Healthcare middleware · Case study
The connective layer for healthcare
Orenva — Next.js + Vercel (Frankfurt edge) + Cloudflare, Liveblocks for real-time collaboration, PostHog product analytics, Sentry observability, hand-coded BEM-style CSS. Six verticals unified — consultation, pharmacy, therapy, fitness, insurance, wellness — every service reads from one health context.
- Next.js (App Router)
- Vercel (Frankfurt edge)
- Cloudflare front
- Liveblocks
- PostHog
- Sentry
- Hand-coded BEM CSS
Orenva is the connective layer for UK healthcare. The single-line positioning: “All your health, one context every service reads from.” Six verticals — consultation, pharmacy, therapy, fitness, insurance, wellness — unified so a patient (or their GP, or their insurer) is looking at the same health context regardless of which surface they’re on.
Why this is a case study and not a tier client
Orenva isn’t on a UK Web Marketing tier. It’s a separately-founded company with its own product team, its own roadmap, and its own compliance posture documented across a parallel repo (Orenva-Compliance). It’s surfaced here because the architectural disciplines are the case study — disciplines that show up in every regulated-vertical brief I take.
Jordan Gilbert and Geet are the two founders. Both have firstname.surname@orenvahealth.com mailboxes already provisioned. Currently parked at 6 stacked PRs (#26→#30) awaiting Geet’s sequential merge — frame this as “compliance docs first, code second” if you’re considering a similar build.
The technical stack
Next.js with the App Router. Server components by default. Hand-rolled BEM-style CSS — section-shell content-section section--plain, hero-split__h1 — explicitly not Tailwind. The decision matches the compliance-led posture: the surface area of CSS dependencies is one fewer thing to audit when ISO controls require a documented build chain.
Vercel Frankfurt edge. EU-resident infrastructure for a UK healthcare company. The Vercel response headers identify the Frankfurt edge POP serving the request — physically inside the EEA, not the US.
Cloudflare in front of Vercel. Double-edge architecture: Cloudflare for DNS and DDoS, Vercel for compute. The cf-cache-status: DYNAMIC and the server: cloudflare headers both appear on the response. This is the same pattern used by larger SaaS companies that want a CDN-layer rate limiter independent of the application host.
Liveblocks for real-time collaboration. The CSP allows wss://*.liveblocks.io — there is real-time collaboration somewhere in the application surface. In a healthcare connective-layer product, that’s most likely shared records, multi-stakeholder consultation notes, or care-team workflows.
PostHog + Sentry + Vercel Analytics. Product analytics (PostHog), error monitoring (Sentry), and traffic observability (Vercel Analytics). Three independent observability planes; the compliance documentation references each one explicitly in the vendor risk register.
Strict CSP, nonce-based. No inline scripts, no wildcard sources. The header reads like a Fortune 500 SaaS CSP, not a startup default. Same posture I apply to the regulated-vertical pages on the UK Web Marketing site itself.
The six-vertical unification
The headline claim is structural, not marketing. A health context that’s unified across consultation / pharmacy / therapy / fitness / insurance / wellness has to model entities the same way:
- One canonical patient identity across verticals
- Consented data sharing scoped per-vertical
- A change in one vertical (a new prescription) propagates to the others (the insurer’s quote, the fitness coach’s plan, the therapist’s safety note)
- An audit trail that survives a vertical merge / migration
This is the hard work of healthcare interop. Most “connected health” products give up at vertical 2 (consultation + pharmacy) and call it a platform. Orenva’s claim is end-to-end across six.
The compliance scaffold
The Orenva-Compliance repo carries an ISO-style controls library:
- 00-CONTROL-MATRIX.md — the cross-reference between controls and supporting documents
- ISMS (Information Security Management System) documentation
- BCP (Business Continuity Plan) and DR (Disaster Recovery)
- Incident response runbooks
- Vendor risk assessments per sub-processor
- DSAR (Data Subject Access Request) procedures with response-time SLAs
This is the compliance posture a regulated UK healthcare company needs before ICO scrutiny, before NHS digital onboarding, before insurer due-diligence. The repo exists separately from the application code so non-technical reviewers (legal, clinical safety officers, auditors) can read it without git-checkout overhead.
The pattern is worth borrowing for any compliance-heavy UK vertical. UK Web Marketing’s /compliance page is a simpler version of the same idea: sub-processor disclosure, lawful-basis table, retention windows — published, versioned, public.
What the front-of-site demonstrates
The Orenva home page is a quiet surface — split hero, six-vertical grid, progressive section reveals via intersection-observer-driven lazy-section classes. No carousel. No “as featured in” logo strip. No three-step “how it works” wizard with stock illustrations. The audience is healthcare professionals and patients with chronic-condition complexity; cheap marketing motifs would actively damage trust.
The build is a study in positional restraint — show the platform’s surface, name the verticals, route to demo / sign-up, leave the noise out. That’s harder than it sounds. Most healthcare startup landing pages are stuffed with credibility theatre (logo strips, “HIPAA compliant” badges, fake “patients reached” counters). Orenva’s omission of those is the case study point.
Transferable patterns for UK Web Marketing clients
Three things I lift from Orenva and apply on Bespoke engagements whenever a regulated practice asks for more:
- Compliance docs as their own repo. Don’t bury the sub-processor list in a privacy policy. Put it in a versioned location with a public URL. Update it on PR. UK Web Marketing’s /compliance does this; Orenva’s is the larger-org version.
- CSP that’s actually restrictive. Most small-business sites I audit have either no CSP or a permissive one (* everywhere). Orenva’s nonced, per-host CSP is the model. The UK Web Marketing site emits the same pattern.
- Frankfurt or London edge, never US. Vercel London is the default for UK Web Marketing builds. For clients whose audience is partially in the EU but not specifically UK, Vercel Frankfurt is the right pick — same Vercel platform, EEA region.
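The difference between the permissive "* everywhere" policy in the list above and the strict, nonce-based CSP described under the technical stack can be checked mechanically. The Node.js audit below is an added example, not Orenva's code or its real header: it flags bare wildcards, 'unsafe-inline' / 'unsafe-eval' and a missing nonce, and lists host-scoped wildcards such as wss://*.liveblocks.io separately for review. The function names, both sample policies and the nonce value are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value.
// Both sample policies at the bottom are constructed, not taken from a live site.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scopedWildcards = []; // e.g. wss://*.example.io: narrower than "*", still worth review

  for (const [directive, sources] of policy) {
    for (const src of sources) {
      if (src === '*') findings.push(`${directive}: bare wildcard source`);
      else if (src.includes('*.')) scopedWildcards.push(`${directive} ${src}`);
    }
  }

  // script-src falls back to default-src when it is absent.
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts are unrestricted');
    return { findings, scopedWildcards };
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (!hasNonceOrHash) findings.push('script-src: no nonce or hash, not a nonce-based policy');
  // When a nonce or hash is present, CSP2+ browsers ignore 'unsafe-inline'.
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src: 'unsafe-inline' permits inline scripts");
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src: 'unsafe-eval' permits eval()");
  return { findings, scopedWildcards };
}

const PERMISSIVE = "default-src * 'unsafe-inline' 'unsafe-eval'"; // constructed
const NONCED = // constructed; the nonce is a placeholder, real ones are random per response
  "default-src 'self'; script-src 'self' 'nonce-cGxhY2Vob2xkZXI='; " +
  "connect-src 'self' wss://*.liveblocks.io; object-src 'none'; base-uri 'self'";

console.log(auditCsp(PERMISSIVE));
console.log(auditCsp(NONCED));
```

Run it with node against the value of a site's content-security-policy response header; an empty findings array with a short scopedWildcards list is the shape the nonce-based model produces.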
Orenva isn’t taking new clients on (it’s a product company, not an agency). But if you want the same architectural posture for your healthcare-adjacent business: WhatsApp me. I can build the website; the compliance posture is the conversation we have first.