Safety, compliance and trust

How does hema.to protect against data breaches?

hema.to does not expose sensitive internal assets to public networks and is making use of security tooling provided by the google cloud platform. In addition, we use log and event-based intrusion detection systems for detecting unauthorised access or tampering.

In addition, we use:
- DDoS protection (rate limiting prevents service disruption)
- We've done independent penetration testing
- Access for you and your lab is secured using 2FA, role-based access.
- Data is encrypted using end-to-end TLS encryption and encryption of data at rest.

Is using hema.to less safe than on-premise software?

That depends on your security, but hema.to is likely as safe or safer.

There are several security and operational advantages over on-premise systems:
- Professional security management: Dedicated cybersecurity team vs. laboratory IT generalists
- Automatic security updates: Immediate patch deployment without laboratory overhead
- Built-in disaster recovery: Cloud redundancy protects against hardware failures
- Remote collaboration: Secure multi-site access without VPN complexity
- AI processing isolation: Computational workloads separated from laboratory networks

Do you receive patient data?

No.

We use client-side anonymization to remove identifiable information before cloud transmission. Our servers only receive the fluorescence data, which does not contain personal identifiable information. A data privacy lawyer attested to this with an appraisal, which we can provide for your internal documentation upon request.

This makes usage of hema.to GDPR-compliant by default.

Does data ever leave the EU?

No.

All encrypted data stored within EU boundaries.

(How) is my data encrypted?

End-to-end TLS encryption: Validated by automated security testing.

In addition, encrypted cloud storage: All data artifacts protected at rest (AES 256-bit).

Data is encrypted in-transit via SSL encryption

How secure is log-in to hema.to?

Very secure.

We have multiple layers of security to prevent unauthorized access and/or accidental errors:
- two-factor authentication (email OTP for all accounts)
- role-based access control (granular permissions by laboratory workflow)
- complete audit trail (every analysis tracked with user attribution)

Which trusted third parties have assessed the security of hema.to?

Independent penetration testing. We've completed penetration testing by external cybersecurity professionals and will continue to do these regularly going forward.

How does hema.to handle security vulnerabilities?

We have protocols in place to monitor and address supply chain vulnerabilities (CVEs) frequently and promptly after guidance is published. We create, analyse and address automated security reports before publishing new versions of our software.

How are security incidents reported and resolved in hema.to?

We have a dedicated internal process for incidents and incident reporting; It covers security incidents amongst other incidents. The process consists of immediate incident investigation, reporting, user notification, and resolution steps.

Does hema.to have a disaster recovery plan?

Yes, we have a comprehensive disaster recovery plan that includes regular data backups, continuous monitoring and emergency response procedures.

How is user access managed in hema.to?

User access is managed through a secure login system with support for two-factor authentication. We apply role based permissions that control the scope of access granted to a user.

What measures are in place to ensure the security of mobile or remote access?

hema.to supports the latest security features in supported browsers. Any integration into LIS or other laboratory management systems uses SSL encryption and a VPN where necessary.

What is the GDPR and is hema.to compliant with it?

The General Data Protection Regulation (GDPR) is the data protection law in the European Union (EU). The law is designed to give EU citizens more control over how internet services and companies collect and process their personal data. It applies to all organisations who are located in the EU and who process personal data, as well as any organisations who process data of EU citizens. hema.to complies with the GDPR. It does not acquire any patient information nor personal relatable information.

What is the model quality?

This depends on the specific cell population:
- Concordance studies (some of which will be published soon) have shown very high agreement with traditional methods for common/major cell populations in multi-site settings, with a very low, single-digit disconcordance.
- For small cell populations, the AI model may perform worse than human analysis. For small cell populations, we provide a phenotyping workflow using context-aware thresholds or manual annotation.

What is my data used for?

We use your data to calibrate and validate our AI on your specific workflow. Because instruments, panels, and SOPs differ between labs, local calibration is essential.

For EU IVDR compliance, model performance must also be demonstrated on end-user data, not synthetic or third-party datasets. This process—calibration followed by validation—ensures a model with validated performance on your panels.

Will a competitor receive my data?

No, data is not shared with third parties and is transmitted, stored and processed using highly secure processes (see questions on "safety and data security").

We can provide a list of sub-processors, such as our cloud provider, for your internal documentation.

Do you rely on AI models provided by OpenAI or other foundational model providers?

No.

We have built custom architectures tailored to cytometry using transformers and attention-based approaches that run on our own cloud (hosted in Goocle Cloud Platform with EU data residency).

As such, providers of 'foundational models' such as OpenAI, Microsoft, etc. do not receive your data.

For GDPR reasons, who is the data processor?

We (hema.to GmbH) are the data processor.

See our Imprint for more info.

Is hema.to complying with the evolving regulatory requirements?

Yes. As of today, hema.to B-NHL is CE-IVD under IVDD and hema.to Workflow Studio is RUO.

Do you have a Quality Management System in place to ensure compliance with relevant healthcare regulations?

hema.to maintains a Quality Management System (QMS) for hema.to B-NHL in accordance with the ISO 13485 standard.

In addition, we will work towards full IVDR compliance of hema.to Workflow Studio.

Do you provide training and support?

Yes, all training and support as of now is free-of-charge.

Have you conducted clinical evaluations or performance studies for your software?

hema.to has conducted multiple evaluations, including concordance studies across European laboratories.

Is your product CE-marked?

- hema.to B-NHL is CE-marked under the IVDD.
- hema.to Workflow Studio (beta) is RUO (research-use-only), available to cytometry users (including CROs). As an RUO device, it cannot be used for patient management.
- Under Article 5.5 IVDR, laboratories may validate an RUO tool as part of their own in-house device. In that case, it is legally a distinct laboratory device, not marketed, sold, produced, or distributed by hema.to. Under the IVDR, hema.to is not permitted to assist with this in-house validation; the sole responsibility rests with the laboratory.
- We are actively preparing IVDR compliance for Workflow Studio on our roadmap.