Trust is conversion infrastructure — not compliance theater.
Everything a healthcare procurement team needs to evaluate Valentra Labs — BAA readiness, CAIQ/HECVAT responses, named processors, SOC 2 status, and framework alignment — is published here, not gated behind a sales call.
BAA readiness
Valentra Labs offers Business Associate Agreements to its healthcare customers and executes them before any PHI-adjacent data flows. The site itself processes no PHI.
- Form pipeline
- Inbound form submissions are PHI-scrubbed on free-text fields server-side before any durable write.
- Queue
- The durable queue stores submission fields that could carry PHI via a scrubber-miss.
- Ops alerting
- Operational alert channels may receive PHI-adjacent free text from submissions.
- Ticketing
- The governance loop — including ESCALATE-001 ticketing — may reference PHI-adjacent operator context.
CAIQ / HECVAT & evidence
Completed CAIQ and HECVAT responses, our BAA template, and supporting evidence are available on request. Email trust@valentralabs.com and we respond with the relevant artifacts.
Named processors
The subprocessors that operate the platform, with BAA status stated plainly. Vercel is an accepted, compensated Wave-1 risk; Beehiiv and Plausible process no PHI.
- Postmark Enterprise BAA available on request
Transactional email (may carry confirmation copy).
- Supabase Pro (min) BAA available on request
Durable queue (stores free-text fields that may carry PHI scrubber-misses).
- Slack Enterprise Grid BAA available on request
Ops alerting (channels may receive PHI-adjacent free text).
- Sanity BAA available on request
CMS (may carry PHI-adjacent operator copy).
- Vercel Pro No BAA
No BAA on Pro tier — accepted Wave-1 risk. The form handler runs on a BAA-covered runtime if forms ever carry PHI; server-side PHI scrub BEFORE queue write is the Wave-1 compensating control.
- Beehiiv No BAA
No BAA — the newsletter is opt-in marketing, not PHI.
- Plausible No BAA
No BAA — cookieless analytics, no PII processed.
SOC 2 Type II
- Status
- Type II — in progress (target Q4 2026).
Framework alignment
How the Valentra Nexus lifecycle stages map to the healthcare cybersecurity frameworks procurement teams assess against.
| Lifecycle stage | NIST CSF 2.0 | HHS HPH CPGs | 405(d) HICP | HIPAA Security Rule | HITRUST CSF v11.x |
|---|---|---|---|---|---|
| Asset | ID.AMAsset Management — physical devices, systems, software platforms, and data flows inventoried and prioritized by criticality. | —N/AHHS HPH CPGs address inventory only under broader governance goals; no stage-level Asset control maps directly. | Practice 5IT Asset Management — maintain an accurate inventory of endpoints, servers, and medical devices across the enterprise. | §164.310(d)(1)Device and Media Controls — policies governing receipt and removal of hardware and electronic media that contain ePHI. | 07.01.aInventory of Assets — all assets clearly identified and an inventory of all important assets drawn up and maintained. |
| Risk | ID.RARisk Assessment — the organization understands cybersecurity risk to operations, assets, and individuals. | Essential — Vuln MgmtPartialMitigate Known Vulnerabilities — reduce the likelihood of threat actors exploiting known weaknesses by scoping, scoring, and prioritizing exposure across the asset surface before it reaches the board… | Practice 7PartialVulnerability Management — identify, evaluate, and remediate technical vulnerabilities across the environment. | §164.308(a)(1)(ii)(A)Risk Analysis — accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. | 03.01.aStaleRisk Management Program — a formal program operated to manage information security risk to an acceptable level. |
| Control | PR.AA / PR.PSProtect — identity management, authentication, access control, and platform security safeguards are deployed and managed. | Essential — MFAMultifactor Authentication — strong MFA deployed across the organization to reduce credential-based compromise. | Practice 3Access Management — provision, review, and revoke access to systems and ePHI based on least privilege. | §164.312Technical Safeguards — access control, audit controls, integrity, authentication, and transmission security for ePHI. | 09.01.aDocumented Operating Procedures — operating procedures documented, maintained, and made available to all users who need them. |
| Evidence | DE.CMContinuous Monitoring — assets are monitored to find anomalies, indicators of compromise, and other adverse events. | —N/AHHS HPH CPGs are stated as outcome goals, not attestation controls; no stage-level Evidence control maps directly. | §3.4Audit Logs and Monitoring — collect, protect, and review audit logs that demonstrate controls are operating as designed. | §164.312(b)Audit Controls — hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. | 09.10.aAudit Logging — audit logs recording user activities, exceptions, and information security events produced and retained. |
| Work | RS.MIMitigation — activities performed to prevent expansion of an event and to mitigate its effects. | Goal 4Cybersecurity Governance — accountable leadership routes remediation and oversight work to the responsible teams. | Practice 8PartialSecurity Operations and Incident Response — triage, route, and track remediation work through to closure. | §164.308(a)(1)(ii)(B)Risk Management — implement security measures sufficient to reduce risks and vulnerabilities to a reasonable level. | 11.01.aReporting Information Security Events — security events reported through appropriate channels and remediated. |
| Decision | GV.OCOrganizational Context — the circumstances surrounding the organization's cybersecurity risk management decisions are understood. | Enhanced — GovernancePartialCybersecurity Governance (Enhanced) — board-level oversight of the cybersecurity program and its risk decisions. | —N/A405(d) HICP is a practice-level technical framework; no board-Decision control maps directly to this stage. | §164.308(a)(8)Evaluation — periodic technical and nontechnical evaluation establishing the extent to which safeguards meet the Rule. | 05.01.aManagement Direction for Information Security — management provides direction and support for information security decisions. |