Skip to content
Trust & Procurement

Trust is conversion infrastructure — not compliance theater.

Everything a healthcare procurement team needs to evaluate Valentra Labs — BAA readiness, CAIQ/HECVAT responses, named processors, SOC 2 status, and framework alignment — is published here, not gated behind a sales call.

BAA readiness

Valentra Labs offers Business Associate Agreements to its healthcare customers and executes them before any PHI-adjacent data flows. The site itself processes no PHI.

Form pipeline
Inbound form submissions are PHI-scrubbed on free-text fields server-side before any durable write.
Queue
The durable queue stores submission fields that could carry PHI via a scrubber-miss.
Ops alerting
Operational alert channels may receive PHI-adjacent free text from submissions.
Ticketing
The governance loop — including ESCALATE-001 ticketing — may reference PHI-adjacent operator context.

CAIQ / HECVAT & evidence

Completed CAIQ and HECVAT responses, our BAA template, and supporting evidence are available on request. Email trust@valentralabs.com and we respond with the relevant artifacts.

  • CAIQ response Request On request as of
  • HECVAT (Lite) response Request On request as of
  • BAA template Request On request as of
  • Framework alignment summary View Published as of

Named processors

The subprocessors that operate the platform, with BAA status stated plainly. Vercel is an accepted, compensated Wave-1 risk; Beehiiv and Plausible process no PHI.

  • Postmark Enterprise BAA available on request

    Transactional email (may carry confirmation copy).

  • Supabase Pro (min) BAA available on request

    Durable queue (stores free-text fields that may carry PHI scrubber-misses).

  • Slack Enterprise Grid BAA available on request

    Ops alerting (channels may receive PHI-adjacent free text).

  • Sanity BAA available on request

    CMS (may carry PHI-adjacent operator copy).

  • Vercel Pro No BAA

    No BAA on Pro tier — accepted Wave-1 risk. The form handler runs on a BAA-covered runtime if forms ever carry PHI; server-side PHI scrub BEFORE queue write is the Wave-1 compensating control.

  • Beehiiv No BAA

    No BAA — the newsletter is opt-in marketing, not PHI.

  • Plausible No BAA

    No BAA — cookieless analytics, no PII processed.

SOC 2 Type II

Status
Type II — in progress (target Q4 2026).

Framework alignment

How the Valentra Nexus lifecycle stages map to the healthcare cybersecurity frameworks procurement teams assess against.

Framework alignment matrix — Valentra Nexus lifecycle stages crossed with NIST CSF 2.0, HHS HPH CPGs, 405(d) HICP, HIPAA Security Rule, and HITRUST CSF v11.x. Each cell shows the relevant control reference.
Lifecycle stageNIST CSF 2.0HHS HPH CPGs405(d) HICPHIPAA Security RuleHITRUST CSF v11.x
AssetID.AMAsset Management — physical devices, systems, software platforms, and data flows inventoried and prioritized by criticality.N/AHHS HPH CPGs address inventory only under broader governance goals; no stage-level Asset control maps directly.Practice 5IT Asset Management — maintain an accurate inventory of endpoints, servers, and medical devices across the enterprise.§164.310(d)(1)Device and Media Controls — policies governing receipt and removal of hardware and electronic media that contain ePHI.07.01.aInventory of Assets — all assets clearly identified and an inventory of all important assets drawn up and maintained.
RiskID.RARisk Assessment — the organization understands cybersecurity risk to operations, assets, and individuals.Essential — Vuln MgmtPartialMitigate Known Vulnerabilities — reduce the likelihood of threat actors exploiting known weaknesses by scoping, scoring, and prioritizing exposure across the asset surface before it reaches the board…Practice 7PartialVulnerability Management — identify, evaluate, and remediate technical vulnerabilities across the environment.§164.308(a)(1)(ii)(A)Risk Analysis — accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.03.01.aStaleRisk Management Program — a formal program operated to manage information security risk to an acceptable level.
ControlPR.AA / PR.PSProtect — identity management, authentication, access control, and platform security safeguards are deployed and managed.Essential — MFAMultifactor Authentication — strong MFA deployed across the organization to reduce credential-based compromise.Practice 3Access Management — provision, review, and revoke access to systems and ePHI based on least privilege.§164.312Technical Safeguards — access control, audit controls, integrity, authentication, and transmission security for ePHI.09.01.aDocumented Operating Procedures — operating procedures documented, maintained, and made available to all users who need them.
EvidenceDE.CMContinuous Monitoring — assets are monitored to find anomalies, indicators of compromise, and other adverse events.N/AHHS HPH CPGs are stated as outcome goals, not attestation controls; no stage-level Evidence control maps directly.§3.4Audit Logs and Monitoring — collect, protect, and review audit logs that demonstrate controls are operating as designed.§164.312(b)Audit Controls — hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.09.10.aAudit Logging — audit logs recording user activities, exceptions, and information security events produced and retained.
WorkRS.MIMitigation — activities performed to prevent expansion of an event and to mitigate its effects.Goal 4Cybersecurity Governance — accountable leadership routes remediation and oversight work to the responsible teams.Practice 8PartialSecurity Operations and Incident Response — triage, route, and track remediation work through to closure.§164.308(a)(1)(ii)(B)Risk Management — implement security measures sufficient to reduce risks and vulnerabilities to a reasonable level.11.01.aReporting Information Security Events — security events reported through appropriate channels and remediated.
DecisionGV.OCOrganizational Context — the circumstances surrounding the organization's cybersecurity risk management decisions are understood.Enhanced — GovernancePartialCybersecurity Governance (Enhanced) — board-level oversight of the cybersecurity program and its risk decisions.N/A405(d) HICP is a practice-level technical framework; no board-Decision control maps directly to this stage.§164.308(a)(8)Evaluation — periodic technical and nontechnical evaluation establishing the extent to which safeguards meet the Rule.05.01.aManagement Direction for Information Security — management provides direction and support for information security decisions.
Generated by Valentra Nexusas offa_2026-05-14_7c3aed