ClearDATA Managed Health Cloud for Testing and Development Workloads

Service Description

1. ClearDATA Managed Health Cloud for Testing and Development Workloads

For customers requiring Managed Services along with their ClearDATA CyberHealth™ Platform subscription, ClearDATA has provided the following service description for Managed Services for Workloads for testing and development purposes and that do not transmit, process, or store Protected Health Information as defined by HIPAA (“Test/Dev”) (“Test/Dev Workloads”):

Workload means a collection and configuration of customer resources, services, and code that is required for discretely enabling the execution of an application or technology process.

PHI versus Test/Dev Workload(s) Service Descriptions

ClearDATA maintains different service descriptions for Workloads storing, transmitting or processing PHI versus Test/Dev Workloads which are not authorized to store, transmit or process PHI. A customer may have both types of Workloads. Each Workload is governed by its own agreement and Service Descriptions.

Customers may not transmit, process, or store PHI in a Test/Dev workload environment.

This Test/Dev Workload Service Description has three components:

  • Shared Responsibility Model: ClearDATA has developed a shared responsibility model that defines ClearDATA and customer responsibilities for infrastructure and application management.
  • Security Exceptions: Approval process for Public Cloud Provider Services or process that ClearDATA does not support as part of regular operations.
  • Service Level Agreements (SLAs): Response times adhered to by ClearDATA in support of cloud infrastructure & customer service requests.

1.1 ClearDATA Shared Responsibility Model

The ClearDATA Shared Responsibility Model defines Customer’s and ClearDATA’s responsibilities via two components:

1.2 Responsibilities

1.2.1 Required Shared Responsibility Participation

All customers participate in the ClearDATA Shared Responsibility Model by:

  • Adhering to the RACI.
  • Adhering to the Compliance Reference Architecture guidance for each cloud provider service.
  • Assisting ClearDATA in activities as reasonably requested. Examples include data restoration and backup, TLS/SSL certificate management and availability monitoring.
  • Being responsible for anything not specifically listed as a ClearDATA responsibility in the RACI (e.g., application development, application migration, data migration, application maintenance, security incident forensics, etc.)

1.2.2 Encryption at Rest and Encryption in Motion

This section applies to customers with environments containing PHI:

  • Responsibilities.
    • At Rest. ClearDATA will encrypt data at rest unless otherwise provided in the relevant RACI.
    • In Motion. Customer responsibility for encryption of data in motion is defined in the technical Compliance Reference Architecture for each cloud service as listed in the links found in Section 1.1, “Shared Responsibility Model.”
  • Exceptions. Customer and ClearDATA may agree to a limited exception to the encryption requirements in this Section only in a written document signed by the ClearDATA Chief Privacy and Security Officer or designee. ClearDATA is not required to agree to an exception request and may impose conditions on any agreed upon exception.
    • Additional information is found in the Service Exceptions section on this page in Section 1.3.
  • ClearDATA Remediation. If the customer fails to remediate a violation of this section within a reasonable time following notice, ClearDATA may take steps to protect the data. Steps may include encrypting data, deleting data from the production environment, or suspending normal access to the cloud environment.

1.2.3 Customer-Provided Cloud Environment

ClearDATA Managed Health Cloud customers rely on ClearDATA to perform actions within the cloud environment on their behalf. When the customer has contracted with the cloud provider directly, the customer agrees with the following:

  • Represent they have the necessary rights to the cloud environment to allow ClearDATA to provide the requested services
  • Ensure that ClearDATA has access to the account(s) as necessary to provide Managed Services and Software Support and to accurately invoice customer for Software and Services provided.

1.3 Security Exceptions

1.3.1 Automated Safeguard Exclusion Request

Customers may have cloud configurations that require access to cloud resource(s) that are not otherwise supported by ClearDATA. If the resource(s) does not transmit, process or store PHI and no documented compensating control for a ClearDATA CyberHealth™ Platform automated safeguard exists, ClearDATA managed service customers can request that the resource(s) be excluded from CyberHealth™ Platform Automated Safeguards remediation by submitting a request for technical assistance via the ClearDATA customer portal (https://cyberhealth.cleardata.com/).

Examples of excluded resources include:

  • An object store (e.g., AWS S3 bucket) that contains static marketing material or images for a public web site and therefore needs to be public.
  • A virtual machine, database or instance that is stateless and therefore does not store data requiring back up.

1.3.2 Security Exception

Customers may request an “exception” to the ClearDATA defined compliance configurations. If a security exception is required, the customer must accept all liability associated with the service to which the security exception applies.

When the need for an “exception” is identified, the customer can ask for a security exception by submitting a request via the ClearDATA customer portal at https://cyberhealth.cleardata.com/.

2. Safeguards

Customer is responsible for ensuring Public Cloud Provider Services never transmit, process, or store PHI.

If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA through the customer portal at https://cyberhealth.cleardata.com/.

2.1 Public Cloud Provider Services with Automated Safeguards

Customers can see the current list of Services with Automated Safeguards, including, documentation details in the Compliance Reference Architecture for each cloud service (link in Section 1.1 above).

These services are made available for self-service use and are also available for configuration by a ClearDATA engineer during the onboarding process or by engaging ClearDATA Managed Services.

Note that some safeguards may not be available with ClearDATA CyberHealth™ Platform without subscribing to Managed Services as further detailed in the relevant ClearDATA Compliance Reference Architecture at (link in Section 1.1 above).

2.2 Public Cloud Provider Services with Manual Safeguards

ClearDATA does not have Automated Safeguards available for all Public Cloud Provider Services. A Public Cloud Provider Service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure a Public Cloud Provider Service according to ClearDATA implementation of the regulatory standards and certifications before a customer can utilize the Public Cloud Provider Service.

ClearDATA engineers follow ClearDATA Compliance Reference Architecture and utilize purpose-built tooling to apply ClearDATA HITRUST-certified policies and procedures on top of cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. ClearDATA Compliance Reference Architecture outlines compliance responsibilities for ClearDATA, our customer, and the cloud provider.

These services are made available for self-service use in a subscription without Managed Services and are made available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA Managed Services.

2.3 Public Cloud Provider Services Without Automated Safeguards or Manual Safeguards

Some Public Cloud Provider Services have neither Automated Safeguards nor Manual Safeguards available. Certain services are basic in practice and can be used in accordance with the guidelines by the Public Cloud Provider or ClearDATA Compliance Reference Architecture. ClearDATA Compliance Reference Architecture outlines the appropriate use of these services that apply ClearDATA HITRUST-certified policies and procedures to help ensure our customers are consuming the services in a recommended manner. ClearDATA Compliance Reference Architecture guidance can be found at the links provided in Section 1.1 above.

If a Public Cloud Provider Service does not have a Compliance Reference Architecture published, please contact ClearDATA through the ClearDATA customer portal at https://cyberhealth.cleardata.com/.

3. Service Level Agreements (SLAs)

3.1 Service Level Agreements (SLAs)

Following are SLAs ClearDATA follows for Technical Support & Cloud Infrastructure (detailed by the Public Cloud Provider).

3.1.1 Technical Support

Customers may request product, compliance, and technical support by opening a support case on the ClearDATA customer portal: https://cyberhealth.cleardata.com

Severity levels, definitions and response times:

Severity Level: 1 – Urgent
Definition: Production Down: An incident or situation has occurred that is causing a total, critical service outage to client-facing cloud services. Client business operations cannot continue or are severely compromised. The incident affects critical path processing, and there is no workaround available. Includes suspected security events such as a software or operating system vulnerability; suspicious cloud, network, or host activity; a compromised workload or service; key or credential exposure; or performance degradation or outages caused by security tools.
Response Time: 1 Business Day

Severity Level: 2 – High
Definition: Production Impaired: An incident or situation has occurred that is having a significant effect on the client’s ability to conduct primary business operations. Client business operations may be or are at a risk of being compromised. The incident may affect critical path processing, and an effective work-around may be available. Includes incidents or situations such as loss of redundancy, loss of access, or heightened resource utilization.
Response Time: 1 Business Day

Severity Level: 3 – Medium
Definition: Non-Production Down: An incident or situation has occurred that is causing a total, critical service outage to client-facing cloud services. Client business operations cannot continue or are severely compromised. The incident affects critical path processing, and there is no workaround available.
Response Time: 1 Business Day

Severity Level: 4 – Low
Definition: General Inquiry: A service request has occurred that is having minimal or no immediate effect on client business processes. Includes inquiries such as product feedback, billing questions, and sales-related questions.
Response Time: 2 Business Days

ClearDATA will use reasonable commercial efforts to respond to your support requests 24x7x365.

3.2 SLA Managed Health Cloud for Test/Dev Workloads Response Time & Credits

The Managed Health Cloud for Test/Dev Workloads response time SLA is a policy governing ClearDATA’s initial response time. ClearDATA will meet SLAs, at an aggregate level, in any given month 95% of the time.

Subject to the Service Exceptions (as defined in Section 3.3), ClearDATA will use commercially reasonable efforts to meet the Managed Health Cloud for Test/Dev Workloads SLAs during any monthly billing cycle. In the event ClearDATA does not meet the SLA, Customer may be eligible to receive a Service Credit. “Service Credit” means (i) a credit of up to 10% of the recurring monthly ClearDATA Managed Health Cloud for Test/Dev Workloads fees for the specific Workload for the month in which the service fault was recognized.

Service Credits (i) will not entitle Customer to any refund or other form of compensation from ClearDATA, (ii) may not be transferred or applied to any other account or Workload, (iii) will be issued as a credit against future invoices for the affected Workload. Service Credits are ClearDATA’s sole and exclusive liability and the Customer’s sole and exclusive remedy for any failure by ClearDATA to reasonably satisfy the SLA.

3.3 Credits (Exclusions and Limitations)

The following restrictions apply notwithstanding anything above to the contrary.

3.3.1 Cumulative Dollar Amount. The maximum total aggregate credit for any calendar month under this SLA shall not exceed 10% of the customer’s monthly ClearDATA Managed Health Cloud for Test/Dev Workloads Fees for the affected Workload. Credits that would be available but for this limitation will not be carried forward to future months or applied to other Services.

3.3.2 Maintenance. Downtime, outages, or other service level failures resulting from Maintenance are not included in the measure of unavailability or response times. “Maintenance” means:

i. Public Cloud Provider maintenance.

ii. ClearDATA scheduled maintenance that is announced at least five (5) business days in advance.

iii. Customer-requested maintenance of the configuration that ClearDATA schedules in advance (either on a case-by-case basis, or based on standing instructions), such as manual patching, automated patching, or other similar event upgrades; or

iv. Critical unforeseen maintenance needed for security or performance, including emergency patching.

3.3.3 Capacity. The customer is not entitled to a credit for unavailability resulting from capacity restraints inherent in the Public Cloud Provider services you have elected to purchase. ClearDATA will provide the ability to add capacity as agreed in the SOW.

3.3.4 Extraordinary Events. The customer is not entitled to a credit for downtime or outages resulting from force majeure events.

3.3.5 Your Breach of the Agreement. Customer is not entitled to a credit if it is in breach of its CCSA (including your payment obligations to ClearDATA) at the time of the occurrence of the event giving rise to the credit. Customer is not entitled to a credit if the event giving rise to the credit would not have occurred, but for Customer’s breach of the CCSA.

3.3.6 Disabling or Removing of Monitoring, Compliance, or Security Services, Interference with Services. The customer must notify ClearDATA in advance if the customer plans to disable, block, or remove any monitoring, compliance, or security element of the customer’s service(s). ClearDATA will not issue the customer credit for events that occur on Services that you have modified without our consent.

3.3.7 Unsupported Services. You are not entitled to a credit if the event giving rise to the credit would not have occurred but for the use of an Unsupported Service.

3.3.8 Logical Access. The SLA is contingent on ClearDATA having full logical access to your configuration. No credit will be due if the credit would not have accrued but for your restriction of our logical access to your configuration.

3.3.9 Measurement of Time Periods. To determine whether a credit is due, time periods will be measured from the time stamp generated by our ticket system, or the time an interruption is recorded in our monitoring system, as applicable. You may open a support ticket to document the start time for a support request or other incident, through the ClearDATA customer portal at https://cyberhealth.cleardata.com.

Requests. You must request a credit in writing no later than seven (7) days following the occurrence of the event giving rise to the credit. We will contact you within thirty days to approve or reject the claim or to request more information. If the claim is approved, the credit will appear on your monthly invoice following approval.

4. Offboarding or transition of accounts

If offboarding or transition is required, we can work with you to transition your account to a direct relationship with your current Cloud Provider. You would retain access to all your current Cloud Provider resources, but would lose access to ClearDATA’s proprietary tooling and all Managed Services expertise.