Business Associate Agreement
Between Mental Wealth Solutions, Inc. (VibeCheck) and the Provider
Version: 1.1 Effective Date: 2026-06-16
Changelog v1.0 → v1.1 (cloud-agnostic subprocessor language). This version makes the infrastructure and AI-subprocessor language technology-neutral so the Agreement covers any cloud or AI subprocessor that is bound by an executed BAA with Business Associate, permitting migration between cloud providers (e.g., AWS to Google Cloud) without amending this Agreement each time. The protective mechanism is unchanged: PHI may be processed only by subprocessors bound by an executed BAA (flow-down, Sections 4.1, 4.3, 4.4). Substantive edits, all confined to Sections 3 and 4.2:
- §3 Infrastructure — replaced the single-cloud reference with "cloud infrastructure operated by subprocessors bound by an executed BAA … meeting the HIPAA Security Rule";
- §4.2 — added a technology-neutral subprocessor clause;
- §4.2 table — lists Amazon Web Services and Google Cloud as current PHI-processing subprocessors;
- §4.2 AI note — made vendor-neutral (Amazon Bedrock and/or Google Cloud Vertex AI under their respective HIPAA BAAs).
Parties
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between:
- Mental Wealth Solutions, Inc., a New York corporation, on behalf of its product VibeCheck ("Business Associate," "MWS," "we," or "us"); and
- The clinician, practice, agency, or organization that accepts this Agreement and uses VibeCheck to create, receive, maintain, or transmit Protected Health Information ("Covered Entity," "Provider," or "you").
Business Associate and Covered Entity are each a "Party" and together the "Parties."
This Agreement supplements, and is incorporated by reference into, the VibeCheck Provider Terms of Service (the "Underlying Agreement"). If the Underlying Agreement and this BAA conflict on the handling of Protected Health Information, this BAA controls.
Recitals
- Covered Entity is a "covered entity" or a "business associate" of a covered entity under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the HITECH Act (collectively, "HIPAA").
- Business Associate provides VibeCheck, a software platform that supports between-session clinical workflows, and in doing so may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity.
- The Parties enter into this Agreement to satisfy the business-associate-contract requirements of 45 C.F.R. §§ 164.502(e), 164.504(e), and 164.314(a), and to permit Covered Entity to comply with HIPAA.
1. Definitions
Capitalized terms not defined here have the meaning given in HIPAA (45 C.F.R. Parts 160 and 164).
- Protected Health Information ("PHI") — individually identifiable health information that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity. "Electronic PHI" ("ePHI") is PHI in electronic form.
- Breach, Security Incident, Unsecured PHI, Required by Law, Designated Record Set, Subcontractor — as defined in 45 C.F.R. §§ 164.402, 164.304, 164.402, 164.103, 164.501, and 160.103 respectively.
- Individual — the person who is the subject of PHI (in VibeCheck, a client/patient invited by the Provider).
- Services — the VibeCheck platform and related services provided under the Underlying Agreement.
2. Permitted Uses and Disclosures by Business Associate
2.1 Performance of the Services. Business Associate may use and disclose PHI only as necessary to perform the Services under the Underlying Agreement, as permitted or required by this BAA, or as Required by Law.
2.2 Management and administration. Business Associate may use PHI for its proper management and administration and to carry out its legal responsibilities. Business Associate may disclose PHI for those purposes only if the disclosure is Required by Law, or Business Associate obtains reasonable written assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the recipient notifies Business Associate of any breach of confidentiality.
2.3 Data aggregation. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.4 De-identification. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). De-identified data is not PHI and is not subject to this Agreement.
2.5 Minimum necessary. Business Associate will limit its uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b).
2.6 No prohibited use. Business Associate will not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as set out in Sections 2.2 and 2.3.
2.7 No sale; no marketing. Business Associate will not sell PHI and will not use or disclose PHI for marketing, in each case except as expressly permitted by HIPAA and authorized in writing by Covered Entity and the Individual where required.
2.8 No use to train general AI models on identifiable PHI. Business Associate will not use Individuals' PHI to train, fine-tune, or improve any general-purpose or third-party artificial-intelligence model in a manner that exposes PHI outside the safeguards of this Agreement. Any in-product personalization that processes PHI occurs only within Business Associate's BAA-covered infrastructure and BAA-covered AI subprocessors (see Section 4).
3. Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards, and will comply with Subpart C of 45 C.F.R. Part 164 (the Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided by this Agreement. These safeguards include, at minimum:
- Encryption at rest — PHI is encrypted using AES-256 (PostgreSQL pgcrypto).
- Encryption in transit — all PHI transmission is encrypted using TLS 1.2 or higher.
- Access control — role-based access control (RBAC) restricts PHI to authorized roles; client PHI is scoped to the inviting Provider's care relationship.
- Authentication — multi-factor authentication (MFA) is required for Provider accounts.
- Session controls — authenticated sessions time out after 15 minutes of inactivity.
- Audit controls — append-only, tamper-resistant audit logs record access to PHI.
- Infrastructure — all PHI is stored and processed within cloud infrastructure operated by subprocessors that are bound by an executed business associate agreement with Business Associate and that meet the requirements of the HIPAA Security Rule. Business Associate's current infrastructure subprocessors are listed in Section 4.2.
Business Associate will review and update its safeguards as reasonably necessary to maintain compliance with the Security Rule.
4. Subcontractors and Subprocessors (Flow-Down)
4.1 Written assurances. Business Associate will require any Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf to agree in writing to restrictions and conditions at least as protective as those that apply to Business Associate under this Agreement, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).
4.2 Subprocessors generally; current subprocessors. Business Associate will store, process, and transmit PHI, and perform any artificial-intelligence inference on PHI, only on cloud infrastructure and AI services operated by subprocessors that (a) are bound by an executed business associate agreement with Business Associate, and (b) implement the safeguards required by the HIPAA Security Rule. Business Associate may add, change, or replace such subprocessors — including to migrate between cloud providers — provided the conditions in (a) and (b) are met and Section 4.4 is followed. The table below lists Business Associate's current PHI-processing subprocessors and is updated as they change.
| Subprocessor | Role | BAA status |
|---|---|---|
| Amazon Web Services, Inc. — including Amazon Bedrock (AI inference), Amazon EC2, Amazon RDS, Amazon S3, Amazon CloudFront, Amazon SES | Cloud hosting, storage, transmission, and AI inference | Executed |
| Google LLC (Google Cloud) — including Vertex AI (AI inference), Cloud SQL for PostgreSQL, Cloud Storage, Cloud Logging, and Cloud Run / Compute Engine | Cloud hosting, storage, transmission, and AI inference | Executed |
AI inference path. AI inference on PHI is performed only by the BAA-covered subprocessors listed in the table above (currently Amazon Bedrock and/or Google Cloud Vertex AI under their respective HIPAA BAAs). Business Associate will not add a new PHI-processing AI subprocessor without first executing a BAA and updating this Section; the prohibition on routing PHI to non-BAA endpoints is stated in Section 4.3.
4.3 No PHI to non-BAA endpoints. Business Associate will not transmit PHI to any AI model endpoint, vendor, or service that is not covered by an executed BAA. AI inference on PHI is performed only by BAA-covered subprocessors listed in Section 4.2.
4.4 Updates to the subprocessor list. Business Associate will maintain a current list of PHI-processing subprocessors and will make it available to Covered Entity on request. Business Associate will execute a BAA with any new PHI-processing subprocessor before that subprocessor processes PHI.
5. Reporting
5.1 Breach of Unsecured PHI. Business Associate will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the Breach — the maximum period permitted under 45 C.F.R. § 164.410(b) — or within any shorter period the Parties agree to in writing. The notification will include, to the extent known and as it becomes available, the information required by 45 C.F.R. § 164.410(c) — including the identification of each Individual whose Unsecured PHI was or is reasonably believed to have been involved, a description of what happened, the types of PHI involved, and the remediation steps taken.
5.2 Security Incidents. Business Associate will report to Covered Entity any Security Incident of which it becomes aware, in accordance with 45 C.F.R. § 164.314(a)(2)(i)(C). The Parties acknowledge that unsuccessful, routine attempts (e.g., pings, port scans, blocked access attempts) occur frequently and are reported in the aggregate only on Covered Entity's reasonable request.
5.3 Other unauthorized use or disclosure. Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, without unreasonable delay.
5.4 Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI in violation of this Agreement (45 C.F.R. § 164.530(f), applied through this Agreement).
6. Individual Rights (Business Associate Support of Covered Entity)
The Individual's HIPAA rights run to and through Covered Entity. Business Associate will support Covered Entity as follows:
6.1 Access (§ 164.524). To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will, within a reasonable time and in the form requested, make that PHI available to Covered Entity (or, at Covered Entity's direction, to the Individual) so Covered Entity can meet its access obligations.
6.2 Amendment (§ 164.526). Business Associate will make PHI in a Designated Record Set available for amendment and will incorporate amendments directed by Covered Entity.
6.3 Accounting of disclosures (§ 164.528). Business Associate will document disclosures of PHI and information related to those disclosures as needed for Covered Entity to respond to an Individual's request for an accounting, and will make that information available to Covered Entity.
6.4 Restrictions and confidential communications. Business Associate will honor restrictions and confidential-communication arrangements that Covered Entity is required to accommodate, to the extent the restriction affects PHI in Business Associate's systems and Covered Entity notifies Business Associate.
6.5 Direct Individual requests. If an Individual contacts Business Associate directly to exercise a HIPAA right, Business Associate will refer the Individual to Covered Entity and will assist Covered Entity in responding.
7. Access by the Secretary
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA (45 C.F.R. § 164.504(e)(2)(ii)(I)).
8. Covered Entity Obligations
8.1 Notice of Privacy Practices. Covered Entity is responsible for issuing its own Notice of Privacy Practices to Individuals. Business Associate provides an adoptable template Notice of Privacy Practices for Provider convenience; Covered Entity remains solely responsible for the content, accuracy, and distribution of the Notice it adopts.
8.2 Permissible requests. Covered Entity will not request that Business Associate use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity, except as permitted under Sections 2.2–2.3.
8.3 Consents and authorizations. Covered Entity is responsible for obtaining any consents or authorizations from Individuals required for the PHI it inputs into the Services and for inviting Individuals to the platform.
8.4 Changes affecting use. Covered Entity will notify Business Associate of any limitation in its Notice of Privacy Practices, any change in or revocation of an Individual's permission, or any restriction Covered Entity has agreed to, to the extent it affects Business Associate's use or disclosure of PHI.
9. Term and Termination
9.1 Term. This Agreement is effective on the date Covered Entity accepts it (by click-through acceptance or by signature) and continues until all PHI is returned, destroyed, or protections are extended under Section 9.4.
9.2 Termination for cause by Covered Entity. If Covered Entity determines that Business Associate has materially breached this Agreement, Covered Entity may provide written notice and an opportunity to cure within a reasonable period; if Business Associate does not cure, Covered Entity may terminate this Agreement and the Underlying Agreement.
9.3 Termination for cause by Business Associate. If Business Associate determines that Covered Entity has materially breached this Agreement, Business Associate may, after notice and a reasonable cure period, suspend the Services or terminate this Agreement.
9.4 Effect of termination. On termination, Business Associate will, if feasible, return or destroy all PHI received from, created, or received on behalf of Covered Entity that Business Associate maintains, and retain no copies. Where return or destruction is infeasible (including where retention is Required by Law), Business Associate will extend the protections of this Agreement to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as it retains the PHI. Covered Entity may export Individual data through the Services before termination.
10. Retention of HIPAA Documentation
Business Associate will retain this Agreement and the documentation required by HIPAA for at least six (6) years from the date of its creation or the date it was last in effect, whichever is later, in accordance with 45 C.F.R. §§ 164.316(b)(2) and 164.530(j)(2).
Note on clinical-record retention: Retention of the underlying treatment/clinical record is the Covered Entity's obligation under applicable state law (in New York, governed by state record-retention rules), not a HIPAA requirement. HIPAA itself sets no medical-record retention period. Business Associate retains PHI as instructed by Covered Entity and as Required by Law.
11. Acceptance Mechanisms
This Agreement may be executed by either mechanism, and both bind the Parties equally:
11.1 Click-through acceptance. A Provider accepts this Agreement electronically within VibeCheck. PHI entry is gated: a Provider cannot create or invite a client, or enter any PHI, until this Agreement is accepted. Electronic acceptance is governed by the federal ESIGN Act and the New York Electronic Signatures and Records Act and is as binding as a handwritten signature. The platform records the accepting user, entity, timestamp, and version.
11.2 Countersigned PDF on request. A Provider may request a signed PDF counterpart. Email matthewsextonlcsw@mentalwealthsolutions.org to initiate. A countersigned PDF and a click-through acceptance of the same version have identical effect.
12. Miscellaneous
- Governing law. This Agreement is governed by the laws of the State of New York, without regard to conflict-of-law principles.
- No third-party beneficiaries. Nothing in this Agreement confers rights on any person other than the Parties.
- Regulatory amendment. The Parties will amend this Agreement as necessary to comply with changes to HIPAA. The Parties intend this Agreement to be interpreted consistently with HIPAA.
- Survival. Sections 9.4, 10, and the confidentiality and PHI-protection obligations survive termination.
- Interpretation. Any ambiguity is resolved to permit compliance with HIPAA.
Signature Block (PDF counterpart)
This Agreement is ordinarily executed by electronic click-through acceptance within VibeCheck (Section 11.1). When a Provider accepts, VibeCheck automatically records the accepting user, the practice/entity, the typed-signature legal name, the document version, the acceptance timestamp, and the originating IP address. That electronic record is the signed instrument and supplies the signatory and date for both Parties — no manual date or wet signature is required.
| | Business Associate | Covered Entity |
|---|---|---|
| Entity | Mental Wealth Solutions, Inc. | Accepting Provider / Practice |
| Signatory | Matthew Sexton, LCSW | Provider's typed-signature legal name (captured at acceptance) |
| Title | Authorized Representative | Authorized Representative of the Provider |
| Date | Date of the Provider's electronic acceptance (auto-recorded) | Date of the Provider's electronic acceptance (auto-recorded) |
A separately countersigned PDF remains available on request under Section 11.2; where used, each Party's signatory and date are completed at signing.
Business Associate Agreement v1.1, effective 2026-06-16, between Mental Wealth Solutions, Inc. and the accepting Provider. Supersedes v1.0 (effective 2026-05-31). For questions about this Agreement, contact matthewsextonlcsw@mentalwealthsolutions.org.