OPERATING STANCE
federal-only sourcing
No enrichment. No interpretation.
Fonteum aggregates federal data and routes it. We do not enrich, model, or score. 22 federal source families · Row-level provenance on every record. SOC 2 Type 1 - Q3 2026.
Read the audit pack →
What Fonteum is · What Fonteum is not
Federal data, passed through without enrichment.
What Fonteum does not do
No enrichment. No scoring. No inference.
Data not ingested
Explicit rejection list.
Security posture
SOC 2 Type 1 in progress.
SOC 2 Type 1 in progress (target Q3 2026). SOC 2 Type 2 follows after a 6-month observation period (target Q1 2027). HITRUST i1 evaluation 2027. Fonteum is not yet attested and does not display a SOC 2 badge it does not hold.
Infrastructure: Vercel (application hosting) + Supabase (managed Postgres, row-level security enforced). Encryption in transit (TLS 1.2+) and at rest. No service-role keys shipped to the browser.
HITRUST i1 evaluation planned for 2027 — i1 (Implemented, 1-year) is the appropriate scope for a no-PHI public-data platform. HIPAA covered-entity status is not applicable — Fonteum processes no PHI.
Vulnerability disclosure: security@fonteum.com · /.well-known/security.txt (RFC 9116).
BAA availability
BAA template on request.
Because Fonteum processes no PHI, BAA execution is typically not required under HIPAA for data ingestion. The template exists as a procurement formality for partners whose internal compliance review requires a signed BAA regardless of processing scope.
Download audit pack (includes BAA template) →
Customer evidence
Pilot intake open.
SOC 2 Type 1 — Q3 2026. Customer evidence published as pilots close. No fake logos, no anonymous testimonials.
Incident disclosure policy
72-hour incident disclosure. Public corrections log.
If unauthorized access to user data is confirmed, Fonteum notifies affected parties within 72 hours of confirmation and posts a public statement naming the scope of access, the affected data classes, the time window, and the remediation steps taken.
Data-quality incidents (a wrong figure on a live page) follow the same corrections workflow and are logged below alongside doctrinal corrections. Fonteum has not had a breach to date. The policy exists so the threshold is documented.
Corrections log · last 30 days
Federal-source corrections and re-sync timestamps.
Last 30 days · 5 entries · static snapshot — live feed in Q3 2026
2026-05-25
Accepted
CMS Care Compare · Dataset sync
Home health agency count reconciled with upstream CMS quarterly release. 12,392 CCN-keyed records confirmed.
2026-05-24
Accepted
CMS Provider of Services · Schema update
POS facility type field mapping updated to align with CMS April 2026 release schema.
2026-05-20
Accepted
HHS-OIG · Record count update
Monthly LEIE refresh completed. 68,055 exclusion records confirmed current.
2026-05-15
Accepted
CMS Care Compare · Hospice data refresh
Q1 2026 Care Compare Hospice refresh completed. 6,943 facility records updated.
2026-05-10
Accepted
CMS QPP · Score recalculation
PY2023 individual clinician scores updated following CMS correction bulletin.