1. ClearDATA Managed Services
For customers requiring managed services along with their ClearDATA Comply software subscription, ClearDATA has defined separate healthcare-specific shared responsibility model and a managed service plan for regulated and non-regulated environments.
Differences between Regulated and Non-Regulated Environments
ClearDATA manages both regulated and non-regulated environments for its customers. A non-regulated environment is defined as one that does not transmit, process or store PHI/PII. Because of this, non-regulated environments do not have restrictions on use.
ClearDATA maintains separate service descriptions for regulated environments and non-regulated environments. A customer may have both regulated and non-regulated environments. Each environment is bound by the contractual agreement put in place during purchase. Customers agree that they will not place PHI inside a non-regulated environment.
1.1 Healthcare-Specific Shared Responsibility Model
ClearDATA has developed a shared responsibility model that defines ClearDATA and customer responsibilities from an infrastructure and application perspective. Utilizing this shared responsibility model and ClearDATA’s HITRUST-certified processes and controls, customers can focus on building their applications while knowing the underlying operating systems, infrastructure and eligible cloud services are installed, configured, and maintained at the appropriate level of security and compliance for their environment.
The ClearDATA responsibility matrix, also known as the RACI, captures the details of customer responsibilities and ClearDATA responsibilities. ClearDATA manages a single RACI for all managed services and a single RACI for each service covered by a ClearDATA Comply safeguard (a dedicated RACI for each supported cloud service).
- Managed Service RACI information is located at https://docs.cleardata.com under “ClearDATA Managed Services”.
- Comply service RACI information is located at https://docs.cleardata.com under “Compliance Reference Architecture” on a per-cloud, per-service basis.
1.2 Customer Responsibilities
1.2.1 Shared Responsibility Model Participation
All customers will participate in the ClearDATA shared responsibility model:
- By adhering to the responsibility matrix (RACI) for each cloud service as documented in the ClearDATA Technical RACI.
- By adhering to the responsibility matrix (RACI) for managed service activities.
Customers with environments containing protected health information (PHI) also participate:
- By ensuring protected health information (PHI) or sensitive data is processed, transmitted and stored within certain cloud services (these services are identified as suitable to transmit, process or store PHI/PII and referenced in this document as “Covered Services) in accordance with the relevant ClearDATA Compliance Reference Architecture, including configuring encryption in motion when applicable
- By ensuring PHI or sensitive data is not processed, transmitted or stored in non-Covered Services
In addition, all Customers will:
- Assist ClearDATA in activities as appropriate. Examples of these activities include data restoration and backup, TLS/SSL certificate management and availability monitoring.
- Be responsible for anything not specifically listed as ClearDATA responsibility (e.g., application development, application migration, data migration, application maintenance, security incident forensics, etc.)
1.2.2 Encryption at Rest and Encryption in Motion
This section applies to customers with environments containing protected health information (PHI):
- Responsibilities. Unless ClearDATA has signed a written exception as described in Section 3.6.2, customer’s PHI Data, as defined in HIPAA, to the extent permitted under the Agreement, must be encrypted at all times while at rest and in motion within the cloud environment.
- At Rest. ClearDATA will encrypt data at rest unless otherwise provided in the relevant RACI or if the relevant Public Cloud Provider Service is not a Covered Service.
- In Motion. Customer responsibility for encryption of data in motion is defined in the technical RACI for each service (found at https://docs.cleardata.com under “Compliance Reference Documentation”), where applicable.
- Exceptions. Customer and ClearDATA may agree to a limited exception to the encryption requirements in this Section only in a written document signed by the ClearDATA Chief Privacy and Security Officer or designee. ClearDATA is not required to agree to an exception request and may impose conditions on any agreed upon exception. Even when approved, Services used to process unencrypted PHI are “Unsupported Services,” as defined in the ClearDATA Cloud Computing Service Agreement (CCSA) located at http://cleardata.local/legal/.
- Additional information is found in the Service Exceptions section on this page.
- ClearDATA Remediation. If customer fails to remediate a violation of this section within a reasonable time following notice, ClearDATA may take steps to protect the data. Steps may include encrypting data, deleting data from the production environment, or suspending normal access to the cloud environment.
1.2.3 Customer-Provided Cloud Environment
ClearDATA managed services customers rely on ClearDATA to perform actions within the cloud environment on their behalf. When the customer has contracted with the cloud provider directly, the customer agrees with the following:
- Represent and warrant they have the necessary rights to the cloud environment to allow ClearDATA to provide the requested services
- Ensure that ClearDATA has access to the account(s)
Customers with environments containing protected health information (PHI):
- Ensure that login access is restricted so that no user logs in as the account owner or as any user having privileges that allow bypassing ClearDATA Automated Safeguards
- Assist ClearDATA with cloud service provider escalations required to maintain compliance on the environment
- ClearDATA response time for service issues will depend on Cloud support contract procured by customer
- If customer is not available for an escalation, customer is responsible for resulting compliance drift
- Environments that are in violation of this section will result in a reclassification of the cloud environment as Unsupported as defined in the CCSA until the violation is remediated as determined by ClearDATA in its sole and reasonable discretion.
1.3 Managed Service Plan – Regulated Environments
The services within the ClearDATA managed service plan provide value on top of ClearDATA software. ClearDATA managed services are delivered in discrete categories as described in the managed service RACI found at https://docs.cleardata.com under “ClearDATA Managed Services”.
Customers must refer to their order agreement to view the service categories that apply to their environment.
Customers of ClearDATA security and compliance services may also obtain the ClearDATA Business Associate Agreement (BAA).
1.4 Retained Service Hours
As part of their contracts, customers can include a monthly number of service hours for tasks outside of the RACI. The hours are considered retained service hours and do not accrue or roll-over month-to-month.
1.4.1 Typical Use Cases and Applicability
Retained service hours can be used for tasks outside of the RACI, such as
- Networking
- g., cloud-native site-to-site VPN configuration, route table optimization, DNS configuration
- Cloud configuration
- g., configure a supported cloud service that is available for self-service
- DevOps automation guidance
- g., assist in tuning a deployment template to ensure resources are deployed in a healthcare-compliant manner
- Backup restoration assistance
- Advanced security event analysis
Retained service hours are not a substitute for ClearDATA professional services and cannot be used for project-oriented tasks that have specific time constraints. Examples of professional service activities are:
- Data or application migration
- DevOps automation
- Cloud standards and policy development
ClearDATA Professional Services will engage with the customer to assess objectives, scope, schedule, and budget prior to conducting a project. Access to professional services can be obtained through the ClearDATA Customer Success Manager or ClearDATA Account Executive.
1.4.2 Additional Service Hours
A contract amendment can increase the number of retained service hours available for the duration of the contract with 15 days’ notice, to take effect at the next regular billing cycle.
1.4.3 After-hour surcharge
Work required to be performed outside of normal business hours as defined in the Service Level Agreement is subject to an “after-hours” rate surcharge.
1.5 Service Exceptions
This section applies to customers with environments containing protected health information (PHI):
1.5.1 Compliance Exclusion Request
Customers may have cloud configurations that require access to cloud resource(s) that do not otherwise qualify for use in accordance with the ClearDATA compliance requirements.
If the resource(s) does not transmit, process or store PHI or no documented compensating control for an ClearDATA Comply automated safeguard exists, ClearDATA managed service customers can ask that the resource(s) be excluded from Comply Automated Safeguards remediation by submitting a request for technical assistance via the ClearDATA customer portal (https://foundation.cleardata.com).
Examples of excluded resources include:
- An object store (e.g., AWS S3 bucket) that contains static marketing material or images for a public web site and therefore needs to be public
- A virtual machine, database or instance that is stateless and therefore does not store data requiring back up
1.5.2 Security Exception Request
Customers may require an “exception” to the ClearDATA defined compliance configurations. This is a rare occurrence. If a security exception is required, the customer must acknowledge accepting all liability associated with the security exception.
ClearDATA defines a security exception as an approved agreement between customer and ClearDATA assigning the customer responsibility and liability for the use of a non-supported service.
When such an “exception” is identified, the customer can ask for a security exception by submitting a request via the ClearDATA customer portal (https://foundation.cleardata.com).
1.5.3 Encryption Exception Request
Customers may have an extenuating circumstance regarding encrypting data at rest or in motion that requires the development of an encryption exception request.
The customer and ClearDATA may agree to a limited exception to the encryption requirements only in a written document signed by the ClearDATA Chief Privacy and Security Officer or designee. ClearDATA is not required to agree to an exception request and may impose conditions on any agreed upon exception. Even when approved, Services used to process unencrypted PHI are “Unsupported Services,” as defined in the CCSA (http://cleardata.local/legal/).
1.6 Service Level Agreements
ClearDATA managed services and software support follow the response times and other commitments as described in the Service Level Agreements, Service Descriptions and applicable RACI.
1.6.1 Cloud Infrastructure
ClearDATA does not independently guarantee the performance of the Cloud Infrastructure but agrees that if the Cloud Infrastructure provider issues a service credit to ClearDATA under a Service Level Agreement applicable to customer’s Services, ClearDATA will pass the credit through to the customer, to the extent any are available, when ClearDATA is providing the cloud environment. As of the Effective Date, the applicable Cloud Infrastructure provider SLA’s may be found at:
AWS: https://aws.amazon.com/legal/service-level-agreements/
Azure: https://azure.microsoft.com/en-us/support/legal/sla/
GCP: https://cloud.google.com/compute/sla
To receive a pass-through credit collected from the Could Infrastructure provider the customer must request a credit from ClearDATA at least five (5) business days before the deadline for ClearDATA to request a credit from the Cloud Infrastructure provider under the corresponding Public Cloud Provider SLA. ClearDATA will use reasonable commercial efforts to obtain the requested credit from the Cloud Infrastructure provider but has no obligation to pursue legal remedies against Cloud Infrastructure provider for its failure to issue a credit as described in its SLA.
1.6.2 Exclusions and Limitations on Credits
The following restrictions apply notwithstanding anything above to the contrary.
- Cumulative Dollar Amount. The maximum total aggregate credit for any calendar month under this SLA shall not exceed 100% of the customer’s monthly ClearDATA fees for the affected Cloud Environment. Credits that would be available but for this limitation will not be carried forward to future months or applied to other Services.
- Downtime, outages or other service level failures resulting from Maintenance are not included in the measure of unavailability or response times. “Maintenance” means:
- Cloud Infrastructure provider maintenance as defined in the SLAs;
- ClearDATA software scheduled maintenance that is announced at least five (5) business days in advance;
- Customer-requested maintenance of the configuration that ClearDATA schedules in advance (either on a case-by-case basis, or based on standing instructions), such as manual patching, automated patching or other similar event upgrades; or
- Critical unforeseen maintenance needed for security or performance, including emergency patching.
- The customer is not entitled to a credit for unavailability resulting from capacity restraints inherent in the Services you have elected to purchase. ClearDATA will provide the ability to add capacity as agreed in the Order.
- Extraordinary Events. The customer is not entitled to a credit for downtime or outages resulting from force majeure events.
- Your Breach of the Agreement. The customer is not entitled to a credit if the customer is in breach of your cloud services agreement (including your payment obligations to ClearDATA) at the time of the occurrence of the event giving rise to the credit. The customer is not entitled to a credit if the event giving rise to the credit would not have occurred but for the customer’s breach of the cloud services agreement.
- Disabling or Removing of Monitoring, Compliance, or Security Services, Interference with Services. The customer must notify ClearDATA in advance if the customer plans to disable, block, or remove any monitoring, compliance, or security element of the customer’s service(s). ClearDATA will not issue the customer credit for events that occur on services that you have modified without our consent.
- Unsupported Services. You are not entitled to a credit if the event giving rise to the credit would not have occurred but for the use of an “Unsupported” service element as defined in the services agreement between the customer and ClearDATA.
- Logical Access. The SLA is contingent on ClearDATA having full logical access to your configuration. No credit will be due if the credit would not have accrued but for your restriction of our logical access to your configuration.
- Measurement of Time Periods. For the purpose of determining whether a credit is due, time periods will be measured from the time stamp generated by our ticket system, or the time an interruption is recorded in our monitoring system, as applicable. You may open a support ticket to document the start time for a support request or other incident, through the ClearDATA customer portal (https://foundation.cleardata.com).
- You must request a credit in writing no later than seven (7) days following the occurrence of the event giving rise to the credit. We will contact you within thirty days to approve or reject the claim or to request more information. If the claim is approved, the credit will appear on your monthly invoice following approval.
- Credits are Sole and Exclusive Remedy. The credit remedies provided in this SLA are your sole and exclusive remedy for damages arising from ClearDATA violation of a service level for which credit is provided.
2. Supported Cloud Services
This section applies to customers with environments containing protected health information (PHI).
ClearDATA has determined that certain cloud services are suitable to transmit, process or store PHI/PII (“Covered Services”). ClearDATA has also determined certain services are supportable by ClearDATA (“Supported Services”). These services are permitted to be used by our customers as further detailed below.
2.1 Covered Services
To facilitate architecture and delivery of solutions that can transmit, process, or store PHI/PII, the supported cloud providers have developed a set of rules that ClearDATA integrates and augments in solutions covered by our BAA. In addition to requiring that PHI/PII is always encrypted when at rest or in transit, our supported clouds have a subset of services that are eligible to transmit, process or store PHI/PII. These services are known as the Covered Services.
The current list of Covered Services can be viewed at https://docs.cleardata.com. As described below, these services can further be broken down into Covered Services with Automated Safeguards, Covered Services with Manual Safeguards, and Covered Services that are eligible to transmit, process or store PHI/PII without Automated Safeguards or Manual Safeguards.
2.1.1 Covered Services with Automated Safeguards
ClearDATA Automated Safeguards provide automated remediation technology to allow a healthcare customer to use native public cloud tooling to develop their application while helping maintain compliance against GDPR, HIPAA, ISO 27001, NIST SP-800, and other regulatory standards and certifications.
ClearDATA Automated Safeguards interrogate and automatically remediate newly created or updated non-compliant resources for Covered Services in accordance with the ClearDATA documentation at https://docs.cleardata.com.
ClearDATA expands Automated Safeguards for additional cloud provider services over time. Customers can see current Covered Services with Automated Safeguards, including documentation details and a responsibility matrix for each service, at https://docs.cleardata.com. These services are available for self-service use. These services are also available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA managed services. Some Automated Safeguards may not be available without subscribing to managed services as further detailed in the ClearDATA Reference Architectures (found under “compliance documentations” on https://docs.cleardata.com).
2.1.2 Covered Services with Manual Safeguards
ClearDATA does not have Automated Safeguards available for all Covered Services. A covered service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure a covered service according to the ClearDATA implementation of the regulatory standards and certifications before a customer can utilize the covered service. ClearDATA engineers follow the ClearDATA Compliance Reference Architecture and utilize purpose-built tooling to apply ClearDATA HITRUST-certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure customers consume services in a compliant manner. The ClearDATA Compliance Reference Architecture also provides a RACI that outlines compliance responsibilities for each of ClearDATA, the customer, and the cloud provider.
Documentation for ClearDATA Compliance Reference Architectures can be found online at https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA through the customer portal (https://foundation.cleardata.com).
In addition, many services are made available for self-service use. Details are provided in the ClearDATA managed services documentation available online (https://docs.cleardata.com).
2.1.3 Covered Services Without Automated Safeguards or Manual Safeguards
Some Covered Services have neither Automated Safeguards nor manual safeguards but due to their simple nature can be used by the customer in accordance with guidelines provided by the Cloud provider or within ClearDATA Compliance Reference Architecture. ClearDATA Compliance Reference Architecture outlines the compliant usage of these services that apply our HITRUST certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. ClearDATA Compliance Reference Architectures can be found https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA through the customer portal (https://foundation.cleardata.com).
These services are made available for self-service use with all support levels and are available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA managed services.
2.2 Non-Covered Services
Certain services are not eligible to transmit, process, or store PHI/PII. These services are known as the Non-Covered Services. The customer is responsible for ensuring Non-Covered Services never transmit, process, or store PHI/PII. The current list of Non-Covered Services can be viewed at https://docs.cleardata.com. As described more fully below, these services can further be broken down into Non-Covered Services with Automated Safeguards, Non-Covered Services with Manual Safeguards, and Non-Covered Services without Automated Safeguards or Manual Safeguards.
2.2.1 Non-Covered Services With Automated Safeguards
Customers can see the current list of Non-Covered Services with Automated Safeguards, including, documentation details and a responsibility matrix for each service, at https://docs.cleardata.com.
These services are made available for self-service use and are also available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA managed services.
Some safeguards may not be available with ClearDATA Comply without subscribing to managed services as further detailed in the relevant ClearDATA Compliance Reference Architecture. ClearDATA Compliance Reference Architectures can be found at https://docs.cleardata.com.
2.2.2 Non-Covered Services With Manual Safeguards
ClearDATA does not have Automated Safeguards available for all Non-Covered Services. A Non-covered service with Manual Safeguards (rather than Automated Safeguards) means that a ClearDATA engineer must enable and configure a Non-Covered Service according to ClearDATA implementation of the regulatory standards and certifications before a customer can utilize the covered service. ClearDATA engineers follow ClearDATA Compliance Reference Architecture and utilize purpose-built tooling to apply ClearDATA HITRUST-certified policies and procedures on top of cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. ClearDATA Compliance Reference Architecture also includes a responsibility matrix (RACI) that outlines compliance responsibilities for each of ClearDATA, our customer, and the cloud provider. This is known as a shared responsibility model to ensure compliance; where all customers that have control over PHI & PII take some responsibility in ensuring an overall compliant posture for our customers. Documentation of the ClearDATA Compliance Reference Architecture guidance can be found at https://docs.cleardata.com. If a particular service does not have a Compliance Reference Architecture published, please contact ClearDATA through the customer portal (https://foundation.cleardata.com).
These services are made available for self-service use in a subscription without managed services and are made available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA managed services.
2.2.3 Non-Covered Services Without Automated Safeguards or Manual Safeguards
Some non-Covered Services have neither Automated Safeguards nor Manual Safeguards available. Certain services are operationally basic in practice and can be used in accordance with the guidelines laid out in by the Cloud provider or ClearDATA Compliance Reference Architecture. ClearDATA Compliance Reference Architecture outlines the compliant usage of these services that apply ClearDATA HITRUST-certified policies and procedures on top of the cloud provider’s documented guidelines to help ensure our customers are consuming the services in a compliant manner. Documentation of the ClearDATA Compliance Reference Architecture guidance can be found at https://docs.cleardata.com. If a service does not have a Compliance Reference Architecture published, please contact ClearDATA through the ClearDATA customer portal (https://foundation.cleardata.com).
These services are made available for self-service use and are made available for configuration by a ClearDATA engineer during the onboarding process or using retained service hours with ClearDATA managed services.
3. Unsupported Services
This section applies to customers with environments containing protected health information (PHI).
ClearDATA has not determined whether certain services are covered or non-covered. It has also determined certain services are unsupported by ClearDATA. These services are not permitted to be used by our customers in any fashion. Any service not listed at https://docs.cleardata.com as Covered or Non-Covered is considered Unsupported and not eligible for use by customers.
Please contact ClearDATA through the customer portal to make a request that an Unsupported Service be Supported. Unsupported services are only available for self-service use in ClearDATA Comply subscriptions without managed services.
© ClearDATA Networks, Inc. 2021
Revision Date June 2021