Skip to content
FonteumThe Graph
DataResearchCare CompareThe DifferAttestAPI
See the proof
  • Data
  • Research
  • Care Compare
  • The Differ
  • Attest
  • API
See the proof
TRUST CENTER · COMPLIANCE & CERTIFICATIONS

In-progress with named dates, not aspirational badges.

What Fonteum holds today, what is in active engagement, and what is on the 2027 roadmap. No claimed certifications we don't hold; every in-progress engagement names the target date and the artifact that will land here on completion.

Timeline

  1. Q3 2026 — SOC 2 Type 1 attestation (security trust principle).
  2. 6-month observation period — begins immediately after Type 1. Controls must operate over this window before Type 2 can attest; it cannot be parallelized with Type 1.
  3. Q1 2027 — SOC 2 Type 2 report (adds availability + confidentiality).
  4. 2027 — HITRUST i1 evaluation.

Certification status

SOC 2 Type 1IN PROGRESS · September 30, 2026

Engagement underway with a major SOC 2 platform vendor (final selection between Vanta and Drata pending — to be named here on signed engagement). Type 1 attestation scoped to security trust principle. Target completion: Q3 2026.

SOC 2 Type 2PLANNED · Q1 2027

6-month observation period begins immediately after Type 1. Expanded scope to include availability + confidentiality. Type 2 report available to enterprise procurement teams under NDA on completion.

HITRUST i1PLANNED · 2027 evaluation

i1 (Implemented, 1-year) is the appropriate scope for a public-data platform with no PHI processing. r2 (Risk-based, 2-year) is reserved for organizations handling PHI at scale; Fonteum's no-PHI architecture (see HIPAA section below) makes r2 out of scope.

HIPAAN/A · NO-PHI ATTESTATION

No-PHI attestation. Fonteum processes only public CMS data, OIG LEIE records, and de-identified provider organizational data. We do not process patient identifiers, claims data, or any Protected Health Information. HIPAA covered-entity / business-associate status is not applicable to our processing scope.

BAA (Business Associate Agreement)

BAA template available on request. Because Fonteum processes no PHI, BAA execution is typically not required for data ingestion under HIPAA — the regulatory trigger is the handling of protected health information, which our processing scope excludes. The template exists as a procurement formality for partners whose internal compliance review requires a signed BAA regardless of processing scope; the no-PHI processing clause is front-and-center in our standard template.

Request the template: security@fonteum.comwith the subject "BAA template request".

Vulnerability disclosure

Security researchers: please report vulnerabilities to security@fonteum.com. Our public security contact is also published at /.well-known/security.txt per RFC 9116.

  • Acknowledgment: within 2 business days of receipt.
  • Triage: initial severity assessment within 5 business days.
  • Resolution: P0 issues patched within 7 days; P1 within 30 days; lower severity per published roadmap.
  • Disclosure: coordinated disclosure preferred. Researchers credited on /trust#security-acknowledgments with permission.

Breach notification

If a confirmed unauthorized access to user data occurs, we notify affected parties within 24 hours of confirmation and post a public statement on /corrections-log. The notification names: scope of access, affected data classes, time window, and remediation steps. We have not had a breach to date; the policy exists so the threshold is documented, not tested.

Related Trust Center pages

  • · /trust — Trust Center hub
  • · /trust/data-provenance — Per-source license + redistribution posture
  • · /trust/portability — Architecture + RTO/RPO + acquirer takeover path
  • · /integrations — REST + Delta Sharing + Snowflake + S3 roadmap
  • · /research/real-act-compliance — Real ACT Compliance
  • · /research/nsa-compliance — NSA Compliance

Built on the authoritative federal record

The primary sources, named on every page.

These are the federal agencies whose public datasets Fonteum ingests and attributes — the issuing authorities, not customers or partners. Every figure on the site links back to one of them.

  • CMS
  • HHS-OIG
  • HRSA
  • FDA
  • NLM
  • NUCC
  • Census
  • BLS
  • BEA

See the full source registry, with license and refresh cadence for each →

Reproducible by design

Every figure traces to its federal source.

14-tuple provenance

Every rendered fact ties to a source URL, dataset ID, snapshot date, row key, and SHA-256 — the full chain-of-custody record.

Reproducible SQL

Each study ships the exact query behind its figures, run against the cited federal snapshot. Re-run it yourself.

Daily reconciliation

Published counts are reconciled against the upstream federal datasets on a daily cadence, with drift logged.

Named medical review

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

Read the full provenance and attestation methodology →

Two doors

Use the free API and open data

Query providers, facilities, sanctions, and quality scores — each field carrying its federal source. Self-serve, no call to start.

Explore the API →Browse the data catalog →

Talk to us

Managed pilots, enterprise terms, and audit-ready, signed attestation packages for compliance, risk, and research teams.

Talk to us →
Fonteum
Products
The DifferAttestAPIFHIR API
Data
Care CompareResearchData catalogSources
Company
Why FonteumAboutPressEditorial policyCorrections
Legal
Privacy policyTerms of serviceMedical disclaimer

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

© 2026 Fonteum LLC. All rights reserved.

The U.S. healthcare graph AI can cite — every fact carries its source.

Request access→

The substrate, by the numbers

44federal source familiesDistinct CMS, OIG, HRSA, FDA and peer datasets
35dataset pagesCitable, downloadable /data catalog pages
61reproducible studiesEach shipping the SQL behind its figures