1. ClearDATA Managed Services – Regulated Environments

For customers requiring Managed Services along with their ClearDATA CyberHealth™ Platform subscription, ClearDATA has provided the following information regarding support and services for regulated and non-regulated environments:

• Shared Responsibility Model: ClearDATA has developed a shared responsibility model that defines ClearDATA and customer responsibilities from an infrastructure and application perspective.
• Security Exceptions: Any exceptions of services that ClearDATA does not support along with the process for review.
• Service Level Agreements (SLAs): Response times adhered to by ClearDATA in support of cloud infrastructure & service customer requests.

Differences between Regulated and Non-Regulated Environments

ClearDATA manages both regulated and non-regulated environments for its customers. A non-regulated environment is defined as one that does not transmit, process, or store Regulated Data. Because of this, non-regulated environments do not have restrictions on use.

ClearDATA maintains separate service descriptions for regulated environments and non-regulated environments. A customer may have both regulated and non-regulated environments. Each environment is governed by the contractual agreement. Customers agree that they will not place PII or PHI in a non-regulated cloud environment.

1.1  Shared Responsibility Model

By utilizing the ClearDATA Shared Responsibility Model and ClearDATA’s HITRUST-certified processes and controls, the Customer can focus on building applications while knowing the underlying operating systems, infrastructure and eligible cloud services are installed, configured, and maintained at the appropriate level of security and compliance for their environment.

The ClearDATA Shared Responsibility Model defines the details of Customer responsibilities and ClearDATA responsibilities to include two components:

• The Managed Service RACI providing information on services supported by Managed Services and outlining customer and ClearDATA responsibilities.  The RACI is located online via the following link at ClearDATA Managed Services RACI under “RACI.”
• The Compliance Reference Architecture, or technical platform documentation, showing technical controls on a per service basis for each cloud.  Additional details on the technical documentation on each of the supported cloud platforms and services can be found at:
  • AWS:  AWS Compliance Reference – ClearDATA AWS Platform Documentation – ClearDATA Learning and Sharing Platform
  • Azure:  Azure Compliance Reference – ClearDATA Azure Platform Documentation – ClearDATA Learning and Sharing Platform
  • GCP:  GCP Compliance Reference – ClearDATA GCP Platform Documentation – ClearDATA Learning and Sharing Platform

1.2  Managed Services Customer Responsibilities

1.2.1  Shared Responsibility Model Participation

All customers participate in the  ClearDATA shared Responsibility Model:

• By adhering to the RACI for Managed Service activities.
• By adhering to the Compliance Reference Architecture guidance for each cloud service.

Customers with environments that store, process, or transmit PHI) also participate:

• By ensuring protected health information (PHI) or sensitive data is processed, transmitted, and stored within certain cloud services suitable to transmit, process, or store Regulated Data (hereafter referenced as “HIPAA Compliant Services”)
• By ensuring Regulated data is not processed, transmitted, or stored in non-HIPAA Compliant Services.

In addition, all Customers must:

• Assist ClearDATA in activities as appropriate. Examples of these activities include data restoration and backup, TLS/SSL certificate management and availability monitoring.
• Be responsible for anything not specifically listed as ClearDATA responsibility (e.g., application development, application migration, data migration, application maintenance, security incident forensics, etc.)

1.2.2  Encryption at Rest and Encryption in Motion

This section applies to customers with environments containing PHI:

• Responsibilities. Unless ClearDATA has signed a written Security Exception as described in Section 1.3.2, customer’s PHI Data, as defined in HIPAA, to the extent permitted under the Agreement, must be encrypted at all times while at rest and in motion within the cloud environment.
  • At Rest. ClearDATA will encrypt data at rest unless otherwise provided in the relevant RACI or if the relevant Public Cloud Provider Service is not a HIPAA Compliant Service.
  • In Motion. Customer responsibility for encryption of data in motion is defined in the technical Compliance Reference Architecture for each cloud service as listed in the links found in Section 1.1, “Shared Responsibility Model.”
• Exceptions. Customer and ClearDATA may agree to a limited exception to the encryption requirements in this Section only in a written document signed by the ClearDATA Chief Privacy and Security Officer or designee. ClearDATA is not required to agree to an exception request and may impose conditions on any agreed upon exception. Even when approved, Services used to process unencrypted PHI are “Unsupported Services,” as defined in the ClearDATA Cloud Computing Service Agreement (CCSA) located at http://cleardata.local/legal/.
  • Additional information is found in the Service Exceptions section on this page in Section 1.3.
• ClearDATA Remediation. If the customer fails to remediate a violation of this section within a reasonable time following notice, ClearDATA may take steps to protect the data. Steps may include encrypting data, deleting data from the production environment, or suspending normal access to the cloud environment.

1.2.3  Customer-Provided Cloud Environment

ClearDATA Managed Services customers rely on ClearDATA to perform actions within the cloud environment on their behalf. When the customer has contracted with the cloud provider directly, the customer agrees with the following:

• Represent they have the necessary rights to the cloud environment to allow ClearDATA to provide the requested services
• Ensure that ClearDATA has access to the account(s)

Customers with environments containing PHI:

• Ensure that login access is restricted so that no user logs in as the account owner or as any user having privileges that allow bypassing ClearDATA Automated Safeguards
• Assist ClearDATA with cloud service provider escalations required to maintain compliance on the environment
• ClearDATA response time for service issues will depend on Cloud support contract procured by customer
• If customer is not available for an escalation, customer is responsible for resulting compliance drift
• Environments that are in violation of this section will result in a reclassification of the cloud environment as Unsupported as defined in the CCSA until the violation is remediated as determined by ClearDATA in its sole and reasonable discretion.

1.3  Security Exceptions

This section applies to customers with environments containing PHI:

1.3.1  Automated Safeguard Exclusion Request

Customers may have cloud configurations that require access to cloud resource(s) that do not otherwise supported by ClearDATA If the resource(s) does not transmit, process or store PHI and no documented compensating control for a ClearDATA CyberHealth™ Platform automated safeguard exists, ClearDATA managed service customers can request that the resource(s) be excluded from CyberHealth™ Platform Automated Safeguards remediation by submitting a request for technical assistance via the ClearDATA customer portal (https://cyberhealth.cleardata.com).

Examples of excluded resources include:

• An object store (e.g., AWS S3 bucket) that contains static marketing material or images for a public web site and therefore needs to be public.
• A virtual machine, database or instance that is stateless and therefore does not store data requiring back up.

1.3.2  Security Exception

Customers may request an “exception” to the ClearDATA defined compliance configurations. If a security exception is required, the customer must accept all liability associated with the service to which the security exception applies.

When the need for an “exception” is identified, the customer can ask for a security exception by submitting a request via the ClearDATA customer portal at https://cyberhealth.cleardata.com.

1.3.3  Exclusions and Limitations on Credits

The following restrictions apply notwithstanding anything above to the contrary.

1. Cumulative Dollar Amount. The maximum total aggregate credit for any calendar month under this SLA shall not exceed 100% of the customer’s monthly ClearDATA fees for the affected Cloud Environment. Credits that would be available but for this limitation will not be carried forward to future months or applied to other Services.
2. Maintenance. Downtime, outages or other service level failures resulting from Maintenance are not included in the measure of unavailability or response times. “Maintenance” means:
   1. Cloud Infrastructure provider maintenance as defined in the SLAs;
   2. ClearDATA software scheduled maintenance that is announced at least five (5) business days in advance;
   3. Customer-requested maintenance of the configuration that ClearDATA schedules in advance (either on a case-by-case basis, or based on standing instructions), such as manual patching, automated patching or other similar event upgrades; or
   4. Critical unforeseen maintenance needed for security or performance, including emergency patching.
3. Capacity. The customer is not entitled to a credit for unavailability resulting from capacity restraints inherent in the Services you have elected to purchase. ClearDATA will provide the ability to add capacity as agreed in the Order.
4. Extraordinary Events. The customer is not entitled to a credit for downtime or outages resulting from force majeure events.
5. Your Breach of the Agreement. The customer is not entitled to a credit if the customer is in breach of your cloud services agreement (including your payment obligations to ClearDATA) at the time of the occurrence of the event giving rise to the credit. The customer is not entitled to a credit if the event giving rise to the credit would not have occurred, but for the customer’s breach of the cloud services agreement.
6. Disabling or Removing of Monitoring, Compliance, or Security Services, Interference with Services. The customer must notify ClearDATA in advance if the customer plans to disable, block, or remove any monitoring, compliance, or security element of the customer’s service(s). ClearDATA will not issue the customer credit for events that occur on services that you have modified without our consent.
7. Unsupported Services. You are not entitled to a credit if the event giving rise to the credit would not have occurred but for the use of an “Unsupported” service element as defined in the services agreement between the customer and ClearDATA.
8. Logical Access. The SLA is contingent on ClearDATA having full logical access to your configuration. No credit will be due if the credit would not have accrued but for your restriction of our logical access to your configuration.
9. Measurement of Time Periods. For the purpose of determining whether a credit is due, time periods will be measured from the time stamp generated by our ticket system, or the time an interruption is recorded in our monitoring system, as applicable. You may open a support ticket to document the start time for a support request or other incident, through the ClearDATA customer portal at https://cyberhealth.cleardata.com.
10. Requests. You must request a credit in writing no later than seven (7) days following the occurrence of the event giving rise to the credit. We will contact you within thirty days to approve or reject the claim or to request more information. If the claim is approved, the credit will appear on your monthly invoice following approval.
11. Credits are Sole and Exclusive Remedy. The credit remedies provided in this SLA are your sole and exclusive remedy for damages arising from ClearDATA violation of a service level for which credit is provided.

2. Supported Cloud Services

This section applies to customers with environments containing Protected Health Information (PHI) and Personally Identifiable Information (PII) as defined in the CCSA. ClearDATA defines PHI and PII as “Regulated Data” but for the ease of use refers to each or both as “HIPAA Eligible” or “HIPAA Compliant.”

The Public Cloud Provider has determined that certain cloud services are suitable to transmit, process or store PHI (“HIPAA Eligible Services”). ClearDATA has also determined it will only support certain services that process, transmit or store Regulated Data (“HIPAA Compliant Services”). These services are permitted to be used by our customers as further detailed below.

2.1  HIPAA Compliant Services

To facilitate architecture and delivery of solutions that can transmit, process, or store Regulated Data, the supported cloud providers have developed a set of rules that ClearDATA integrates and augments in solutions that are configured to be HIPAA compliant. In addition to requiring that Regulated Data is always encrypted when at rest or in transit, our supported clouds have a subset of services that are eligible to transmit, process or store Regulated Data. These services are known as HIPAA Compliant Services.

The current list of HIPAA Compliant Services for each cloud service can be viewed at:

• AWS:  AWS Compliance Reference – ClearDATA AWS Platform Documentation – ClearDATA Learning and Sharing Platform
• Azure:  Azure Compliance Reference – ClearDATA Azure Platform Documentation – ClearDATA Learning and Sharing Platform
• GCP:  GCP Compliance Reference – ClearDATA GCP Platform Documentation – ClearDATA Learning and Sharing Platform

As described below, these services can further be as HIPAA Compliant Services with Automated Safeguards, HIPAA Compliant Services with Manual Safeguards, and HIPAA Compliant Services that are eligible to transmit, process or store Regulated Data without Automated Safeguards or Manual Safeguards.

If a particular service does not have a Compliance Reference Architecture published in the links referenced in Section 2.1, “HIPAA Compliant Services, please contact ClearDATA through the customer portal at https://cyberhealth.cleardata.com.

2.1.1 HIPAA Compliant Services with Automated Safeguards

ClearDATA Automated Safeguards provide automated remediation technology to allow a healthcare customer to use native public cloud tooling to develop their application while helping maintain compliance with the HIPAA Security Rule and the HITECH Act.

ClearDATA Automated Safeguards interrogate and automatically remediate newly created or updated non-compliant resources for HIPAA Compliant Services in accordance with the ClearDATA documentation for each cloud service Compliance Reference Architecture included in Section 2.1. ClearDATA expands Automated Safeguards for additional cloud provider services over time. Customers can see current HIPAA Compliant Services with Automated Safeguards, including documentation details for each cloud service, in the Compliance Reference Architecture documentation.  These services are made available for self-service use with all support levels and are available for configuration by a ClearDATA engineer during the onboarding process or by engaging  ClearDATA Managed Services.  Note that some safeguards may not be available with ClearDATA CyberHealth™ Platform without subscribing to Managed Services as further detailed in the relevant ClearDATA Compliance Reference Architecture.

2.1.2  HIPAA Compliant Services with Manual Safeguards

ClearDATA does not have Automated Safeguards available for all HIPAA Eligible Services. A HIPAA Eligible Service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure a HIPAA Eligible Service according to the ClearDATA implementation of the regulatory standards and certifications before a customer can utilize the HIPAA Eligible Service with PHI. ClearDATA engineers follow the ClearDATA Compliance Reference Architecture and utilize purpose-built tooling to apply ClearDATA HITRUST-certified policies and procedures beyond the cloud provider’s documented guidelines to help ensure customers consume services in a compliant manner. The ClearDATA Compliance Reference Architecture also outlines compliance responsibilities for ClearDATA, the customer, and the cloud provider.

In addition, many services are made available for self-service on the customer portal at https://cyberhealth.cleardata.com.

2.1.3  HIPAA Eligible Services without Automated Safeguards or Manual Safeguards

Some HIPAA Eligible Services have neither Automated Safeguards nor manual safeguards but due to their simple nature can be used by the customer in accordance with guidelines provided by the Public Cloud Provider or within ClearDATA Compliance Reference Architecture. ClearDATA Compliance Reference Architecture outlines the compliant usage of these services that apply our HITRUST certified policies and procedures in addition to the Public Cloud Provider’s documented guidelines to help ensure our customers are consuming the services in compliance with the HIPAA Security Rule and the HITECH Act. ClearDATA Compliance Reference Architectures can be found the link included in Section 2.1If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA through the customer portal at https://cyberhealth.cleardata.com.

These services are made available for self-service use with all support levels and are available for configuration by a ClearDATA engineer during the onboarding process or by engaging  ClearDATA Managed Services.

2.2  Non-HIPAA Eligible Services

Certain services are not eligible to transmit, process, or store Regulated Data. These services are known as the Non-HIPAA Eligible Services. The customer is responsible for ensuring Non-HIPAA Eligible Services never transmit, process, or store Regulated Data. The current list of Non-HIPAA Eligible Services for each cloud service can be viewed at:

• AWS:  AWS Compliance Reference – ClearDATA AWS Platform Documentation – ClearDATA Learning and Sharing Platform
• Azure:  Azure Compliance Reference – ClearDATA Azure Platform Documentation – ClearDATA Learning and Sharing Platform
• GCP:  GCP Compliance Reference – ClearDATA GCP Platform Documentation – ClearDATA Learning and Sharing Platform

As described more fully below, these services can further be categorized as Non-HIPAA Eligible Services with Automated Safeguards, Non-HIPAA Eligible Services with Manual Safeguards, and Non-HIPAA Eligible Services without Automated Safeguards or Manual Safeguards.

If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA through the customer portal at https://cyberhealth.cleardata.com.

2.2.1  Non-HIPAA Eligible Services with Automated Safeguards

Customers can see the current list of Non-HIPAA Eligible Services with Automated Safeguards, including, documentation details in the Compliance Reference Architecture for each cloud service included in Section 2.2, “Non-HIPAA Eligible Services.”

These services are made available for self-service use and are also available for configuration by a ClearDATA engineer during the onboarding process or by engaging ClearDATA Managed Services.

Note that some safeguards may not be available with ClearDATA CyberHealth™ Platform without subscribing to Managed Services as further detailed in the relevant ClearDATA Compliance Reference Architecture.

2.2.2  Non-HIPAA Eligible Services with Manual Safeguards

ClearDATA does not have Automated Safeguards available for all Non-HIPAA Eligible Services. A Non-HIPAA Eligible Service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure a Non-HIPAA Eligible Service according to ClearDATA implementation of the regulatory standards and certifications before a customer can utilize the HIPAA Eligible Service. ClearDATA engineers follow ClearDATA Compliance Reference Architecture and utilize purpose-built tooling to apply ClearDATA HITRUST-certified policies and procedures on top of cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. ClearDATA Compliance Reference Architecture outlines compliance responsibilities for ClearDATA, our customer, and the cloud provider. This is known as a shared responsibility model to ensure compliance; where all customers that have control over PHI & PII take some responsibility in ensuring an overall compliant posture for our customers.

These services are made available for self-service use in a subscription without Managed Services and are made available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA Managed Services.

2.2.3  Non-HIPAA Eligible Services Without Automated Safeguards or Manual Safeguards

Some non-HIPAA Eligible Services have neither Automated Safeguards nor Manual Safeguards available. Certain services are operationally basic in practice and can be used in accordance with the guidelines by the Cloud provider or ClearDATA Compliance Reference Architecture. ClearDATA Compliance Reference Architecture outlines the compliant usage of these services that apply ClearDATA HITRUST-certified policies and procedures beyond the cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. Documentation of the ClearDATA Compliance Reference Architecture guidance for each cloud service can be found at the links provided in Section 2.2.

If a service does not have a Compliance Reference Architecture published, please contact ClearDATA through the ClearDATA customer portal at https://cyberhealth.cleardata.com.

These services are made available for self-service use and are made available for configuration by a ClearDATA engineer during the onboarding process or by engaging ClearDATA Managed Services.

3. Unsupported Services

This section applies to customers with environments containing PHI.

In cases where ClearDATA has not determined whether certain services are HIPAA Compliant or HIPAA Eligible or if a service is unsupported they may not be used without a Security Exception signed by ClearDATA. Any service not listed under the Cloud Reference Architecture for each cloud service as HIPAA Compliant or HIPAA Eligible is considered Unsupported and not eligible for use by customers.

Please contact ClearDATA through the customer portal to make a request that an Unsupported Service be Supported. Unsupported services are only available for self-service use in ClearDATA CyberHealth™ Platform subscriptions without Managed Services.

4. Service Level Agreements (SLAs)

Following are SLAs ClearDATA follows for Technical Support & Cloud Infrastructure (detailed by the Cloud Service Providers).

4.1 Technical Support

Customers may request product, compliance, and technical support by opening a support case on the ClearDATA customer portal:  https://cyberhealth.cleardata.com

Table 1: SLAs

Severity Level	Definition	Response Time
1 – Urgent	Production Down:  An incident or situation has occurred that is causing a total, critical service outage to client-facing cloud services. Client business operations cannot continue or are severely compromised. The incident affects critical path processing, and there is no workaround available. Includes suspected security events such as active malware; suspicious cloud service or user activity; key or credential exposure; or performance degradation or outages caused by security tools.	15 minutes
2 – High	Production Impaired: An incident or situation has occurred that is having a significant effect on the client’s ability to conduct primary business operations. Client business operations may be or are at a risk of being compromised. The incident may affect critical path processing, and an effective work-around may be available. Includes incidents or situations such as loss of redundancy, loss of access, or heightened resource utilization.	1 hour
3 – Medium	Non-Production Down:  An incident or situation has occurred that is having a moderate effect on Client business processes. Client’s service is being affected, but not to the degree that the Client cannot continue normal business operations. Includes incidents or situations such as compliance issues, identity management, access issues, or cloud infrastructure issues.	1 Business Day
4 – Low	General Inquiry: A service request has occurred that is having minimal or no immediate effect on client business processes. Includes inquiries such as product feedback, billing questions, and sales-related questions.	2 Business Days

ClearDATA will use reasonable commercial efforts to respond to your support requests 24x7x365.

4.2 SLA Managed Services Response Time & Credits

The Managed Services response time SLA is a policy governing ClearDATA’s initial response time.  ClearDATA will meet SLAs, at an aggregate level, in any given month 95% of the time.

Subject to the Service Exceptions (as defined in Section 4.3), ClearDATA will use commercially reasonable efforts to meet the Managed Services SLAs during any monthly billing cycle. In the event ClearDATA does not meet the SLA, Customer may be eligible to receive a Service Credit. “Service Credit” means (i) a credit of 10% of the recurring monthly ClearDATA Managed Services fees (as defined in Section 4.1 (Table 1)) for the specific Workload for the month in which the service fault was recognized.

Service Credits (i) will not entitle Customer to any refund or other form of compensation from ClearDATA, (ii) may not be transferred or applied to any other account, (iii) will be issued as a credit against future invoices for ClearDATA Managed Services fees. Service Credits are ClearDATA’s sole and exclusive liability and the Customer’s sole and exclusive remedy for any failure by ClearDATA to reasonably satisfy the SLA.

4.3 Credits (Exclusions and Limitations)

The following restrictions apply notwithstanding anything above to the contrary.

• Cumulative Dollar Amount. The maximum total aggregate credit for any calendar month under this SLA shall not exceed 10% of the customer’s monthly ClearDATA Managed Services Fees for the affected cloud environment. Credits that would be available but for this limitation will not be carried forward to future months or applied to other Services.
• Maintenance. Downtime, outages, or other service level failures resulting from Maintenance are not included in the measure of response times. “Maintenance” means:
  • Public Cloud Provider maintenance.
  • ClearDATA scheduled maintenance that is announced at least five (5) business days in advance.
  • Customer-requested maintenance of the configuration that ClearDATA schedules in advance (either on a case-by-case basis, or based on standing instructions), such as manual patching, automated patching, or other similar event upgrades; or
  • Critical unforeseen maintenance needed for security or performance, including emergency patching.

• Extraordinary Events. The customer is not entitled to a credit for downtime or outages resulting from force majeure events.
• Your Breach of the Agreement. Customer is not entitled to a credit if it is in breach of its CCSA (including your payment obligations to ClearDATA) at the time of the occurrence of the event giving rise to the credit. Customer is not entitled to a credit if the event giving rise to the credit would not have occurred, but for Customer’s breach of the CCSA.
• Disabling or Removing of Monitoring, Compliance, or Security Services, Interference with Services. The customer must notify ClearDATA in advance if the customer plans to disable, block, or remove any monitoring, compliance, or security element of the customer’s service(s). ClearDATA will not issue the customer credit for events that occur on Services that you have modified without our consent.
• Unsupported Services. You are not entitled to a credit if the event giving rise to the credit would not have occurred but for the use of an Unsupported Service.
• Logical Access. The SLA is contingent on ClearDATA having full logical access to your configuration. No credit will be due if the credit would not have accrued but for your restriction of our logical access to your configuration.
• Measurement of Time Periods. To determine whether a credit is due, time periods will be measured from the time stamp generated by our ticket system, or the time an interruption is recorded in our monitoring system, as applicable. You may open a support ticket to document the start time for a support request or other incident, through the ClearDATA customer portal at https://cyberhealth.cleardata.com You must request a credit in writing no later than seven (7) days following the occurrence of the event giving rise to the credit. We will contact you within thirty days to approve or reject the claim or to request more information. If the claim is approved, the credit will appear on your monthly invoice following approval.
• Credits are Sole and Exclusive Remedy. The credit remedies provided in this SLA are your sole and exclusive remedy for damages arising from ClearDATA violation of a service level for which credit is provided.

 

 

© ClearDATA Networks, Inc. 2023

Revision Date June 2023