
Data Classification and Information Labelling

This section explains how Saphetor classifies the data you store and process within VarSome Clinical, and how you can manage the classification of your own information. Understanding data classification helps ensure that patient data is handled with the appropriate level of care and in accordance with applicable regulatory requirements, including the EU General Data Protection Regulation (GDPR) and IVDR 2017/746.

1.  How Saphetor Classifies Your Data

VarSome Clinical processes patient genomic data on behalf of clinical laboratories and healthcare organisations. This data includes personally identifiable information (PII) and, specifically, special category personal data under GDPR Article 9, which attracts the highest level of legal protection.

Saphetor applies an information classification scheme to all data processed within the platform to ensure it is handled, stored and transmitted with appropriate security controls. The table below sets out the classification applied to each category of data.


| Data Category | Classification | Controls Applied | Regulatory Basis |
|---|---|---|---|
| Patient genomic data (VCF, FASTQ, variant calls) | CONFIDENTIAL (Special Category) | Encryption at rest and in transit (AES-256 / TLS 1.2+); access restricted to authorised users only; no processing beyond contracted purpose; retained per DPA retention schedule | GDPR Art. 9; ISO 27018 A.5; IVDR Art. 10 |
| Patient identifiers (pseudonymised IDs, case references) | CONFIDENTIAL | Encryption at rest and in transit; access restricted to laboratory users; pseudonymisation applied by default | GDPR Art. 5(1)(f); ISO 27018 A.4 |
| Clinical interpretation reports (generated by platform) | CONFIDENTIAL | Labelled "Confidential — For Clinical Use Only" on export; distribution restricted to authorised clinical personnel; retained per DPA retention schedule | IVDR Annex I §20; GDPR Art. 9 |
| User account data (names, email addresses, login records) | RESTRICTED | Access restricted to account holder and organisation administrators; retained per DPA retention schedule | GDPR Art. 6(1)(b); ISO 27001 A.5.12 |
| Usage and session logs (IP addresses, API calls, timestamps) | INTERNAL | Access restricted to Saphetor technical and security staff; retained for 12 months for security monitoring purposes | ISO 27001 A.8.15; ISO 27018 A.10 |
| Aggregate / anonymised analytics (de-identified statistical outputs) | INTERNAL | Not subject to PII protection controls once anonymised; used for platform performance monitoring only | GDPR Recital 26 |

2.  Classification Labels on Exported Reports and Data

All clinical reports and data exports generated by VarSome Clinical are labelled to reflect their classification. The following labels are applied automatically:

| Output type | Classification label applied |
|---|---|
| Clinical interpretation reports (PDF) | CONFIDENTIAL — For Clinical Use Only. This report contains patient-specific genomic data and is intended solely for use by authorised clinical personnel. |
| Variant data exports (VCF, CSV, TSV) | CONFIDENTIAL — For Clinical Use Only. Variant data exports contain patient-specific genomic data and is intended solely for use by authorised clinical personnel. |
| API responses | CONFIDENTIAL — For Clinical Use Only. API responses contain patient-specific genomic data and is intended solely for use by authorised clinical personnel. |
| Batch export packages | CONFIDENTIAL — For Clinical Use Only. Batch export packages contain patient-specific genomic data and is intended solely for use by authorised clinical personnel. |


3.  Your Responsibilities as Data Controller

VarSome Clinical is provided to clinical laboratories and healthcare organisations acting as data controllers for their patient data. While Saphetor applies the security controls described above, the following responsibilities remain with your organisation:

  • Ensuring that patient data is appropriately classified within your organisation before uploading to VarSome Clinical.
  • Applying access controls within VarSome Clinical to ensure only authorised staff can access patient cases and reports. See the User Management section of the User Manual.
  • Ensuring that exported clinical reports are handled in accordance with your organisation’s confidentiality policy and applicable clinical governance requirements.
  • Not uploading data at a higher sensitivity level than the contracted service supports without prior agreement with Saphetor.
  • Notifying Saphetor if you believe data sensitivity requirements for your deployment have changed since the initial contract.

 

Patient genomic data — special category data under GDPR

Patient genomic data processed through VarSome Clinical constitutes special category personal data under Article 9 of the General Data Protection Regulation (GDPR) and equivalent provisions of the Swiss Federal Act on Data Protection (nDSG).


This data is subject to the highest level of legal protection and additional processing conditions. Your organisation, as the data controller, is responsible for ensuring you have a valid legal basis and — where required — explicit consent for the processing of patient genomic data.


Saphetor processes this data solely on your documented instructions as set out in the Data Processing Agreement (DPA).

 

4.  Transparency — How We Use Your Data

In accordance with ISO/IEC 27018:2019 (Code of Practice for Protection of PII in Public Clouds), Saphetor commits to the following:

  • Your data is processed solely for the purposes specified in your contract and Data Processing Agreement. It is never used for Saphetor’s own research, product development, or marketing without your explicit written consent.
  • The complete list of sub-processors to whom your data may be disclosed is maintained in Saphetor’s Sub-processor Register (document reference: ISMS-REG-07). You may request a copy at any time by contacting your account manager or the DPO at dpo@saphetor.com.
  • The countries in which your data may be stored and processed are disclosed in the sub-processor register. All cross-border transfers are governed by appropriate legal transfer mechanisms (Standard Contractual Clauses or adequacy decisions).
  • Your organisation’s data is subject to strict logical separation from other customers’ data within our cloud environments. No access is permitted between customer tenants.
  • You will be notified of any material changes to sub-processors or data processing countries with a minimum of 30 days’ advance notice.