Security
CCC is designed for healthcare workflows where confidentiality and integrity matter. This page summarizes safeguards we use to protect customer and patient data.
This is a high-level overview and may change as we improve controls. Customers may request additional documentation under NDA.
1) Identity & Access Management
- Authentication: Managed identity provider (e.g., AWS Cognito) with secure password policies and optional MFA.
- Role-based access: Least-privilege roles for platform admins, client admins, staff users, and patient-link access.
- Short-lived links/tokens: Patient upload access uses time-limited tokens; tokens are stored as hashes server-side.
- Session controls: Sessions and tokens expire and can be revoked, limiting the window in which a stolen token is usable.
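To make the "time-limited tokens stored as hashes" point concrete, here is an added example (not CCC's own code; the class, method names and the in-memory table are assumptions standing in for a database) of how patient-link tokens can be issued, checked and revoked so that a dump of the token table yields nothing a patient link could be rebuilt from:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TokenRecord:
    """What the server keeps per token: the request it grants, its expiry,
    and a revocation flag. The plaintext token is never stored."""
    request_id: str
    expires_at: float          # epoch seconds
    revoked: bool = False


def hash_token(token: str) -> str:
    # The token is 256 bits from a CSPRNG, so a plain unsalted SHA-256 is
    # enough: there is nothing to dictionary-attack and no need for salt or
    # stretching. A leaked table of hashes cannot be turned back into links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PatientLinkTokens:
    """In-memory stand-in (assumption) for the table of patient-link tokens."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, TokenRecord] = {}

    def issue(self, request_id: str, ttl_seconds: int,
              now: Optional[float] = None) -> str:
        """Create a token for one upload request. The plaintext is returned
        exactly once so it can be embedded in the patient link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # 32 random bytes -> 43 url-safe chars
        self._by_hash[hash_token(token)] = TokenRecord(request_id, now + ttl_seconds)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the request id the token grants access to, or None when the
        token is unknown, expired or revoked (the same answer in every case,
        so a caller cannot distinguish a guessed token from a dead one)."""
        now = time.time() if now is None else now
        record = self._by_hash.get(hash_token(token))
        if record is None:
            return None
        if record.revoked or now >= record.expires_at:
            return None
        return record.request_id

    def revoke(self, token: str) -> bool:
        """Invalidate a token before its expiry (e.g. request cancelled)."""
        record = self._by_hash.get(hash_token(token))
        if record is None:
            return False
        record.revoked = True
        return True

    def stored_values(self) -> List[str]:
        """Everything persisted server-side, for checking no plaintext is kept."""
        return list(self._by_hash)
```

Lookup is by the hash of the presented token, so the store never needs to compare plaintext values; combined with a short TTL and the revoke path, a token that leaks from a patient's mailbox or browser history is only useful for a bounded window and can be cut off earlier on request.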
2) Data Protection
- Encryption in transit: TLS for data sent between clients and our APIs.
- Encryption at rest: Encrypted storage for documents and databases (cloud-managed encryption where supported).
- Scoped storage keys: Uploads are segregated by tenant/request identifiers and protected by access policies.
- Presigned uploads: Direct-to-storage uploads using presigned POST policies with file size/type controls where feasible.
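The "scoped storage keys" and "presigned POST policies with file size/type controls" items describe one mechanism: the server writes a policy that pins the key prefix, content type and size range, the SDK signs it, and the storage service rejects any form that does not satisfy every condition. The following added example (not CCC's own code) builds a policy in the S3 POST-policy shape and evaluates a submitted form against it locally, mirroring the checks the storage service applies; the bucket name, the `tenants/<tenant>/requests/<request>/` key layout, the allowed types and the 20 MB limit are assumptions for illustration:

```python
import calendar
import time
from typing import Any, Dict, Optional

BUCKET = "ccc-patient-uploads"                    # assumed bucket name
ALLOWED_TYPES = ("application/pdf", "image/jpeg", "image/png")   # assumed allowlist
MAX_UPLOAD_BYTES = 20 * 1024 * 1024               # assumed limit
ISO = "%Y-%m-%dT%H:%M:%SZ"                        # S3 policy expiration format


def upload_prefix(tenant_id: str, request_id: str) -> str:
    # Every object lands under the tenant and request it belongs to (assumed layout).
    return f"tenants/{tenant_id}/requests/{request_id}/"


def build_upload_policy(tenant_id: str, request_id: str, content_type: str,
                        ttl_seconds: int = 600,
                        now: Optional[float] = None) -> Dict[str, Any]:
    """Policy document in the S3 POST-policy shape. In production the
    'conditions' list is what you hand to the SDK's presigned-POST call;
    the SDK signs it and the storage service enforces it on every upload."""
    if content_type not in ALLOWED_TYPES:
        raise ValueError(f"content type not allowed: {content_type}")
    now = time.time() if now is None else now
    return {
        "expiration": time.strftime(ISO, time.gmtime(now + ttl_seconds)),
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", upload_prefix(tenant_id, request_id)],
            {"Content-Type": content_type},
            ["content-length-range", 1, MAX_UPLOAD_BYTES],
        ],
    }


def check_form(policy: Dict[str, Any], form: Dict[str, str], content_length: int,
               now: Optional[float] = None) -> Optional[str]:
    """Evaluate a submitted upload form the way the storage service would.
    Returns None when the upload is acceptable, otherwise the reason."""
    now = time.time() if now is None else now
    expires = calendar.timegm(time.strptime(policy["expiration"], ISO))
    if now >= expires:
        return "policy expired"
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                # exact-match form: {"field": value}
            (name, expected), = cond.items()
            if form.get(name) != expected:
                return f"{name} must be {expected!r}"
            continue
        op, *args = cond
        if op == "content-length-range":
            low, high = args
            if not low <= content_length <= high:
                return f"size {content_length} outside {low}-{high}"
        elif op in ("eq", "starts-with"):
            name, value = args[0].lstrip("$"), args[1]
            actual = str(form.get(name, ""))
            ok = actual == value if op == "eq" else actual.startswith(value)
            if not ok:
                return f"{name} failed {op} {value!r}"
        else:
            return f"unsupported condition {op!r}"  # fail closed on anything unknown
    return None
```

The policy is generated per request, so a patient who holds one presigned form can only write under their own request prefix, only with the declared content type, and only within the size range; a form that changes the key to another tenant's prefix, swaps the type to `text/html`, or exceeds the limit is rejected before any byte is stored.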
3) Application Security
- Input validation: Validation and allowlists for document types, content types, and workflow transitions.
- Rate limiting: Throttling and abuse protection for public endpoints (especially token exchange/upload flows).
- Secure defaults: Minimal exposure of identifiers; no sensitive data in URLs beyond what’s required for routing.
- Dependency hygiene: Regular patching and vulnerability review for dependencies and base images.
4) Logging, Monitoring & Audit
- Audit logs: Track security-relevant events (logins, token exchanges, access attempts, workflow state changes).
- Monitoring: Alerts for anomalies (spikes, repeated failures, suspicious IP patterns).
- Traceability: Request IDs / trace IDs for incident investigation and support debugging.
5) Data Minimization & Retention
- Minimization: Collect only what’s needed for pre-visit readiness workflows.
- Retention controls: Customers can define retention policies; where the storage layer supports it, we apply lifecycle rules that delete data automatically once the retention period ends.
- Backups: Regular backups and tested restore procedures (scope and frequency may vary by environment).
6) Incident Response
- Response process: Triage, containment, remediation, and post-incident review.
- Customer notification: We notify impacted Customers consistent with contractual and legal requirements.
7) Compliance
CCC supports HIPAA-aligned workflows for Customers and can enter into a Business Associate Agreement (BAA) where required. Customers remain responsible for their own compliance obligations and configurations.
8) Reporting Security Issues
If you believe you’ve found a security vulnerability, please email security@clearcovercheck.com with details and reproduction steps.
Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.