Frequently Asked Questions

What is hema.to CellStudio(RUO)?

CellStudio(RUO) is a browser-based, AI-supported application for flow cytometry analysis. It processes anonymized hematology cases, automatically identifies relevant cell populations, supports rule-based case prioritization, and enables automated reporting - while maintaining full expert control.

How does CellStudio(RUO) differ from other softwares?

Unlike traditional manual softwares that require installation and maintenance on individual computers, hema.to CellStudio(RUO) is an AI-based software hosted on the cloud, offering easier access, automatic updates, and scalability without the need for hardware investment.

What training resources are available for hema.to?

We currently offer a free trial account where you can explore the features and capabilities of hema.to CellStudio(RUO). We also provide training videos where one of our experts demonstrates all details on how you can interact with our interface. We additionally offer a Live Webinar Training service.

What kind of support does hema.to offer?

Besides email support users can schedule a meeting with us to ensure they receive the assistance they need from the most suitable expert.

Can I adjust the results after the automated data analysis?

Yes, you can easily correct the AI's suggestions with just a few clicks. Among other functions, we provide a simple way to relabel cell types.

Do I have to use a specific cytometer / panel / workflow?

You can use your current cytometer / panel / workflow without changing anything. We use AI that is trained under your specific setup. This enables our software to be completely agnostic and used by any customer.

How many files per disease do the algorithms need in order to be trained?

hema.to CellStudio(RUO) requires ~20 fcs/lmd files per panel to train and validate expert-level AI models.

How does hema.to protect against data breaches?

hema.to does not expose sensitive internal assets to public networks and is making use of security tooling provided by the google cloud platform. In addition, we use log and event-based intrusion detection systems for detecting unauthorised access or tampering.

In addition, we use:
- DDoS protection (rate limiting prevents service disruption)
- We've done independent penetration testing
- Access for you and your lab is secured using 2FA, role-based access.
- Data is encrypted using end-to-end TLS encryption and encryption of data at rest.

Is using hema.to less safe than on-premise software?

That depends on your security, but hema.to is likely as safe or safer.

There are several security and operational advantages over on-promise systems:
- Professional security management: Dedicated cybersecurity team vs. laboratory IT generalists
- Automatic security updates: Immediate patch deployment without laboratory overhead
- Built-in disaster recovery: Cloud redundancy protects against hardware failures
- Remote collaboration: Secure multi-site access without VPN complexity
- AI processing isolation: Computational workloads separated from laboratory networks

Do you receive patient data?

No.

We use client-side anonymization to remove identifiable information before cloud transmission. Our servers only receive the fluorescence data, which does not contain personal identifiable information. A data privacy lawyer attested to this with an appraisal, which we can provide for your internal documentation upon request.

This makes usage of hema.to GDPR-compliant by default.

Does data ever leave the EU?

No.

All encrypted data stored within EU boundaries.

(How) is my data encrypted?

End-to-end TLS encryption: Validated by automated security testing.

In addition, encrypted cloud storage: All data artifacts protected at rest (AES 256-bit).

Data is encrypted in-transit via SSL encryption

How secure is log-in to hema.to?

Very secure.

We have multiple layers of security to prevent unauthorized access and/or accidental errors:
- two-factor authentication (email OTP for all accounts)
- role-based access control (granular permissions by laboratory workflow)
- complete audit trail (every analysis tracked with user attribution)

Which trusted third parties have assessed the security of hema.to?

Independent penetration testing. We've completed penetration testing by external cybersecurity professionals and will continue to do these regularly going forward.

How does hema.to handle security vulnerabilities?

We have protocols in place to monitor and address supply chain vulnerabilities (CVEs) frequently and promptly after guidance is published. We create, analyse and address automated security reports before publishing new versions of our software.

How are security incidents reported and resolved in hema.to?

We have a dedicated internal process for incidents and incident reporting; It covers security incidents amongst other incidents. The process consists of immediate incident investigation, reporting, user notification, and resolution steps.

Does hema.to have a disaster recovery plan?

Yes, we have a comprehensive disaster recovery plan that includes regular data backups, continuous monitoring and emergency response procedures.

How is user access managed in hema.to?

User access is managed through a secure login system with support for two-factor authentication. We apply role based permissions that control the scope of access granted to a user.

What measures are in place to ensure the security of mobile or remote access?

hema.to supports the latest security features in supported browsers. Any integration into LIS or other laboratory management systems uses SSL encryption and a VPN where necessary.

What is the GDPR and is hema.to compliant with it?

The General Data Protection Regulation (GDPR) is the data protection law in the European Union (EU). The law is designed to give EU citizens more control over how internet services and companies collect and process their personal data. It applies to all organisations who are located in the EU and who process personal data, as well as any organisations who process data of EU citizens.
‍
hema.to operates in compliance with the GDPR. CellStudio (RUO) does not collect or process patient-identifiable information. Only user-related information required for account setup and platform access is processed.

Is hema.to complying with the evolving regulatory requirements?

Yes. As of today, hema.to B-NHL is CE-IVD under IVDD and hema.to CellStudio is RUO.

Do you have a Quality Management System in place to ensure compliance with relevant healthcare regulations?

hema.to maintains a Quality Management System (QMS).

In addition, we are actively working towards a full IVDR compliant product.

Do you provide training and support?

Yes, there is training video library free-of-charge. We additionally, offer a Live Webinar Training Service.

Have you conducted clinical evaluations or performance studies for your software?

hema.to has conducted multiple evaluations for hema.to BNHL (CE-IVD), as well as concordance studies for hema.to CellStudio(RUO) across multiple laboratories.

Is your product CE-marked?

- hema.to B-NHL is CE-marked under the IVDD.
- hema.to CellStudio is RUO (research-use-only), available to cytometry users (including CROs). As an RUO device, it cannot be used for patient management.
- We are actively working towards an IVDR compliant product

What types of businesses benefit most from using hema.to?

All users of cytometry relying on workflows (as opposed to experimental research).

Can hema.to scale with my business?

Absolutely. hema.to is designed to grow with your business. It offers scalable features and plans to accommodate your evolving needs.