IRM|Pro® Privacy Policy

As a Company that provides solutions and services designed to help organizations protect the privacy and security of their information, Clearwater recognizes that protecting the privacy of your company’s (the “Subscriber”) data is important. This Privacy Policy (“Policy”) explains how Clearwater maintains the privacy of the information that is collected by, created by, and maintained within the IRM|Pro® Software Suite[1] (“Software”) about your company and the authorized users of the Software.

This Policy addresses the following topics:

  • Data Collected by the Software
  • Use of Cookies
  • Uses of Data Maintained Within the Software
  • How Clearwater May Share Data Maintained Within the Software
  • Security for Data Maintained Within the Software
  • Retention of Data Maintained Within the Software
  • Rights with Respect to Data Maintained Within the Software
  • Links to External Web Sites
  • Testimonials
  • Changes to This Policy

Data Collected by the Software

Subscribers can enter the following information into the Software (“Subscriber Data”):

  • The name, address, and telephone number of Subscriber’s primary location and any additional locations;
  • Names, job titles, email addresses, and other contact details of authorized users of the Software within Subscriber’s organization (“Authorized Users”);


The Software also collects the following information about Authorized Users (“Authorized User Data”):

  • Name;
  • Job title;
  • Login credentials;
  • Business email address;
  • Business phone number (optional)[2];
  • Business address (optional).

Use of Cookies

Please view our Cookies Policy to understand the information that Clearwater collects automatically using cookies when you use the Software.

Uses of Data Maintained Within the Software

Clearwater uses Subscriber Data for the following purposes:

  • To provide Subscriber with the services offered by the Software that include, but are not limited to, helping Subscriber identify, rate and manage risks to its information systems resulting from gaps in security controls; assessing Subscriber’s compliance with the HIPAA Privacy, Security and Breach Notification Rules; and other functions.
  • To provide Authorized Users with training on the Software and/or technical support to resolve reported issues.
  • To analyze Subscriber’s use of the Software in order to improve the Software’s functionality and the Subscriber’s experience.
  • To compile anonymous benchmarking data to provide insight into the risks faced by HIPAA-covered entities, for the purpose of improving the Software to help address these risks.

Clearwater uses Authorized User Data for the following purposes:

  • To set up account profiles for the Authorized Users who will access the Software;
  • To contact Authorized Users in order to determine whether the Subscriber has feedback concerning the Software;
  • To provide newsletters and information about other solutions and services from Clearwater that may be of interest to the Subscriber;
  • To provide best practice tips, updates, release notes, security alerts, security information and other technical notices concerning the Software (“Technical Emails”).

Authorized Users can opt out of receiving newsletters and information about other Clearwater products by submitting an email to stating that he/she is no longer interested in receiving email communications.  Authorized Users cannot opt out of receiving Technical Emails from Clearwater.

How Clearwater May Share Data Maintained within the Software

All Subscriber and Authorized User Data is considered to be confidential and Clearwater will protect the confidentiality of such Data.  It is Clearwater’s policy to never share data entrusted to it with third parties for any reason.

Security for Data Maintained within the Software

All data entered into or created by the Software is stored and maintained in secure facilities that limit access to authorized personnel only. As part of Clearwater’s continuous risk management process, the Software is regularly tested to assess vulnerabilities and controls, to remediate deficiencies, and to ensure that all data maintained within the Software is secure from unauthorized access or modification. Information is protected in transit via HTTPS and TLS security.  Data maintained within the Software is backed up at an off-site remote location, consistent with Clearwater’s business continuity plan. While Clearwater will exert all commercially reasonable efforts to protect the confidentiality, integrity and availability of the data stored in the Software, Clearwater cannot guarantee that such efforts will prevent an unauthorized breach of your Data.

Retention of Data Collected By The Software

Clearwater will retain Subscriber Data for as long as Subscriber maintains its subscription to the Software, and for a reasonable period of time thereafter to ensure the Subscriber has downloaded all data and reports it wishes to maintain for its own records.  Clearwater will retain Authorized User Data for as long as the Authorized User is authorized by Subscriber to access the Software.

At the time of termination or discontinuance of the Software subscription for any reason, Clearwater will make reasonable efforts to ensure all data entered into the Software will be available for Subscriber’s designated representative (“Account Owner”) to download from the Software in CSV format, including where possible, extracts of all charts and reports provided by the Software in PDF format, as of the date of termination or discontinuation. Clearwater will delete all Subscriber and Authorized User Data it maintains within ninety (90) days of Subscriber’s termination of the Software subscription, provided however, that it is understood that information in an intangible or electronic format cannot be immediately removed, erased or otherwise deleted from system back-ups, but that such information will cycle off the back-ups and until it does will continue to be maintained in strict confidentiality.

Users’ Rights with Respect to Data Maintained Within the Software

Subscribers have the ability to access, update, or delete Authorized User data at any time through the Software, or by the Account Owner submitting a request to

Links to External Web Sites

The Software may contain links to external websites owned and maintained by third parties. If you click on one of these links, you will be directed to a third-party website that is not owned or operated by Clearwater.  Before entering any information into a third-party website you should carefully review that website’s privacy statement.  Clearwater is not responsible for any data entered into external websites.


Testimonials

In an effort to market the Software and other Clearwater solutions, Clearwater requests that Subscribers, through Authorized Users, provide feedback on the Software (“Testimonials”) that Clearwater can publish on its IRM|Pro® website.  Clearwater will not publish Testimonials on its website without first obtaining the Authorized User’s written consent.

Changes to this Policy

Clearwater may change this Policy from time to time in its sole discretion. If Clearwater makes a material change to this Policy, we will inform you by posting a notice on this site.  Those changes will go into effect on the effective date posted in the notice. The new privacy policy will apply to all current and past users of the Software and to all information collected or created before the date of the change. The new privacy policy will replace any prior privacy policies that are inconsistent. Please check periodically for changes to this Policy, and especially before you enter any information into the Software.  If Clearwater materially changes how we use, disclose or otherwise process data collected or created by the Software, we will contact you before doing so and obtain your consent, where legally required to do so, before using, disclosing or otherwise processing data other than as described in this Policy.

[1] The IRM|Pro® Software Suite is comprised of IRM|Analysis®; IRM|Security®; IRM|Privacy®; IRM|Framework®.

[2] All information that is not explicitly marked as “optional” is essential to the operation and/or the administration of the Product(s); and for this reason, there is no opt-out available for the collection and storage of the Information.