1. ClearDATA Healthcare Managed Services
2. Supported Cloud Services
3. Unsupported Services
4. Identity & Access Management (IAM)
5. ClearDATA Customer Portal
6. ClearDATA Access Model for Automated Safeguards
7. ClearDATA’s Access Model for Support

1. ClearDATA Healthcare Managed Services

For customers requiring managed security and compliance services along with their ClearDATA Comply software subscription, ClearDATA has defined a healthcare specific shared responsibility model and two managed service plans for ClearDATA Comply as follows:

1.1 Healthcare Specific Shared Responsibility Model

ClearDATA has developed a shared responsibility model that clearly defines ClearDATA and customer responsibilities from an infrastructure and application perspective for the Gold and Platinum Plans. Utilizing this shared responsibility model and our HITRUST certified processes and controls, customers can focus on building their applications while knowing the underlying operating systems and infrastructure are installed, configured, and maintained in an appropriately secure and compliant manner.

1.2 Customer Responsibilities

1.2.1 Shared Responsibility Model Participation

Customer will participate in the shared responsibility model:

  • By adhering to the responsibility matrix for each cloud service as documented in the Compliance Reference for the corresponding cloud found at https://docs.cleardata.com
  • By ensuring PHI or sensitive data is processed, transmitted or stored in covered services in accordance with the Compliance Reference, including configuring encryption in motion when applicable
  • By ensuring no PHI or sensitive data is processed, transmitted or stored in non-covered services

In addition, Customer will:

  • Assist ClearDATA to resolve identified compliance and security issues
  • Restore data from snapshots when required
  • Ensure that application-aware or database-aware backups are performed wherever snapshots alone are not sufficient to preserve data integrity
  • Create, manage, and maintain performance and availability monitoring and alerting for systems, applications and databases
  • Procure and install all SSL certificates unless specified otherwise in a given service Compliance Reference
  • Be responsible for application and data migration
  • Be responsible for anything else that is not specifically listed as ClearDATA responsibilities (e.g., application development, application maintenance, security incident forensics, etc.)

1.2.2 Encryption Responsibilities

  • Encryption at Rest, In Motion. Unless ClearDATA has signed a written exception as described under Exceptions below, your PHI Data, as defined in HIPAA, to the extent permitted under the Agreement, must be encrypted at all times while at rest and in motion within your cloud environment.
    • At Rest. ClearDATA will encrypt data at rest unless otherwise provided in the relevant RACI or if the relevant Public Cloud Provider Service is not a Covered Service (HIPAA BAA).
    • In Motion. Responsibility for encryption of data in motion is defined in the RACI for each service, in the Compliance Reference, where applicable.
  • Exceptions. You and ClearDATA may agree to a limited exception to the encryption requirements in this Section only in a written document signed by ClearDATA’s Chief Privacy and Security Officer or designee. ClearDATA is not required to agree to an exception request and may impose conditions on any agreed upon exception. Even when an exception is approved, Services used to process unencrypted PHI are “Unsupported Services,” as defined in the CCSA.
  • Remedies. If you fail to cure a violation of this section within a reasonable time following notice, ClearDATA may take steps to protect your Data, including encryption, deleting it from the production environment, or suspending normal access to the cloud environment.

1.2.3 Customer-Provided Cloud Environment

When the customer has contracted with the cloud provider directly, the customer agrees to the following:

  • Represent and warrant they have the necessary rights to the cloud environment to allow ClearDATA to provide the requested services.
  • Ensure that ClearDATA’s access to the account is not blocked
  • Ensure that no user logs in as the account owner or any user having privileges that allow bypassing the ClearDATA Automated Safeguards
  • Ensure that configurations set by ClearDATA are not changed in a way that creates interoperability or security risks
  • Assist ClearDATA with any Cloud provider escalation required to maintain compliance on the environment
    • Cloud issues response time will depend on Cloud support contract procured by customer
    • If customer is not available for an escalation, customer is responsible for any resulting compliance drift
    • ClearDATA’s ability to respond might be limited by the customer support contract

Any violation of this section will reclassify the cloud environment as Unsupported as defined in the CCSA until the violation is remediated as determined by ClearDATA in its sole and reasonable discretion.

1.3 Gold Plan

The Gold Plan allows leveraging standardized Healthcare Managed Services in conjunction with ClearDATA Comply. ClearDATA will provide Healthcare Managed Services and Software Support in accordance with the response times and other commitments described in the Service Level Agreements, Service Descriptions and applicable RACI, to any user registered in the ClearDATA Customer Portal.

The user guide for ClearDATA Comply can be found at https://docs.cleardata.com .

In addition to the benefits of ClearDATA Comply such as enabling native self-service access to selected Supported Services provided by the Public Cloud Provider, ClearDATA Gold Managed Services provides:

1.3.1 ClearDATA BAA

  • Standard BAA and Responsibility Matrix (RACI) designed to reflect the healthcare specific shared responsibility model and the workloads being configured if PHI/PII is present in the cloud environment

1.3.2 Cloud Compliance

  • Access to healthcare specific compliance and architecture guidance
  • Standardized network design and implementation that allows leveraging cloud-native site to site Virtual Private Networks (VPN)
  • If applicable, access to the ClearDATA single-user VPN solution that allows for secure access to the healthcare data and supporting systems in the cloud environment
  • Ongoing identity and access management
  • Automated logging for cloud events
  • Automated Safeguards for selected cloud services, including Kubernetes
  • Compliance events notification
  • Compliance Reporting

1.3.3 Operating System Compliance

  • Access to CIS hardened Operating System Images, updated monthly
  • Access to CIS hardened images if an emergency patch is issued for a zero-day exploit
  • Intrusion Detection configuration and notification of any detected event
  • Agent based vulnerability scanning on a pre-defined quarterly schedule
  • Anti-virus configuration and notification of any detected malware
  • Incident response and assistance with a dedicated contact available to provide necessary telemetry such as logs
  • Patching of operating systems during monthly pre-defined maintenance windows
  • Emergency patching of all operating systems when a patch is made available for a zero-day exploit

1.3.4 Troubleshooting

  • Assistance in troubleshooting Cloud infrastructure and availability issues
  • Secure connectivity troubleshooting
  • Escalation to underlying Public Cloud Provider as warranted
  • Analysis of incidents and outages for the ClearDATA Supported cloud services
  • Technical assistance via phone, email or the ClearDATA Customer Portal

1.3.5 Audit support

  • Built-in compliance reporting
  • Access to ClearDATA SOC 2 and HITRUST reports

1.3.6 Cloud optimization

  • Periodic Review led by a ClearDATA Customer Success Manager (CSM)

1.4 Platinum Support Level

The Platinum support level allows leveraging customizable Healthcare Managed Services in conjunction with ClearDATA Comply. ClearDATA will provide technical assistance for Healthcare Managed Services and Software Support in accordance with the response times and other commitments described in the Service Level Agreements, Service Descriptions and applicable RACI to any user registered in the ClearDATA Customer Portal.

The user guide for ClearDATA Comply can be found at https://docs.cleardata.com .

In addition to enabling native access to the Supported Services provided by the Public Cloud Providers, ClearDATA provides:

1.4.1 ClearDATA BAA

  • Negotiable BAA, Responsibility Matrix (RACI), liability and indemnification limits designed to reflect the shared responsibility model and the workloads being configured if PHI/PII is present in the cloud environment

1.4.2 Cloud Compliance

  • Access to customizable healthcare specific compliance and architecture guidance
  • Optional configuration of all Supported cloud services that are available in self-service
  • Customizable network design and implementation that allows leveraging cloud-native and third-party site to site Virtual Private Networks (VPN)
  • If applicable, access to the ClearDATA single-user VPN solution that allows for secure access to the healthcare data and supporting systems in the cloud environment
  • Ongoing Identity and Access Management, including customization of access policies
  • Automated logging for all cloud events
  • Automated Safeguards for selected cloud services, including Kubernetes
  • Manual safeguards for additional cloud services
  • Compliance events notification
  • Compliance reporting
  • Access to negotiable Security Exceptions

1.4.3 Operating System Compliance

  • Access to CIS hardened Operating System Images, updated monthly
  • Access to CIS hardened images if an emergency patch is issued for a zero-day exploit
  • Intrusion Detection configuration and analysis of any detected event, including evaluation of the potential attack purpose and identification of protection options
  • Agent-based vulnerability scanning on a customizable schedule
  • Network-based vulnerability scanning without credentials on a customizable schedule
  • Network-based vulnerability scanning with credentials on a customizable schedule
  • Anti-virus configuration and analysis of any detected malware, including malware detonation, impact assessment and next step recommendation
  • Customizable notification contact list for intrusion detection, vulnerability scanning, anti-malware or other detected events
  • Incident response and co-investigation with the formation of a Cyber Incident Response Team to provide and analyze necessary telemetry such as logs
  • Patching of operating systems during customizable maintenance windows
  • Emergency Patching of all operating systems when a patch is made available for a zero-day exploit

1.4.4 Troubleshooting

  • Assistance in troubleshooting Cloud infrastructure and availability issues
  • Secure connectivity troubleshooting
  • Escalation to an underlying Public Cloud Provider as warranted
  • Analysis of incidents and outages for the ClearDATA Supported cloud services
  • Technical assistance via phone, email or the ClearDATA Customer Portal

1.4.5 Audit support

  • Built-in compliance reporting
  • Access to ClearDATA SOC 2 and HITRUST reports
  • Access to HITRUST inheritance services
  • Customer audit support

1.4.6 Cloud optimization

  • Customizable account review led by a named ClearDATA Customer Success Manager (CSM) including applicable engineer consultation
  • Quarterly cost optimization and architecture review

1.5 Service Hours

  • As part of their contracts, customers can include a monthly number of Service Hours. The hours do not accrue or roll over month-to-month and are known as Retained Service Hours.

1.5.1 Typical Use Cases and Applicability

Retained Service Hours can be used for routine tasks such as

  • Networking
    • e.g., configure a cloud native site to site VPN, route table optimization, DNS configuration
  • Cloud configuration
    • e.g., configure a Supported Cloud Service that is available for self-service
  • Operating System administration
    • e.g., performance review, configuration while ensuring healthcare compliance
  • DevOps Automation guidance
    • e.g., assistance in tuning a deployment template to ensure resources are deployed in a healthcare compliant manner
  • Backup restoration assistance
  • Security event analysis (Gold support level)

Service Hours are not a substitute for ClearDATA Professional Services and cannot be used for project-oriented tasks that have specific time constraints such as

  • Data or application migration
  • Application development
  • DevOps Automation

The best way to ensure success with projects that must balance scope, schedule and budget is to engage with ClearDATA Professional Services.

1.5.2 Additional Service Hours

A contract amendment can increase the number of Retained Service hours available for the duration of the contract with 15 days notice, to take effect at the next regular billing cycle.

1.5.3 After-hour surcharge

Work required to be performed outside of normal business hours as defined in the Service Level Agreement is subject to an “after-hours” rate surcharge.

1.6 Compliance Exception

1.6.1 Compliance Exclusion Request

When subscribing to the Gold or Platinum support level, there are configurations that require a cloud resource which does not otherwise qualify for use under the ClearDATA compliance requirements, either because it will not process, transmit or store PHI, or because no documented compensating control for an Automated Safeguard exists. When such a resource is identified, the customer can ask that the resource be excluded from Automated Safeguards remediation by submitting a request for technical assistance via the ClearDATA Customer Portal.

Examples of such resources are:

  • An object store (e.g., AWS S3 bucket) that contains static marketing material or images for a public web site and therefore needs to be public
  • A virtual machine, database or instance that is stateless and therefore does not store any data that needs backing up

1.6.2 Security Exception Request

When subscribing to the Gold or Platinum support level, there are times a customer requires an “exception” to the ClearDATA defined compliance configurations and is ready to accept all liability associated with the “exception”. When such an “exception” is identified, the customer can ask for a “Security Exception” by submitting a request via the ClearDATA Customer Portal.

1.7 Cloud Resell

When leveraging the ClearDATA Healthcare Managed services, the customer can use a Cloud Environment provided by ClearDATA as opposed to a customer-owned Cloud Environment. This is known as “Cloud Resell.”

1.8 Service Level Agreements

1.8.1 Technical Support Request

You may request support by opening a support ticket on the customer portal or by calling ClearDATA support at (512) 640-0903 or (844) 265-9625. We will use reasonable commercial efforts to respond to your support requests made via ticket or telephone within the following time frames:

Severity levels, definitions and response times (Gold / Platinum):

1 – Emergency: Gold 60 minutes, Platinum 15 minutes
  • Production System down
  • Customer discovered security event

2 – Urgent: Gold 4 business hours, Platinum 60 minutes
  • Non-Production System down
  • Account or Credentials lock out

3 – Request or Question: Gold 2 business days, Platinum 24 hours
  • IAM user or role creation
  • Custom IAM policy (Platinum support level only)
  • Compliance Exception request
  • Security Exception request (Platinum Support Level only)
  • Compliance and architecture guidance
  • Other responsible services as agreed upon

  • ClearDATA Business Hours: Monday – Friday, 8:00 AM – 5:00 PM US CST/CDT, excluding US Holidays
  • Credits are calculated based on the recurring ClearDATA fee for the calendar month in which a response time failure occurs. If we fail to meet a response time stated above, then you are entitled to a credit of 1% of the ClearDATA fee for the affected Cloud Environment, and an additional 0.5% (one half of one percent) for each additional applicable time increment by which we fail to meet the response time, up to a maximum of 100% of the ClearDATA fee for the affected Cloud Environment for the month in which the failure occurs.

1.8.2 Cloud Infrastructure

ClearDATA does not independently guarantee the performance of the Cloud Infrastructure but agrees that if the Cloud Infrastructure provider issues a service credit to ClearDATA under a Service Level Agreement applicable to your Services, ClearDATA will pass the credit through to you, to the extent any are available, when ClearDATA is providing the cloud environment. As of the Effective Date, the applicable Cloud Infrastructure provider SLAs may be found at:

AWS:  https://aws.amazon.com/legal/service-level-agreements/

Azure:  https://azure.microsoft.com/en-us/support/legal/sla/

GCP:  https://cloud.google.com/compute/sla

To receive a pass-through credit collected from the Cloud Infrastructure provider you must request a credit from ClearDATA at least five (5) business days before the deadline for ClearDATA to request a credit from the Cloud Infrastructure provider under the corresponding Public Cloud Provider SLA. ClearDATA will use reasonable commercial efforts to obtain the requested credit from the Cloud Infrastructure provider but has no obligation to pursue legal remedies against the Cloud Infrastructure provider for its failure to issue a credit as described in its SLA.

1.8.3 ClearDATA Customer Portal

If your ClearDATA customer portal is unavailable for more than 30 consecutive minutes, excluding Maintenance, you are entitled to a credit of 2% of the ClearDATA fee for the affected Cloud Environment, and an additional 1% for each additional full increment of 30 minutes that the portal remains unavailable, up to a maximum of 100% of the ClearDATA fee for the affected Cloud Environment for the month in which the unavailability occurs. The portal is “unavailable” if you are unable to open tickets, receive compliance alerts, or use any other material feature or function of the portal, and ClearDATA is unable to complete these actions for you via some other means.

1.8.4 Exclusions and Limitations on Credits

The following restrictions apply notwithstanding anything above to the contrary.

  1. Cumulative Dollar Amount. The maximum total aggregate credit for any calendar month under this SLA shall not exceed 100% of your recurring monthly ClearDATA fees for the affected Cloud Environment. Credits that would be available but for this limitation will not be carried forward to future months or applied to other Services.
  2. Downtime, outages or other service level failures resulting from Maintenance are not included in the measure of unavailability or response times. “Maintenance” means:
    • Cloud Infrastructure provider maintenance as defined in the SLAs;
    • ClearDATA software scheduled maintenance that is announced at least 5 business days in advance;
    • Maintenance of your configuration that you request and that we schedule with you in advance (either on a case by case basis, or based on standing instructions), such as manual patching, automated patching or other similar event upgrades; or
    • Critical unforeseen maintenance needed for the security or performance of your configuration or our network, including emergency patching.
  3. You are not entitled to a credit for unavailability resulting from capacity constraints inherent in the Services you have elected to purchase. ClearDATA will provide the ability to add capacity as agreed in the Order.
  4. Extraordinary Events. You are not entitled to a credit for downtime or outages resulting from force majeure events.
  5. Your Breach of the Agreement. You are not entitled to a credit if you are in breach of your cloud services agreement (including your payment obligations to us) at the time of the occurrence of the event giving rise to the credit. You are not entitled to a credit if the event giving rise to the credit would not have occurred but for your breach of the cloud services agreement.
  6. Disabling or Removing of Monitoring, Compliance, or Security Services; Interference with Services. You must notify us in advance if you plan to disable, block, or remove any monitoring, compliance, or security element of your service(s). We will not issue you any credit for events that occur on services that you have modified without our consent.
  7. Unsupported Services. You are not entitled to a credit if the event giving rise to the credit would not have occurred but for the use of an “Unsupported” service element as defined in the services agreement between us.
  8. Logical Access. The SLA is contingent on ClearDATA having full logical access to your configuration. No credit will be due if the credit would not have accrued but for your restriction of our logical access to your configuration.
  9. Measurement of Time Periods. For the purpose of determining whether a credit is due, time periods will be measured from the time stamp generated by our ticket system, or the time an interruption is recorded in our monitoring system, as applicable. You may open a support ticket to document the start time for a support request or other incident, or, if you contact us by telephone to request support, we will open a ticket. If you contact us by phone, there may be a delay between the time of the call and the time we open a ticket.
  10. Requests. You must request a credit in writing no later than seven days following the occurrence of the event giving rise to the credit. We will contact you within thirty days to approve or reject the claim or to request more information. If the claim is approved, the credit will appear on your monthly invoice following approval.
  11. Credits are Sole and Exclusive Remedy. The credit remedies provided in this SLA are your sole and exclusive remedy for damages arising from a ClearDATA violation of a service level for which credit is provided.

2. Supported Cloud Services

ClearDATA has determined that certain cloud services are suitable to transmit, process or store PHI (“Covered Services”). ClearDATA has also determined that certain services are supportable by our Customer Success team (“Supported Services”). These services are permitted to be used by our customers as further detailed below.

2.1 Covered Services

To facilitate architecture and delivery of solutions that can transmit, process, or store PHI/PII, the supported cloud providers have developed a set of rules that ClearDATA integrates and augments in solutions covered by our BAA. In addition to requiring that PHI/PII is always encrypted when at rest or in transit, our supported clouds have a subset of services that are eligible to process, transmit or store PHI/PII. These services are known as the Covered Services. The current list of Covered Services can be viewed at https://docs.cleardata.com. As described more fully below, these services can further be broken down into Covered Services with Automated Safeguards, Covered Services with Manual Safeguards, and Covered Services that are eligible to process, transmit or store PHI/PII without Automated Safeguards or Manual Safeguards.

2.1.1 Covered Services with Automated Safeguards

ClearDATA’s Automated Safeguards provide automated remediation technology to allow a healthcare customer to use native public cloud tooling to develop their application while helping keep them compliant against GDPR, HIPAA, ISO 27001, NIST SP-800, and other regulatory standards and certifications.

ClearDATA’s Automated Safeguards interrogate and automatically remediate newly created or updated non-compliant resources for Covered Services in accordance with the ClearDATA documentation at https://docs.cleardata.com.

ClearDATA will continue to add Automated Safeguards for additional cloud provider services over time. Customers can see the current Covered Services with Automated Safeguards, including documentation details and a responsibility matrix for each service, at https://docs.cleardata.com. These services are available for self-service use with all support levels. These services are also available for configuration by a ClearDATA engineer during the onboarding process or using SysAdmin Hours with the Gold or Platinum Healthcare Managed Services. Some Automated Safeguards may not be available without subscribing to Healthcare Managed Services, as further detailed in the Reference Architectures for the services.
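The page describes Automated Safeguards only at the level of "interrogate and remediate non-compliant resources", and Section 1.6.1 describes the case a safeguard must tolerate: a resource the customer has deliberately excluded, such as a public object store holding static marketing content. The Python below is an added illustration of that control loop, not ClearDATA's tooling (which this page does not publish): read a resource snapshot, evaluate it against a few controls, skip controls the customer has excluded for that resource, and apply the implied remediation. The Bucket snapshot fields, the control names, the sample buckets and the rule that encryption at rest cannot be waived through the exclusion path (it belongs to the signed Security Exception process in Section 1.2.2) are assumptions made for this example; the two ACL group URIs are the real S3 group grantees. Nothing here calls AWS.

```python
"""Model of an Automated Safeguard for S3 buckets (illustrative, not ClearDATA code)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set

# Real S3 ACL group grantees; a grant to either makes the bucket readable by
# anyone on the internet or by any authenticated AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Assumption: only the public-access control may be waived through a Compliance
# Exclusion Request (Section 1.6.1). Encryption at rest is not waivable here;
# the document routes that to a signed Security Exception (Section 1.2.2).
EXCLUDABLE_CONTROLS = {"public-access"}


@dataclass
class Bucket:
    """Hypothetical snapshot of the settings a safeguard reads for one bucket."""
    name: str
    acl_grantees: Set[str] = field(default_factory=set)
    public_access_block: bool = False        # True only if all four BlockPublicAccess flags are on
    wildcard_principal_policy: bool = False  # bucket policy statement with Principal "*" and no Condition
    default_encryption: bool = False         # default server-side encryption configured


@dataclass(frozen=True)
class Finding:
    bucket: str
    control: str
    remediation: str


def evaluate_bucket(bucket: Bucket, exclusions: Dict[str, Set[str]]) -> List[Finding]:
    """Return the controls this bucket fails, honouring per-bucket exclusions."""
    # Intersecting with EXCLUDABLE_CONTROLS silently ignores exclusion requests
    # for controls that cannot be waived by this path.
    excluded = exclusions.get(bucket.name, set()) & EXCLUDABLE_CONTROLS
    findings: List[Finding] = []
    if "public-access" not in excluded:
        if bucket.acl_grantees & PUBLIC_GRANTEES:
            findings.append(Finding(bucket.name, "public-access",
                                    "remove AllUsers/AuthenticatedUsers ACL grants"))
        if bucket.wildcard_principal_policy:
            findings.append(Finding(bucket.name, "public-access",
                                    "remove bucket policy statement with Principal '*'"))
        if not bucket.public_access_block:
            findings.append(Finding(bucket.name, "public-access",
                                    "enable all four PublicAccessBlock settings"))
    if not bucket.default_encryption:
        findings.append(Finding(bucket.name, "encryption-at-rest",
                                "configure default server-side encryption"))
    return findings


def remediate(bucket: Bucket, findings: List[Finding]) -> Bucket:
    """Apply the remediation each finding implies to a copy of the snapshot."""
    fixed = replace(bucket, acl_grantees=set(bucket.acl_grantees))
    for finding in findings:
        if finding.control == "public-access":
            fixed.acl_grantees -= PUBLIC_GRANTEES
            fixed.wildcard_principal_policy = False
            fixed.public_access_block = True
        elif finding.control == "encryption-at-rest":
            fixed.default_encryption = True
    return fixed


def run_safeguard(buckets: List[Bucket], exclusions: Dict[str, Set[str]]):
    """Evaluate and remediate every bucket; map name -> (findings, remediated snapshot)."""
    report = {}
    for bucket in buckets:
        findings = evaluate_bucket(bucket, exclusions)
        report[bucket.name] = (findings, remediate(bucket, findings))
    return report


# Constructed sample input, not data from any real account.
SAMPLE_BUCKETS = [
    Bucket("phi-exports", acl_grantees={"http://acs.amazonaws.com/groups/global/AllUsers"}),
    Bucket("marketing-static", acl_grantees={"http://acs.amazonaws.com/groups/global/AllUsers"},
           default_encryption=True),
    Bucket("phi-archive", public_access_block=True, default_encryption=True),
]
# The marketing bucket is the Section 1.6.1 case: public on purpose, excluded by the customer.
SAMPLE_EXCLUSIONS = {"marketing-static": {"public-access"}}

if __name__ == "__main__":
    for name, (findings, after) in run_safeguard(SAMPLE_BUCKETS, SAMPLE_EXCLUSIONS).items():
        print(name, [f.remediation for f in findings], "compliant after:", not evaluate_bucket(after, SAMPLE_EXCLUSIONS))
```

In a real deployment the Bucket fields would be populated from the S3 GetBucketAcl, GetBucketPolicyStatus, GetPublicAccessBlock and GetBucketEncryption calls, and the remediation branches would issue the corresponding Put calls; the separation between evaluate and remediate is what lets an exclusion suppress a single control without turning off the whole safeguard for that resource.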

2.1.2 Covered Services with Manual Safeguards

ClearDATA does not have Automated Safeguards available for all Covered Services. A Covered Service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure the Covered Service according to ClearDATA’s implementation of the regulatory standards and certifications before a customer can utilize it. ClearDATA engineers follow ClearDATA’s healthcare Compliance Reference Architecture and utilize purpose-built tooling to apply our HITRUST certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure customers consume services in a compliant manner. ClearDATA’s Healthcare Compliance Reference Architecture also lays out a RACI that outlines compliance responsibilities for each of ClearDATA, our customer, and the cloud provider. Documentation for ClearDATA Compliance Reference Architectures can be found at https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA Support for details. These services are made available for self-service use in a subscription without Healthcare Managed Services and are available for configuration by a ClearDATA engineer at the Platinum Managed Services level. In addition, some networking and IAM services are made available for configuration by a ClearDATA engineer at the Gold support level.

2.1.3 Covered Services Without Automated Safeguards or Manual Safeguards

Some Covered Services have neither Automated Safeguards nor Manual Safeguards but, due to their simple nature, can be used by the customer in accordance with the guidelines laid out by the Cloud provider or ClearDATA’s Compliance Reference Architecture. ClearDATA’s Compliance Reference Architecture outlines the compliant usage of these services, applying our HITRUST certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. Documentation of the ClearDATA Compliance Reference Architecture guidance can be found at https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA Support for details.

These services are made available for self-service use with all support levels and are available for configuration with the Gold or Platinum support level by a ClearDATA engineer during the onboarding process or using SysAdmin Hours.

2.2 Non-Covered Services

Certain services are not eligible to transmit, process, or store PHI/PII. The responsibility for ensuring that a non-covered service never transmits, processes, or stores PHI/PII belongs to our customers. These services are known as the Non-Covered Services. The current list of Non-Covered Services can be viewed at https://docs.cleardata.com. As described more fully below, these services can further be broken down into Non-Covered Services with Automated Safeguards, Non-Covered Services with Manual Safeguards, and Non-Covered Services without Automated Safeguards or Manual Safeguards.

2.2.1 Non-Covered Services with Automated Safeguards

ClearDATA’s Automated Safeguards provide automated remediation technology to allow a healthcare customer to use native public cloud tooling to develop their application while keeping them compliant against GDPR, ISO 27001, NIST SP-800, and other regulatory standards and certifications.

ClearDATA’s Automated Safeguards interrogate and automatically remediate newly created or updated non-compliant resources for Non-Covered Services in accordance with the ClearDATA Documentation.

ClearDATA will continue to add Automated Safeguards for additional cloud provider services. Customers can see the current list of Non-Covered Services with Automated Safeguards, including documentation details and a responsibility matrix for each service, at https://docs.cleardata.com.

These services are made available for self-service use with all support levels. These services are also available for configuration with the Gold or Platinum support level by a ClearDATA engineer during the onboarding process or using SysAdmin Hours.

Some safeguards may not be available with ClearDATA Comply without subscribing to the Healthcare Managed Services as further detailed in the Reference Architectures for the services.

2.2.2 Non-Covered Services with Manual Safeguards

ClearDATA does not have Automated Safeguards available for all Non-Covered Services. A Non-Covered Service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure the Non-Covered Service according to ClearDATA’s implementation of the regulatory standards and certifications before a customer can utilize it. ClearDATA engineers follow ClearDATA’s Compliance Reference Architecture and utilize purpose-built tooling to apply our HITRUST certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. ClearDATA’s Compliance Reference Architecture also lays out a RACI that outlines compliance responsibilities for each of ClearDATA, our customer, and the cloud provider. This is known as a shared responsibility model: all business associates that have control over PHI and PII take some responsibility for ensuring an overall compliant posture for our customers. Documentation of the ClearDATA Compliance Reference Architecture guidance can be found at https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA Support for details.

These services are made available for self-service use in a subscription without Healthcare Managed Services, and are made available for configuration by a ClearDATA engineer at the Platinum support level. In addition, some networking and IAM services are made available for configuration by a ClearDATA engineer at the Gold support level.

2.2.3 Non-Covered Services Without Automated Safeguards or Manual Safeguards

Some Non-Covered Services have neither Automated Safeguards nor Manual Safeguards available. These services are operationally basic in practice and can be used in accordance with the guidelines laid out by the Cloud provider or ClearDATA’s Compliance Reference Architecture. ClearDATA’s Compliance Reference Architecture outlines the compliant usage of these services, applying our HITRUST certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. Documentation of the ClearDATA Compliance Reference Architecture guidance can be found at https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA Support for details.

These services are made available for self-service use with all support levels and are made available for configuration with the Gold or Platinum support level by a ClearDATA engineer during the onboarding process or using SysAdmin Hours.

3. Unsupported Services

For certain services ClearDATA has not yet determined whether they are Covered or Non-Covered, and it has determined that certain other services are not supported by our Customer Success teams. Under Healthcare Managed Services, these services are not permitted to be used by our customers in any fashion. Any service not listed at https://docs.cleardata.com as Covered or Non-Covered is considered Unsupported and is not eligible for use by our customers. Please contact ClearDATA Support to request that an Unsupported Service be made Supported. Unsupported Services are available only for self-service use in ClearDATA Comply subscriptions without Healthcare Managed Services.

4. Identity & Access Management (IAM)

4.1 Customer Owned & Managed IAM for GCP

ClearDATA customers maintain control of their Google Cloud Platform (“GCP”) organizations and thus the management of their users and those users’ permissions. ClearDATA’s access model for automation and support (described below) requires a ClearDATA service account to which an administrator of the customer’s organization grants ownership permissions during onboarding. See the ClearDATA GCP Access Model for details.

4.2 AWS IAM

By default, customers on Amazon Web Services (“AWS”) who subscribe to ClearDATA’s Gold or Platinum support levels are granted certain permissions that allow them to take direct advantage of services in their AWS account. To help enforce compliance and maintain a secure environment, ClearDATA has developed a set of permission roles that give customers the access they require to Services with Automated Safeguards and to Services without Manual Safeguards or Automated Safeguards. Access to Services with Manual Safeguards can be enabled at the Platinum support level following an engineering and architecture consultation to ensure compliance is maintained. Customers have the option to designate an Administrator who can create users and map them to specific groups, each group having a limited set of capabilities, which allows for granular role-based access control to AWS. Alternatively, customers can configure federated authentication so that all user access rights are managed in their existing user directory. See Automated Safeguards for IAM for details.

Customers who have selected the ClearDATA Comply™ Software-only support level for a given account can fully access all services in such an account.

4.3 Azure IAM

By default, customers on Azure are granted certain permissions that allow them to take direct advantage of services in their Azure subscription. To help enforce compliance and maintain a secure environment, ClearDATA has developed a set of permission roles that give customers the access they require to Covered Services. Access to other services can be enabled following an engineering and architecture consultation to ensure compliance is maintained. Customers have the option to designate an Administrator who can create users and map them to specific groups, each group having a limited set of capabilities, which allows for granular role-based access control to Azure. See the Azure Identity and Access documentation for details.

5. ClearDATA Customer Portal

The ClearDATA Cloud Platform user interface or Customer Portal is accessible at https://foundation.cleardata.com. The ClearDATA Customer Portal allows access to ClearDATA Comply™ and user interfaces for administrative tasks such as user management, billing and ticketing.

6. ClearDATA Access Model for Automated Safeguards

6.1 GCP

All ClearDATA access to your GCP project originates in a ClearDATA-owned service account. This service account is created when your project is first onboarded, and it is dedicated to that project. Even if you have multiple projects with the same services from ClearDATA, we will use different service accounts to access each.

When our tools need access to your project, they begin by requesting a key for your project’s service account. Key issuance is subject to several important rules that increase your security and compliance.

  1. Every issued key is tracked and automatically deleted; by default a key is valid for one hour or less. This way, if a key is ever compromised, it quickly becomes worthless.
  2. Each issued key can access only a single project. Our automation therefore cannot gain access to multiple projects with one credential, which reduces the possibility of data leakage and limits the damage in case of a bug.
  3. All of ClearDATA’s access happens in a uniform fashion, from a centralized service. This greatly simplifies auditing.

6.2 AWS

ClearDATA utilizes a number of prebuilt IAM roles to access customer environments in order to execute Automated Safeguard evaluation and remediation. Customers subscribing to the Gold or Platinum support levels are restricted from using or modifying ClearDATA IAM roles and policies. ClearDATA uses the AWS Security Token Service (STS) and short-lived credentials for all access, and all activity is logged via AWS CloudTrail.

When subscribing to the Software-only support level, these IAM roles and policies are configured so that ClearDATA IAM roles and policies are restricted to only access the underlying cloud control plane.

6.3 Azure

ClearDATA utilizes a number of prebuilt IAM roles to access customer environments to execute Automated Safeguard evaluation and remediation. Customers are restricted from using or modifying ClearDATA IAM roles and policies.

7. ClearDATA’s Access Model for Support

7.1 GCP

Service account keys give ClearDATA automation secure access to your project. For support, an internal tool allows ClearDATA representatives to request temporary membership in your project: the credentials management service adds the ClearDATA user to the appropriate IAM role, and that access is tracked and automatically removed after an hour. To modify your project’s IAM policy, the credentials management service first issues itself a temporary service account key, scoped to your project and subject to the same rules described above, that carries permission to modify the policy.
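The model below is an added illustration, not ClearDATA’s own code, of the GCP access model described in sections 6.1 and 7.1: a single credentials service that issues short-lived, project-bound service account keys, grants temporary IAM role memberships by first obtaining such a key for itself, automatically deletes anything that has expired, and records every decision in one audit trail. The class and method names, the service account naming scheme, and the use of an in-memory table in place of real IAM API calls are all assumptions made for the example.

```python
"""Model of a centralized credentials service for per-project GCP access.

Added example (not ClearDATA's code). It enforces the rules stated in the
text: every key or membership lives one hour or less and is deleted when it
expires, a key is bound to exactly one project, and all issuance flows through
one service that keeps an audit trail. A real service would call the IAM API
where this model only records state in memory.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

MAX_TTL_SECONDS = 3600  # every key and every membership lives one hour or less


@dataclass(frozen=True)
class Grant:
    """A time-bounded credential: a service-account key or an IAM role membership."""
    grant_id: str
    kind: str        # "key" or "membership"
    project: str     # the single project this grant is valid for
    subject: str     # service account email, or e.g. "user:alice@example.com"
    role: str        # IAM role for memberships; "" for keys
    expires_at: float


class CredentialsService:
    """Centralized broker: all access is issued here and logged here."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants: dict[str, Grant] = {}
        self.audit: list[tuple[str, str, str]] = []  # (event, grant_id, detail)

    @staticmethod
    def service_account_for(project: str) -> str:
        # One dedicated service account per project (hypothetical naming scheme).
        return f"cleardata-automation@{project}.iam.gserviceaccount.com"

    def _add(self, kind: str, project: str, subject: str, role: str, ttl: int) -> Grant:
        if not 0 < ttl <= MAX_TTL_SECONDS:
            raise ValueError(f"ttl must be 1..{MAX_TTL_SECONDS} seconds")
        g = Grant(secrets.token_hex(8), kind, project, subject, role, self._clock() + ttl)
        self._grants[g.grant_id] = g
        self.audit.append((f"{kind}.issue", g.grant_id, f"{subject} -> {project} {role}".rstrip()))
        return g

    def issue_key(self, project: str, ttl: int = MAX_TTL_SECONDS) -> Grant:
        """Section 6.1: short-lived key for the project's dedicated service account."""
        return self._add("key", project, self.service_account_for(project), "", ttl)

    def authorize_key(self, grant_id: str, project: str) -> bool:
        """Accept a key only if it is still live and bound to exactly this project."""
        self.sweep()
        g = self._grants.get(grant_id)
        if g is None or g.kind != "key":
            self.audit.append(("key.deny", grant_id, "unknown or expired"))
            return False
        if g.project != project:
            self.audit.append(("key.deny", grant_id, f"bound to {g.project}, not {project}"))
            return False
        self.audit.append(("key.allow", grant_id, project))
        return True

    def grant_membership(self, project: str, user: str, role: str,
                         ttl: int = MAX_TTL_SECONDS) -> Grant:
        """Section 7.1: the service first issues itself a project-scoped key and
        must pass its own key check before it may edit the project's IAM policy."""
        own_key = self.issue_key(project)
        if not self.authorize_key(own_key.grant_id, project):
            raise PermissionError("service could not obtain access to the project")
        return self._add("membership", project, user, role, ttl)

    def iam_policy(self, project: str) -> set[tuple[str, str]]:
        """Live (role, member) bindings added by the service, expired ones removed."""
        self.sweep()
        return {(g.role, g.subject) for g in self._grants.values()
                if g.kind == "membership" and g.project == project}

    def sweep(self) -> int:
        """Delete every expired key and membership; returns how many were removed."""
        now = self._clock()
        expired = [k for k, g in self._grants.items() if g.expires_at <= now]
        for k in expired:
            g = self._grants.pop(k)
            self.audit.append((f"{g.kind}.delete", k, "expired"))
        return len(expired)

    def live_count(self) -> int:
        return len(self._grants)


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting an hour."""
    def __init__(self, start: float = 0.0): self.now = start
    def __call__(self) -> float: return self.now
    def advance(self, seconds: float) -> None: self.now += seconds


def demo() -> dict:
    clock = FakeClock()
    svc = CredentialsService(clock)
    key = svc.issue_key("project-a")
    member = ("roles/viewer", "user:oncall@cleardata.example")  # constructed
    out = {"same_project": svc.authorize_key(key.grant_id, "project-a"),
           "other_project": svc.authorize_key(key.grant_id, "project-b")}
    svc.grant_membership("project-a", member[1], member[0])
    out["binding_live"] = member in svc.iam_policy("project-a")
    clock.advance(MAX_TTL_SECONDS + 1)
    out["binding_after_hour"] = member in svc.iam_policy("project-a")
    out["key_after_hour"] = svc.authorize_key(key.grant_id, "project-a")
    out["live_after_hour"] = svc.live_count()
    return out


if __name__ == "__main__":
    print(demo())
```

`demo()` walks the lifecycle: the key works for its own project, is refused for another project, the support membership appears in the policy, and after the clock passes one hour both the key and the membership are gone and the audit trail shows the deletions.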

7.2 AWS

ClearDATA utilizes prebuilt IAM roles to access customer environments in order to provide support for customers who have subscribed to the Gold or Platinum support level. Customers are restricted from using or modifying all ClearDATA IAM roles and policies. ClearDATA uses the AWS Security Token Service (STS) and short-lived credentials for all access; all AWS activity is logged via AWS CloudTrail, and EC2 access is logged via CloudWatch Logs.
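Because sections 6.2 and 7.2 state that all ClearDATA access goes through STS short-lived credentials and is recorded in CloudTrail, and that customers may neither use nor modify the ClearDATA roles, a customer can verify those properties from their own trail. The audit below is an added example and not ClearDATA’s tooling: it reads CloudTrail records in their native JSON shape and flags any vendor-role session longer than an hour, any vendor role assumed from an account other than the vendor’s, and any attempt by a non-vendor principal to change a vendor role. The role-name prefix, the vendor account ID, the one-hour ceiling and the sample records are all constructed assumptions.

```python
"""Audit CloudTrail for misuse of vendor IAM roles.

Added example (not ClearDATA's code). It checks three things a customer can
verify from their own trail: vendor-role sessions are short-lived, vendor roles
are assumed only from the vendor's account, and nobody outside the vendor
account edits those roles. The sample records below are constructed.
"""
import json

MAX_SESSION_SECONDS = 3600           # assumed ceiling for "short-lived"
VENDOR_ROLE_PREFIX = "ClearDATA"     # assumed naming convention for vendor roles
VENDOR_ACCOUNT_ID = "111111111111"   # constructed: the account the vendor assumes from
CUSTOMER_ACCOUNT_ID = "222222222222" # constructed
ROLE_MUTATION_EVENTS = {"PutRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
                        "DeleteRolePolicy", "UpdateAssumeRolePolicy", "UpdateRole",
                        "DeleteRole"}

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # compliant: vendor automation assumes its role for one hour
        "eventTime": "2020-06-08T14:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": VENDOR_ACCOUNT_ID},
        "requestParameters": {
            "roleArn": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:role/ClearDATA-Safeguards",
            "roleSessionName": "safeguards-eval", "durationSeconds": 3600}},
    {   # violation: a 12-hour session requested on a vendor role
        "eventTime": "2020-06-08T14:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": VENDOR_ACCOUNT_ID},
        "requestParameters": {
            "roleArn": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:role/ClearDATA-Support",
            "roleSessionName": "support", "durationSeconds": 43200}},
    {   # violation: a customer IAM user assumes a vendor role (no duration given)
        "eventTime": "2020-06-08T15:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": CUSTOMER_ACCOUNT_ID,
                         "userName": "alice"},
        "requestParameters": {
            "roleArn": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:role/ClearDATA-Safeguards",
            "roleSessionName": "alice"}},
    {   # violation: a customer IAM user edits a vendor role's inline policy
        "eventTime": "2020-06-08T15:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy",
        "userIdentity": {"type": "IAMUser", "accountId": CUSTOMER_ACCOUNT_ID,
                         "userName": "bob"},
        "requestParameters": {"roleName": "ClearDATA-Support", "policyName": "extra"}},
    {   # ignored: the customer's own role is out of scope for this check
        "eventTime": "2020-06-08T16:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": CUSTOMER_ACCOUNT_ID,
                         "userName": "alice"},
        "requestParameters": {
            "roleArn": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:role/AppDeploy",
            "roleSessionName": "deploy", "durationSeconds": 7200}},
]})


def role_name(arn: str) -> str:
    return arn.rsplit("/", 1)[-1]


def is_vendor_role(name: str) -> bool:
    return name.startswith(VENDOR_ROLE_PREFIX)


def actor_label(identity: dict) -> str:
    return f"{identity.get('accountId')}/{identity.get('userName', identity.get('type'))}"


def audit(records: list) -> list:
    """Return one finding string per non-compliant record; empty means clean."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        actor = rec.get("userIdentity") or {}
        when = rec.get("eventTime", "?")
        if rec.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRole":
            role = role_name(params.get("roleArn", ""))
            if not is_vendor_role(role):
                continue
            duration = params.get("durationSeconds", 3600)  # STS default is one hour
            if duration > MAX_SESSION_SECONDS:
                findings.append(f"{when} {role}: session of {duration}s exceeds "
                                f"{MAX_SESSION_SECONDS}s")
            if actor.get("accountId") != VENDOR_ACCOUNT_ID:
                findings.append(f"{when} {role}: assumed by non-vendor principal "
                                f"{actor_label(actor)}")
        elif rec.get("eventSource") == "iam.amazonaws.com" and name in ROLE_MUTATION_EVENTS:
            role = params.get("roleName", "")
            if is_vendor_role(role) and actor.get("accountId") != VENDOR_ACCOUNT_ID:
                findings.append(f"{when} {role}: {name} by non-vendor principal "
                                f"{actor_label(actor)}")
    return findings


def audit_trail_json(text: str) -> list:
    """Entry point for a raw CloudTrail log file (the {"Records": [...]} envelope)."""
    return audit(json.loads(text)["Records"])


if __name__ == "__main__":
    for line in audit_trail_json(SAMPLE_TRAIL):
        print(line)
```

Run against a real trail, the same three checks are what a customer would want to see return nothing: every ClearDATA role session at or under the hour, every assumption originating from ClearDATA’s side, and no role edits from customer principals. A missing `durationSeconds` is treated as the STS default of one hour, which is why the third sample record is flagged only for its caller and not for its length.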

Support for customers who have subscribed to the Software-only support level is limited to supporting the software itself; our Customer Success team does not have access to any cloud environment registered at the Software-only (self-service) level.

7.3 Azure

ClearDATA utilizes prebuilt IAM roles to access customer environments to provide support for our customers.  Customers are restricted from using or modifying all ClearDATA IAM roles and policies.


© ClearDATA Networks, Inc. 2020

Revision Date June 8, 2020