ClearBAA is purpose-built for law firms that handle Protected Health Information. We treat the data those firms entrust to us with the seriousness that mission requires. This statement explains what data we collect, what we do with it, where it lives, who else touches it, and what commitments we make about how we handle it.

01 Who This Statement Applies To

This Privacy Statement applies to information ClearBAA collects through:

It does not apply to third-party services, websites, or applications that may be linked from ClearBAA properties. Those services are governed by their own privacy notices.

02 Two Kinds of Data, Treated Differently

We separate the data we handle into two categories because the obligations attached to each are meaningfully different.

Customer Data — data our customers entrust to us

Customer Data is the information our law firm customers and their authorized users upload, generate, or otherwise process through the ClearBAA platform in the course of using the Services. This includes:

Some Customer Data may constitute electronic Protected Health Information ("ePHI") within the meaning of HIPAA. Where it does, ClearBAA is a Business Associate of the customer firm, and our handling is governed by the ClearBAA Customer Business Associate Agreement (the "Customer BAA") and the ClearBAA Data Processing Agreement (the "DPA").

ClearBAA processes Customer Data only as necessary to provide the Services to the customer firm. ClearBAA does not sell, rent, or commercially exploit Customer Data. We do not use Customer Data to train artificial-intelligence models or to improve the Services for other customers. Customer Data is logically isolated by tenant and is not commingled across customers.

Marketing-Site Data — information visitors provide to learn about ClearBAA

Marketing-Site Data is information collected when prospective customers and other visitors interact with the clearbaa.com website. This includes:

We use Marketing-Site Data to respond to your inquiry, to discuss the Services with you, and to keep records of our communications. We do not sell Marketing-Site Data, and we do not share it with third parties for their marketing purposes.

03 Where Your Data Lives

The ClearBAA platform is hosted on Microsoft Azure in United States Azure regions. Customer Data is processed and stored in the United States. ClearBAA does not transfer Customer Data outside the United States in the ordinary course of providing the Services.

If a future Processing arrangement would involve a transfer outside the United States, ClearBAA will implement the appropriate transfer mechanisms — which may include the European Commission's Standard Contractual Clauses and any supplementary measures required by applicable law — and will give customers advance notice of the change in accordance with the DPA.

04 How We Protect Your Data

ClearBAA's security program is summarized below. The full set of controls is described in the ClearBAA Security Whitepaper, available to customers and prospective customers under appropriate confidentiality terms.

No security program eliminates all risk. ClearBAA continually updates its security controls in response to changes in the threat landscape and applicable best practices.

05 Sub-Processors

ClearBAA engages a small number of third-party Sub-Processors to provide infrastructure that the Services rely on. The current Sub-Processor list is published as the ClearBAA Sub-Processor List and identifies, for each Sub-Processor, the function it performs, the data category it touches, the region in which it operates, its certifications, and the contractual data-protection terms in place between ClearBAA and that Sub-Processor.

The core Sub-Processors that handle Customer Data are Microsoft Corporation (for Azure infrastructure: SQL Database, App Service, Blob Storage, Key Vault, Communication Services, Service Bus, Cosmos DB, and Entra External ID) and DocuSign Inc. (for the eSignature workflow that handles BAA signing). Each of these vendors has signed a Business Associate Agreement with ClearBAA covering ePHI handling where applicable.

ClearBAA gives customers at least thirty (30) days' advance notice of any addition, replacement, or other material change to the Sub-Processor List, in accordance with the DPA. Customers may object to a new Sub-Processor on reasonable data-protection grounds during the notice period.

06 Data Retention and Deletion

ClearBAA retains Customer Data for the duration of the customer's active subscription. Following termination of the subscription:

07 Security Incident Notification

ClearBAA maintains a documented Incident Response Plan that governs how we detect, contain, investigate, and communicate about security incidents affecting Customer Data. Where an incident affects a customer's Customer Data, ClearBAA's notification commitments to that customer are tiered:

Stage 1 — Initial Acknowledgment
Within 24 hours of confirming a Severity 1 incident affecting your data.
Stage 2 — Preliminary Findings
Within 72 hours of Severity 1 confirmation, with what we know so far.
Stage 3 — Formal Notification
In time for you to meet your own statutory obligations under HIPAA, TDPSA, or other applicable law.
Ongoing Updates
As investigation progresses, until the incident is closed and a post-incident report is delivered.

This tiered structure is deliberately more protective than a single flat-window commitment. It commits us to early contact (24 hours) when we may not yet have all the facts, then to a substantive preliminary update (72 hours) once investigation has progressed, then to formal notification timed to support your own regulatory obligations rather than collapsed into an arbitrary internal deadline that could force premature notification.

Suspected security incidents involving the Services should be reported to security@clearbaa.com. We acknowledge such reports promptly and respond per the Incident Response Plan.

08 Customer Control of Data Subject Requests

ClearBAA's relationship with the individuals whose Personal Data is processed through the platform is generally an indirect one — the platform processes that data on behalf of our customer firms, and the customer firm is the controller of the data. Where ClearBAA receives a request directly from an individual exercising rights under applicable data-protection law (such as a request for access, correction, deletion, or portability), ClearBAA will:

If you are an individual whose data is processed through the ClearBAA platform on behalf of a law firm and you wish to exercise rights under applicable data-protection law, please contact that law firm directly. ClearBAA cannot grant or deny such requests on the firm's behalf.

09 Children's Data

The Services are intended for use by U.S. law firms and their authorized personnel. ClearBAA does not knowingly collect personal information from children under the age of 13. If a parent or guardian believes their child has provided personal information to ClearBAA, they may contact us at security@clearbaa.com and we will investigate and, where appropriate, delete the information.

10 EU/UK and California Residents

ClearBAA currently serves U.S.-based law firms. The platform is not marketed to or designed for the EU or UK consumer market, and does not directly offer Services to California consumers in the CCPA-regulated retail sense.

Some Customer Data processed through the platform may relate to individuals located in the EU, the UK, or California. Where that is the case, the customer firm — as the controller of that data — is the primary point of contact for the exercise of data subject rights, and ClearBAA assists the firm in fulfilling those rights as described in Section 08 above.

Dedicated workflows for EU GDPR and California CCPA consumer rights (including expanded automation of access, deletion, and portability requests) are on the ClearBAA product roadmap. Customers and prospective customers with specific concerns about EU, UK, or California data subjects should contact us at security@clearbaa.com to discuss the current state of platform support.

11 Cookies and Web Tracking

The clearbaa.com marketing website uses minimal cookies and does not currently load third-party tracking, advertising, or social-media pixels. Standard web server logs are kept by the website's hosting provider for security and operational purposes; these logs include IP addresses and request metadata of the kind generated by every web request.

The ClearBAA platform application uses session cookies as required for authentication. The platform does not load third-party trackers in the application.

12 Changes to This Statement

ClearBAA may update this Privacy Statement from time to time. Material changes affecting how we handle Customer Data will be communicated to active customers by email to the designated contact at least thirty (30) days before the changes take effect, in coordination with the Sub-Processor change-notice process where applicable. Non-material updates (clarifications, formatting, contact-information changes) may be made on the effective date posted at the top of this page. The most recent effective date is shown above.

13 Contact

Questions about this Privacy Statement, requests for additional information about our security or data-handling practices, or notification of a suspected privacy or security incident should be directed to:

ClearBAA LLC
3333 Ancar St.
Orange, TX 77630
United States

Privacy and security matters: security@clearbaa.com
General contact: david@clearbaa.com

Customers under an active Master Services Agreement should also ensure their designated contact is on file with ClearBAA to receive Sub-Processor change notices, security communications, and other contractually required notifications.