
- AI training on de-identified patient data: Butterfly's privacy notice explicitly permits training models on de-identified patient data with no opt-out mechanism available to healthcare providers or patients. Quote: 'we may leverage de-identified patient data to train our models and algorithms to improve the functionality of our Services.'
- Third-party model training: Privacy policy also states Butterfly may share de-identified data 'with third parties for model training' beyond the listed sub-processors (AWS, Splunk, New Relic). Specific third-party AI partners are not disclosed.
- ToS/privacy policy gap: The Master Terms and Conditions (2026-01-15) are silent on AI training while Butterfly retains ownership of all de-identified/anonymized data under Section 3.1 — yet the privacy notice explicitly allows training on that data. Procurement teams should seek contractual clarification.
- FedRAMP in progress: Butterfly's marketing implies imminent FedRAMP authorization (anticipated 2026) but authorization is not yet granted. Government procurement teams should not treat GovRAMP as equivalent to FedRAMP.
- HITRUST CSF r2 in progress: Being pursued but not yet achieved. The security page references NIST and HIPAA frameworks but HITRUST certification is not yet held.
// At a glance
Pricing model
Hardware purchase (one-time) plus tiered subscription for cloud features (Basic, Advanced); device financing available through Affirm. Enterprise/health system pricing via sales.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Butterfly Network, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
butterflynetwork.com