Today's snapshot: 113,537 providers tracked
DATA · MAY 8, 2026
SECURITY POSTURE

Public-records-only data. The simplest threat surface in the category.

Fonteum handles only public provider records sourced from federal and state regulatory registries. No protected health information. No personally identifiable consumer data. No payment data. The data scope is the security posture.

DATA SCOPE

What's in the dataset, and what isn't

Fonteum's dataset comprises only public regulatory-registry records: provider names, business addresses, license numbers, classification codes, NPI numbers, snapshot dates, and the source URLs they came from. These are records every American can already pull from CMS, state licensing boards, or HRSA — we aggregate and normalize them, and attach provenance to each one.

Not in the dataset, by design:

  • No protected health information (PHI). We do not handle patient-level data of any kind.
  • No personally identifiable consumer information (PII). We do not collect or display consumer profiles.
  • No payment card data. Fonteum does not currently take card payments.
  • No email addresses on contractor records (CSLB and several state boards omit these by statute; we mirror that omission).

A customer integrating Fonteum data into a patient-facing product still has their own PHI/PII risk surface — but the Fonteum-supplied portion of that surface is zero. A BAA is not required because the data scope does not include protected health information.

INFRASTRUCTURE

Hosting + encryption + access

  • Hosting: Vercel (web tier), Supabase Postgres (data tier). Both are SOC 2 Type 2 attested vendors. Fonteum itself does not currently hold a SOC 2 attestation.
  • Encryption in transit: TLS 1.2+ enforced on every public endpoint via Vercel.
  • Encryption at rest: Provided by Supabase Postgres (AES-256) and Vercel infrastructure storage.
  • Access controls: Production database access limited to the operator account; service-role keys stored as Vercel environment variables, not in source.
  • Audit: Supabase row-level audit logs available; Vercel deployment logs retained per Vercel's standard retention.

PROVENANCE AS A SECURITY FEATURE

Tamper-evident by construction

Every displayable field on every Fonteum record carries an explicit source URL, snapshot date, and confidence score. Customers integrating our data can trace any individual datum back to the public registry it came from and confirm the value matches.

This isn't just an editorial choice — it's a security property. Silent tampering with any field would be detectable by re-pulling from the source URL and comparing. There is no "Fonteum-proprietary" data layer that lacks a public counterpart.

See /data-provenance for the full provenance contract.
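
The re-pull-and-compare check described above, as an added example (not Fonteum's code or API). The record layout, the status names, and the `fetch_source` callable are assumptions, and the registry data is constructed so the check runs offline.

```python
REQUIRED = ("value", "source_url", "snapshot_date", "confidence")

def normalize(value):
    # Ignore case and whitespace so formatting differences are not flagged.
    return " ".join(str(value).split()).casefold()

def verify_record(record, fetch_source):
    """Return {field: status}. fetch_source(url) -> {field: value} as the
    registry publishes it now; it raises LookupError when unreachable."""
    results, cache = {}, {}
    for field, meta in record.items():
        if any(meta.get(key) in (None, "") for key in REQUIRED):
            results[field] = "no_provenance"  # cannot be checked independently
            continue
        url = meta["source_url"]
        if url not in cache:
            try:
                cache[url] = fetch_source(url)
            except LookupError:
                cache[url] = None
        source = cache[url]
        if source is None:
            results[field] = "source_unavailable"
        elif field not in source:
            results[field] = "absent_at_source"
        elif normalize(source[field]) == normalize(meta["value"]):
            results[field] = "match"
        else:
            # Stored value altered, or registry changed after snapshot_date.
            results[field] = "mismatch"
    return results

# Constructed data: placeholder URLs and values, not real registry content.
GOOD = "https://registry.example/provider/1"
REGISTRY = {GOOD: {"name": "Example Clinic LLC", "license_number": "A-1000"}}

def fake_fetch(url):
    if url not in REGISTRY:
        raise LookupError(url)
    return REGISTRY[url]

def field(value, url):
    return {"value": value, "source_url": url,
            "snapshot_date": "2026-05-08", "confidence": 0.9}

SAMPLE = {"name": field("example  clinic llc", GOOD),
          "license_number": field("A-1009", GOOD),
          "address": field("1 Main St", ""),
          "npi": field("0000000000", "https://registry.example/down")}
```

Calling `verify_record(SAMPLE, fake_fetch)` reports one status per field; anything other than `match` means the field could not be confirmed against its source and needs review.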

VULNERABILITY REPORTING

How to report a finding

If you find a security issue affecting Fonteum infrastructure or data, email security@fonteum.com. We acknowledge reports within 2 business days and will keep you informed through resolution.

Good-faith security research is welcome. Please do not run automated scans that meaningfully degrade service for other users; please do not access any data beyond what's necessary to demonstrate the issue.

ROADMAP — STATED HONESTLY

Where we're not yet attested

Fonteum does not currently hold formal security attestations (SOC 2 Type 1 or Type 2, HIPAA, ISO 27001). For prospects whose procurement process requires a specific attestation, contact sales@fonteum.com to discuss the current roadmap and timeline.

We do not list speculative attestation dates on this page. If a date appears here in the future, the operator has confirmed an audit is in flight with a named auditor.


Compliance posture

We don’t sell ranking and don’t accept payment to move a provider up the list. For final hire decisions, verify licensing, insurance, and references directly with the applicable licensing or credentialing body.

No bulk-licensing source family is currently ingested for this vertical. Hire-time checking still routes through the body named above.
