Frequently Asked Questions

What is hema.to?

hema.to is a cloud-based SaaS platform designed to provide diagnostic support for hematological malignancies by analysing raw FCS/LMD files.

How does hema.to differ from traditional softwares?

Unlike traditional manual softwares that require installation and maintenance on individual computers, hema.to is an AI-based software hosted on the cloud, offering easier access, automatic updates, and scalability without the need for hardware investment.

What training resources are available for hema.to?

We currently offer a free demonstration account where you can explore the features and capabilities of hema.to. We also provide a training video where one of our experts demonstrates all details on how you can interact with our interface. Scheduling in-person sessions is also possible. You will have the opportunity to discuss your questions and needs and maybe find more suitable solutions for your laboratory.

What kind of support does hema.to offer?

Besides email support users can schedule a meeting with us to ensure they receive the assistance they need from the most suitable expert.

Can I adjust the results after the automated data analysis?

Yes, you can easily correct the AI's suggestions with just a few clicks. Among other functions, we provide a simply way to relabel cell types.

Do I have to use a specific cytometer / panel / workflow?

You can use your current cytometer / panel / workflow without changing anything. We use AI that is trained under your specific setup. This enables our software to be used by any customer.

How many files per disease do the algorithms need in order to be trained?

We currently have 2 products. Our hema.to BASE product (currently in development) only requires some 10 files per disease and automates single cell classification for your flow cytometry analysis. Our hema.to BNHL product (CE marked under IVDD) additionally provides a diagnostic recommendation and thus requires 1000 files per disease.

How does hema.to protect against data breaches?

hema.to does not expose sensitive internal assets to public networks and is making use of security tooling provided by the google cloud platform. In addition, we use log and event-based intrusion detection systems for detecting unauthorised access or tampering.

In addition, we use:
- DDoS protection (rate limiting prevents service disruption)
- We've done independent penetration testing
- Access for you and your lab is secured using 2FA, role-based access.
- Data is encrypted using end-to-end TLS encryption and encryption of data at rest.

Is using hema.to less safe than on-premise software?

That depends on your security, but hema.to is likely as safe or safer.

There are several security and operational advantages over on-promise systems:
- Professional security management: Dedicated cybersecurity team vs. laboratory IT generalists
- Automatic security updates: Immediate patch deployment without laboratory overhead
- Built-in disaster recovery: Cloud redundancy protects against hardware failures
- Remote collaboration: Secure multi-site access without VPN complexity
- AI processing isolation: Computational workloads separated from laboratory networks

Do you receive patient data?

No.

We use client-side anonymization to remove identifiable information before cloud transmission. Our servers only receive the fluorescence data, which does not contain personal identifiable information. A data privacy lawyer attested to this with an appraisal, which we can provide for your internal documentation upon request.

This makes usage of hema.to GDPR-compliant by default.

Does data ever leave the EU?

No.

All encrypted data stored within EU boundaries.

(How) is my data encrypted?

End-to-end TLS encryption: Validated by automated security testing.

In addition, encrypted cloud storage: All data artifacts protected at rest (AES 256-bit).

Data is encrypted in-transit via SSL encryption

How secure is log-in to hema.to?

Very secure.

We have multiple layers of security to prevent unauthorized access and/or accidental errors:
- two-factor authentication (email OTP for all accounts)
- role-based access control (granular permissions by laboratory workflow)
- complete audit trail (every analysis tracked with user attribution)

Which trusted third parties have assessed the security of hema.to?

Independent penetration testing. We've completed penetration testing by external cybersecurity professionals and will continue to do these regularly going forward.

How does hema.to handle security vulnerabilities?

We have protocols in place to monitor and address supply chain vulnerabilities (CVEs) frequently and promptly after guidance is published. We create, analyse and address automated security reports before publishing new versions of our software.

How are security incidents reported and resolved in hema.to?

We have a dedicated internal process for incidents and incident reporting; It covers security incidents amongst other incidents. The process consists of immediate incident investigation, reporting, user notification, and resolution steps.

Does hema.to have a disaster recovery plan?

Yes, we have a comprehensive disaster recovery plan that includes regular data backups, continuous monitoring and emergency response procedures.

How is user access managed in hema.to?

User access is managed through a secure login system with support for two-factor authentication. We apply role based permissions that control the scope of access granted to a user.

What measures are in place to ensure the security of mobile or remote access?

hema.to supports the latest security features in supported browsers. Any integration into LIS or other laboratory management systems uses SSL encryption and a VPN where necessary.

What is the GDPR and is hema.to compliant with it?

The General Data Protection Regulation (GDPR) is the data protection law in the European Union (EU). The law is designed to give EU citizens more control over how internet services and companies collect and process their personal data. It applies to all organisations who are located in the EU and who process personal data, as well as any organisations who process data of EU citizens. hema.to complies with the GDPR. It does not acquire any patient information nor personal relatable information.

Is hema.to complying with the evolving regulatory requirements?

Yes. As of today, hema.to B-NHL is CE-IVD under IVDD and hema.to Workflow Studio is RUO.

Do you have a Quality Management System in place to ensure compliance with relevant healthcare regulations?

hema.to maintains a Quality Management System (QMS) for hema.to B-NHL.

In addition, we are actively work towards a full IVDR compliant product.

Do you provide training and support?

Yes, all training and support as of now is free-of-charge.

Have you conducted clinical evaluations or performance studies for your software?

hema.to has conducted multiple evaluations for hema.to BNHL (CD-IVD), including concordance studies across European laboratories.

Is your product CE-marked?

- hema.to B-NHL is CE-marked under the IVDD.
- hema.to Workflow Studio (beta) is RUO (research-use-only), available to cytometry users (including CROs). As an RUO device, it cannot be used for patient management.
- We are actively working towards an IVDR compliant product

What types of businesses benefit most from using hema.to?

All users of cytometry relying on workflows (as opposed to experimental research).

Can hema.to scale with my business?

Absolutely. hema.to is designed to grow with your business. It offers scalable features and plans to accommodate your evolving needs.