Skip to content
FonteumThe Graph

The capability layer

APIREST + bulk accessMCP serverCallable by AI agentsFHIR R4 APIBulk exportAttestation & audit packReconciliationSource-vs-source diffsEntity graphSnapshotsPoint-in-time, bitemporal

By use case

Exclusion & sanctions screeningCredentialing & provider-data enrichmentAudit evidence & defensible programsProvider data for AI / RAGM&A & network diligence

By buyer

Compliance & riskDevelopers & AI teams

The differentiator

Coverage & sourcesThe catalogFreshnessMethodologyCare CompareFacility qualityBrowse all datasets →
Research

The dev on-ramp

DocsAPI referenceMCPQuickstartStatusChangelogSDKs & integrations
Pricing
Sign inTry the FHIR sandbox →Request access →

Platform

APIMCP serverFHIR R4 APIBulk exportAttestation & audit packReconciliationEntity graphSnapshots

Solutions

Exclusion & sanctions screeningCredentialing & provider-data enrichmentAudit evidence & defensible programsProvider data for AI / RAGM&A & network diligenceCompliance & riskDevelopers & AI teams

Data

Coverage & sourcesFreshnessMethodologyCare CompareBrowse all datasets →
Research

Developers

DocsAPI referenceMCPQuickstartStatusChangelogSDKs & integrations
Pricing
Sign inTry the FHIR sandbox →Request access →
TRUST CENTER · COMPLIANCE & CERTIFICATIONS

What we hold today — and what we don't.

Fonteum does not currently hold SOC 2 (Type 1 or Type 2), HIPAA, or ISO 27001, and displays no badge it does not hold. The hosting and data tiers run on SOC 2 Type 2 attested infrastructure (Vercel, Supabase). For procurement that requires a specific attestation, contact security@fonteum.com.

How we substitute for a certification you can't yet rely on

  1. Attested infrastructure — hosting (Vercel) and the managed database (Supabase) both carry their own SOC 2 Type 2 reports.
  2. No PHI in scope — Fonteum processes only public CMS / OIG data, so the HIPAA and PHI-handling control surface does not apply.
  3. Radical transparency — row-level provenance on every record and a public corrections log stand in for an attestation Fonteum does not yet hold.

Certification status

SOC 2 Type 1NOT HELD

Fonteum does not currently hold a SOC 2 Type 1 attestation and displays no badge it does not hold. The hosting and data tiers run on SOC 2 Type 2 attested infrastructure (Vercel, Supabase). For procurement requiring a specific attestation, contact security@fonteum.com.

SOC 2 Type 2NOT HELD

Fonteum does not currently hold a SOC 2 Type 2 attestation. The upstream hosting and managed-database vendors carry their own SOC 2 Type 2 reports.

HITRUSTNOT HELD

Fonteum does not currently hold a HITRUST certification. r2 (Risk-based, 2-year) is reserved for organizations handling PHI at scale; Fonteum's no-PHI architecture (see HIPAA section below) keeps it out of scope.

HIPAAN/A · NO-PHI ATTESTATION

No-PHI attestation. Fonteum processes only public CMS data, OIG LEIE records, and de-identified provider organizational data. We do not process patient identifiers, claims data, or any Protected Health Information. HIPAA covered-entity / business-associate status is not applicable to our processing scope.

BAA (Business Associate Agreement)

BAA template available on request. Because Fonteum processes no PHI, BAA execution is typically not required for data ingestion under HIPAA — the regulatory trigger is the handling of protected health information, which our processing scope excludes. The template exists as a procurement formality for partners whose internal compliance review requires a signed BAA regardless of processing scope; the no-PHI processing clause is front-and-center in our standard template.

Request the template: security@fonteum.comwith the subject "BAA template request".

Vulnerability disclosure

Security researchers: please report vulnerabilities to security@fonteum.com. Our public security contact is also published at /.well-known/security.txt per RFC 9116.

  • Acknowledgment: within 2 business days of receipt.
  • Triage: initial severity assessment within 5 business days.
  • Resolution: P0 issues patched within 7 days; P1 within 30 days; lower severity per published roadmap.
  • Disclosure: coordinated disclosure preferred. Researchers credited on /trust#security-acknowledgments with permission.

Breach notification

If a confirmed unauthorized access to user data occurs, we notify affected parties within 24 hours of confirmation and post a public statement on /corrections-log. The notification names: scope of access, affected data classes, time window, and remediation steps. We have not had a breach to date; the policy exists so the threshold is documented, not tested.

Related Trust Center pages

  • · /trust — Trust Center hub
  • · /trust/data-provenance — Per-source license + redistribution posture
  • · /trust/portability — Architecture + RTO/RPO + acquirer takeover path
  • · /docs/integrations — REST + Delta Sharing + Snowflake + S3 roadmap
  • · /research/real-act-compliance — Real ACT Compliance
  • · /research/nsa-compliance — NSA Compliance

Built on the authoritative federal record

The primary sources, named on every page.

These are the federal agencies whose public datasets Fonteum ingests and attributes — the issuing authorities, not customers or partners. Every figure on the site links back to one of them.

  • CMS
  • HHS-OIG
  • HRSA
  • FDA
  • NLM
  • NUCC
  • Census
  • BLS
  • BEA

See the full source registry, with license and refresh cadence for each →

Reproducible by design

Every figure traces to its federal source.

14-tuple provenance

Every rendered fact ties to a source URL, dataset ID, snapshot date, row key, and SHA-256 — the full chain-of-custody record.

Reproducible SQL

Each study ships the exact query behind its figures, run against the cited federal snapshot. Re-run it yourself.

Daily reconciliation

Published counts are reconciled against the upstream federal datasets on a daily cadence, with drift logged.

Named medical review

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

Read the full provenance and attestation methodology →

Two doors

Use the free API and open data

Query providers, facilities, sanctions, and quality scores — each field carrying its federal source. Self-serve, no call to start.

Explore the API →Browse the data catalog →

Talk to us

Managed pilots, enterprise terms, and audit-ready, signed attestation packages for compliance, risk, and research teams.

Talk to us →
Fonteum
Platform
Platform overviewAPIMCP serverFHIR R4 APIBulk exportAttestation & audit packReconciliationEntity graphSnapshots
Solutions
All solutionsExclusion & sanctions screeningCredentialing & enrichmentAudit evidenceProvider data for AI / RAGM&A & network diligenceCompliance & riskDevelopers & AI teams
Data & sources
Coverage & sourcesBrowse all datasetsState Medicaid exclusionsFreshnessMethodologyCare CompareSanctionsOwnershipStaffingDeficienciesSpecial Focus Facilities
Developers
Developer hubDocsAPI referenceQuickstartStatusChangelogSDKs & integrationsWebhooks
Research
Research hubHospital margin gapProvider access gapsGlossaryComparisonsCitationsWhy Fonteum
Company
AboutPressCustomersPricingContactEditorial policyCorrections
Trust & legal
TrustQualitySecurityPrivacy policyTerms of serviceMedical disclaimer

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

© 2026 Fonteum LLC. All rights reserved.

·hello@fonteum.com

The U.S. healthcare graph AI can cite — every fact carries its source.

Request access→

The substrate, by the numbers

44federal source familiesDistinct CMS, OIG, HRSA, FDA and peer datasets
35dataset pagesCitable, downloadable /data catalog pages
13reproducible studiesEach shipping the SQL behind its figures