// Trust & Security Report

    Flatiron Health, Inc. (Roche subsidiary) logo

    Flatiron Health, Inc. (Roche subsidiary)

    Oncology and hematology AI-powered real-world evidence platform and EHR software, including OncoEMR (clinical EHR), OncoAnalytics (insights engine), and Outcomes Database (research datasets)

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HITRUST CSF Certified
    HELD

    Three Flatiron Health systems – OncoAnalytics, OncoEMR and Outcomes Database – have earned Certified status for information security by the Health Information Trust (HITRUST) Alliance.

    Verify on resources.flatiron.com
    SOC 2 Type II
    HELD

    Flatiron Health has achieved SOC 2 Type II security audit certification. Additionally, Flatiron provides strict security, process, and administrative controls to meet SOC-2 and HITRUST CSF requirements.

    Verify on flatironhealth.legal
    GDPR Compliant
    HELD

    Flatiron Health provides specific disclosures and rights to users in the European Union, EEA, and UK under the General Data Protection Regulation (GDPR). When transferring personal data outside the EU/EEA and UK, Flatiron implements appropriate safeguards and has established international data transfer agreements based on EU and UK Standard Contractual Clauses.

    Verify on flatironhealth.legal
    HIPAA Compliant
    HELD

    Datasets shared with third parties for research purposes are de-identified in accordance with HIPAA standards and never contain personally identifiable information. De-identified datasets may include Protected Health Information that has been de-identified under the HIPAA expert determination method.

    Verify on flatironhealth.legal
    Cyber Essentials Plus (UK)
    HELD

    Flatiron Health UK is Cyber Essentials Plus certified and completes the annual NHS Data Security & Protection Toolkit (DSPT), having met or exceeded DSPT requirements each time.

    Verify on flatironhealth.legal
    NHS Data Security & Protection Toolkit (UK)
    HELD

    Flatiron Health UK completes the annual NHS Data Security and Protection Toolkit, having met or exceeded requirements each time.

    Verify on flatironhealth.legal
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on vendor's domain or official sources.

    source: flatironhealth.legal

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US (default), with UK data residency for UK operations. Data can cross borders under EU/UK Standard Contractual Clauses. Multinational data available via Trusted Research Environment with regional compliance.

    Flatiron Health explicitly trains machine learning systems and large language models on customer data. They curate ground truth data from clinical records and use it to train and validate their ML/LLM systems. Patients can opt-out of research participation by emailing patientprivacy@flatiron.com. Data is de-identified in accordance with HIPAA standards before being used for research or shared with third parties.

    // Security controls

    Encryption in Transit

    Implied via SOC 2 Type II and HITRUST CSF certification; specific cipher details not publicly disclosed.

    resources.flatiron.com

    Data De-identification

    HIPAA expert determination method used for de-identifying datasets shared with researchers. Direct identifiers (name, SSN) removed; includes demographics, tumor type, diagnosis date, stage, treatment.

    flatironhealth.legal

    Annual Penetration Testing (UK)

    External accredited supplier conducts annual penetration testing of UK systems.

    flatironhealth.legal

    Data Protection Officer

    UK operations have appointed a Data Protection Officer to monitor compliance with UK data protection law.

    flatironhealth.legal

    Subprocessor Management

    Flatiron maintains a Subprocessors List and discloses third parties handling data.

    flatironhealth.legal

    // Products & data scope

    OncoEMRElectronic Health Record (EHR) Software

    data: Patient clinical data, oncology-specific: diagnosis, treatment, outcomes, demographics, tumor characteristics. Used for point-of-care and research.

    HITRUST CSF Certified (2024). 2.1 million active patient records. Integrated oncology EHR with data extraction and AI-powered insights.

    OncoAnalyticsAnalytics & Insights Engine

    data: Aggregated, de-identified oncology datasets from OncoEMR. Used to generate real-world evidence for research and clinical insights.

    HITRUST CSF Certified (2024). Powered by AI/ML trained on historical oncology data.

    Outcomes DatabaseResearch Data Product

    data: De-identified, longitudinal patient outcome data. Tumor-specific and pan-tumor datasets spanning 5+ million patient records with 1.5+ billion data points.

    HITRUST CSF Certified (2024). Available for licensed research use; de-identified per HIPAA.

    Flatiron TelescopeAI Platform

    data: Real-world evidence aggregation and AI-powered analysis for oncology insights. Uses LLMs trained on curated clinical data.

    Recent launch (2026). Delivers oncology insights in minutes using AI.

    Multinational Data ProductsGlobal Real-World Evidence

    data: International patient-level data from oncology practices across multiple countries. De-identified with pseudonymization, obfuscation, and redaction for compliance.

    Data residency: UK data stays in UK; other regions subject to Standard Contractual Clauses. Accessed via Trusted Research Environment.

    // What to watch

    • AI TRAINING ON CUSTOMER DATA: Flatiron Health explicitly trains machine learning and LLM systems on customer clinical data. Patients can opt-out via email, but the default is opt-in. Organizations using OncoEMR should be aware their anonymized data contributes to model training.
    • PARENT COMPANY: Flatiron Health is a fully owned subsidiary of Roche (acquired 2018 for $1.9B). Compliance and security posture are influenced by Roche's governance.
    • ISO 27001 NOT FOUND: While HITRUST CSF and SOC 2 Type II are held, ISO 27001 certification is not publicly documented. HITRUST CSF encompasses many ISO 27001 controls, but standalone ISO 27001 certification is not claimed.
    • HITRUST CSF RENEWAL: Most recent certification is March 2024. HITRUST CSF certifications typically require renewal every 2 years; next renewal likely due Q1 2026. Verify current status in procurement agreements.
    • DATA RESEARCH USAGE: Flatiron licenses de-identified datasets to pharmaceutical and research organizations. Customers should understand that their aggregated data (de-identified) may be sold or licensed for research purposes.
    • PARTIAL DIVESTITURE: In December 2025, Paradigm Health announced acquisition of Flatiron's Clinical Research Business. Roche retains overall ownership. Verify which products/services are affected by this transaction.

    // At a glance

    Pricing model

    Not disclosed publicly; likely subscription-based (SaaS for OncoEMR) and data-licensing for research products.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Flatiron Health, Inc. (Roche subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    flatironhealth.legal

    > Browse all vendor trust reports