Trust & Security
Enterprise-grade security by design.
ClearStars is built from the ground up to meet the most demanding healthcare compliance and security requirements. Security is not a feature we added. It is the foundation everything else is built on.
Compliance
Certified and audited.
SOC 2 Type II
Independently audited annually across all five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Audit reports are available to clients and qualified prospects under NDA.
HIPAA Compliant
ClearStars operates as a HIPAA Business Associate with executed BAAs for all clients. We implement administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule and comply with all applicable Privacy Rule requirements.
HITRUST CSF
Our security program aligns with the HITRUST Common Security Framework, harmonizing requirements from HIPAA, NIST 800-53, ISO 27001, and other healthcare-specific standards into a unified control framework.
Architecture
Built for healthcare data.
Our infrastructure is designed to protect PHI at every layer, from network ingress to database storage to AI processing outputs.
Multi-Tenant Isolation
Row-Level Security (RLS) policies enforced at the database level ensure that each client's data is logically separated and inaccessible to other tenants. Role-Based Access Control (RBAC) provides granular permissions within each client environment.
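As an added illustration of database-level tenant isolation (this is example code, not ClearStars' own schema or policies): a PostgreSQL row-level security policy that separates tenants' rows. It assumes PostgreSQL, a patient_records table with a tenant_id column, an application role app_user, and a per-transaction setting app.tenant_id; all of those names are assumptions.

```sql
-- Added example (not ClearStars code): tenant isolation with PostgreSQL
-- row-level security. Assumes PostgreSQL, a table patient_records with a
-- tenant_id column, an application role app_user, and a per-transaction
-- setting app.tenant_id carrying the caller's tenant.

-- Least-privilege application role: no ownership, no BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;

CREATE TABLE patient_records (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    mrn        text NOT NULL,
    note       text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_records TO app_user;
GRANT USAGE, SELECT ON SEQUENCE patient_records_id_seq TO app_user;

-- Weak state: without RLS, every query through app_user sees every tenant:
--   SELECT * FROM patient_records;   -- all tenants' rows

-- Corrected state: enable RLS and FORCE it so the table owner is covered too
-- (only superusers and roles with BYPASSRLS are exempt).
ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_records FORCE ROW LEVEL SECURITY;

-- USING filters reads/updates/deletes; WITH CHECK guards inserted/updated rows
-- so a tenant cannot write rows tagged with another tenant's id.
-- NULLIF handles the empty string PostgreSQL returns for a setting that was
-- cleared; comparing against NULL matches no rows, so an unset tenant fails
-- closed rather than open.
CREATE POLICY tenant_isolation ON patient_records
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request use: SET LOCAL scopes the tenant to the transaction, so a
-- pooled connection does not carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, mrn FROM patient_records;   -- only this tenant's rows
COMMIT;
```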
Encryption Everywhere
All data in transit is protected with TLS 1.2 or higher. All data at rest is encrypted with AES-256. Database connections are encrypted, and all API communications use HTTPS exclusively. Encryption keys are managed through hardware security modules.
US-Only Azure Hosting
All data is hosted on Microsoft Azure infrastructure located exclusively within the United States. We do not transfer data to international data centers. Development, staging, and production environments are fully isolated from each other.
Tailscale VPN Access
Administrative access to production infrastructure is secured through Tailscale VPN with zero-trust networking principles. All administrative sessions are authenticated, authorized, and fully logged.
Access Controls
Zero-trust by default.
- ✓ Multi-factor authentication (MFA) required for all users
- ✓ Just-in-time privileged access with automatic expiration
- ✓ Background checks and HIPAA training for all personnel with PHI access
- ✓ Need-to-know access principle enforced at every system layer
- ✓ Regular access reviews and automated deprovisioning
- ✓ All US-based workforce with no international data access
- TLS 1.2+: in-transit encryption
- AES-256: at-rest encryption
- 7 yr: audit log retention
- 4: audit layers
Audit System
Four layers of immutable audit trails.
Every action, every access, every AI decision is logged, tamper-evident, and retained for a minimum of seven years.
- Layer 1, Infrastructure: Azure Activity Logs, network flow logs, and resource access monitoring
- Layer 2, Application: user actions, data access events, report generation, and feature usage tracking
- Layer 3, Database: query logs, schema changes, data modifications, and connection monitoring
- Layer 4, AI/ML: model inputs, outputs, decision rationale, version tracking, and reproducibility logs
Insurance
Backed by comprehensive coverage.
ClearStars maintains insurance coverage appropriate for a healthcare technology provider handling PHI. Certificates of insurance are available to clients upon request.
- $2M Professional Liability (Errors & Omissions)
- $2M Cyber Liability (breach response & regulatory)
Security questions? Let's talk.
Our security team is available to discuss our compliance posture, share audit reports under NDA, and answer your due diligence questions.