Data Management Policy

2025.04.16

This policy outlines the requirements and controls/procedures ClearHealth has implemented to manage the end-to-end data lifecycle, from data creation/acquisition to retention and deletion.

Additionally, this policy outlines requirements and procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI), PII, and other critical customer/business data.

Data backup is an important part of the day-to-day operations of ClearHealth. To protect the confidentiality, integrity, and availability of sensitive and critical data, both for ClearHealth and ClearHealth customers, complete backups are done daily to assure that data remains available when it is needed and in case of a disaster.

Policy Statements

ClearHealth policy requires that:

(a) Data should be classified at the time of creation or acquisition according to the ClearHealth data classification model, by labeling or tagging the data.

(b) Maintain an up-to-date inventory and data flows mapping of all critical data.

(c) All business data should be stored or replicated to a company controlled repository, including data on end-user computing systems.

(d) Data must be backed up according to its level defined in ClearHealth data classification.

(e) Data backup must be validated for integrity.

(f) Data retention period must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically:

• Data and records belonging to ClearHealth platform customers must be retained per ClearHealth product terms and conditions and/or specific contractual agreements.

(g) By default, all security documentation and audit trails are kept for a minimum of seven years, unless otherwise specified by ClearHealth data classification, specific regulations or contractual agreement.