SECURITY POSTURE

Public-records-only data. The simplest threat surface in the category.

Fonteum handles only public provider records sourced from federal and state regulatory registries. No protected health information. No personally identifiable consumer data. No payment data. The data scope is the security posture.

DATA SCOPE

What's in the dataset, and what isn't

Fonteum's dataset comprises only public regulatory-registry records: provider names, business addresses, license numbers, classification codes, NPI numbers, snapshot dates, and the source URLs they came from. These are records every American can already pull from CMS, state licensing boards, or HRSA; we aggregate and normalize them and attach provenance.

Not in the dataset, by design:

  • No protected health information (PHI). We do not handle patient-level data of any kind.
  • No personally identifiable consumer information (PII). We do not collect or display consumer profiles.
  • No payment card data. Fonteum does not currently take card payments.
  • No email addresses on contractor records (CSLB and several state boards omit these by statute; we mirror that omission).

A customer integrating Fonteum data into a patient-facing product still has their own PHI/PII risk surface — but the Fonteum-supplied portion of that surface is zero. A BAA is not required because the data scope does not include protected health information.

INFRASTRUCTURE

Hosting + encryption + access

  • Hosting: Vercel (web tier), Supabase Postgres (data tier). Both are SOC 2 Type 2 attested vendors. Fonteum itself does not currently hold a SOC 2 attestation.
  • Encryption in transit: TLS 1.2+ enforced on every public endpoint via Vercel.
  • Encryption at rest: Provided by Supabase Postgres (AES-256) and Vercel infrastructure storage.
  • Access controls: Production database access limited to the operator account; service-role keys stored as Vercel environment variables, not in source.
  • Audit: Supabase row-level audit logs available; Vercel deployment logs retained per Vercel's standard retention.

PROVENANCE AS A SECURITY FEATURE

Tamper-evident by construction

Every displayable field on every Fonteum record carries an explicit source URL, snapshot date, and confidence score. Customers integrating our data can trace any individual datum back to the public registry it came from and confirm the value matches.

This isn't just an editorial choice; it's a security property. Silent tampering with any field is detectable by re-pulling the value from its source URL and comparing. There is no "Fonteum-proprietary" data layer that lacks a public counterpart.

See /data-provenance for the full provenance contract.

VULNERABILITY REPORTING

How to report a finding

If you find a security issue affecting Fonteum infrastructure or data, email security@fonteum.com. We acknowledge reports within 2 business days and will keep you informed through resolution.

Good-faith security research is welcome. Please do not run automated scans that meaningfully degrade service for other users; please do not access any data beyond what's necessary to demonstrate the issue.

ROADMAP — STATED HONESTLY

Where we're not yet attested

Fonteum does not currently hold formal security attestations (SOC 2 Type 1 or Type 2, HIPAA, ISO 27001). For prospects whose procurement process requires a specific attestation, contact sales@fonteum.com to discuss the current roadmap and timeline.

We do not list speculative attestation dates on this page. If a date appears here in the future, the operator has confirmed an audit is in flight with a named auditor.

SEE ALSO
  • SLA
  • Refresh cadence
  • Data provenance
  • Pricing
  • Terms

Built on the authoritative federal record

The primary sources, named on every page.

These are the federal agencies whose public datasets Fonteum ingests and attributes — the issuing authorities, not customers or partners. Every figure on the site links back to one of them.

  • CMS
  • HHS-OIG
  • HRSA
  • FDA
  • NLM
  • NUCC
  • Census
  • BLS
  • BEA

See the full source registry, with license and refresh cadence for each →

Reproducible by design

Every figure traces to its federal source.

14-tuple provenance

Every rendered fact ties to a source URL, dataset ID, snapshot date, row key, and SHA-256 — the full chain-of-custody record.
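
An added example (not Fonteum's code or API) of the check described above: recompute the SHA-256 of a served row, then diff the row against a fresh pull from its source URL. The field names, the JSON canonicalization, and what the SHA-256 covers are assumptions; the page does not specify them.

```python
import hashlib
import json

def row_digest(row: dict) -> str:
    # Assumed canonical form: UTF-8 JSON with sorted keys and no padding.
    blob = json.dumps(row, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def verify_record(served: dict, provenance: dict, repulled: dict):
    """Compare a served row with its recorded hash and a fresh registry pull.

    Returns (status, changed_fields). The recorded hash and the served row
    come from the same supplier, so the hash alone shows only internal
    consistency; the independent re-pull is what exposes a changed value.
    """
    if row_digest(served) != provenance["sha256"]:
        return "hash_mismatch", []
    changed = sorted(k for k in served.keys() | repulled.keys()
                     if served.get(k) != repulled.get(k))
    if changed:
        # Either the registry changed after snapshot_date or the served
        # value was altered; both need a look at the source of record.
        return "differs_from_source", changed
    return "ok", []

# Constructed sample data (not real registry values).
SOURCE_ROW = {"name": "Example Clinic", "license_number": "LIC-0000",
              "npi": "0000000000", "address": "1 Example St"}
PROVENANCE = {"source_url": "https://registry.example/rows/ROW-1",
              "dataset_id": "example-dataset", "snapshot_date": "2026-01-01",
              "row_key": "ROW-1", "sha256": row_digest(SOURCE_ROW)}

def demo():
    clean = verify_record(dict(SOURCE_ROW), PROVENANCE, SOURCE_ROW)
    # Served value edited after hashing: caught by the recorded SHA-256.
    edited = dict(SOURCE_ROW, license_number="LIC-9999")
    stale_hash = verify_record(edited, PROVENANCE, SOURCE_ROW)
    # Value and hash rewritten together: only the re-pull catches it.
    rehashed = dict(PROVENANCE, sha256=row_digest(edited))
    consistent_but_wrong = verify_record(edited, rehashed, SOURCE_ROW)
    return clean, stale_hash, consistent_but_wrong

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In practice `repulled` would be fetched from `source_url` by the integrator, outside the supplier's control.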

Reproducible SQL

Each study ships the exact query behind its figures, run against the cited federal snapshot. Re-run it yourself.

Daily reconciliation

Published counts are reconciled against the upstream federal datasets on a daily cadence, with drift logged.

Named medical review

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

Read the full provenance and attestation methodology →

Two doors

Use the free API and open data

Query providers, facilities, sanctions, and quality scores — each field carrying its federal source. Self-serve, no call to start.


Talk to us

Managed pilots, enterprise terms, and audit-ready, signed attestation packages for compliance, risk, and research teams.

© 2026 Fonteum LLC. All rights reserved.

The U.S. healthcare graph AI can cite — every fact carries its source.


The substrate, by the numbers

  • 9.2M graph entities: Providers, organizations, owners, and facilities
  • 12.5M linked identifiers: NPIs, CCNs, LEIs and more, resolved to entities
  • 4.7M graph edges: Source-attested relationships between entities
  • 44 federal source families: Distinct CMS, OIG, HRSA, FDA and peer datasets
  • 33 dataset pages: Citable, downloadable /data catalog pages
  • 49 reproducible studies: Each shipping the SQL behind its figures