TRUST CENTER · COMPLIANCE & CERTIFICATIONS

What we hold today — and what we don't.

Fonteum does not currently hold SOC 2 (Type 1 or Type 2), HIPAA, or ISO 27001, and displays no badge it does not hold. The hosting and data tiers run on SOC 2 Type 2 attested infrastructure (Vercel, Supabase). For procurement that requires a specific attestation, contact security@fonteum.com.

How we substitute for a certification you can't yet rely on

  1. Attested infrastructure — hosting (Vercel) and the managed database (Supabase) both carry their own SOC 2 Type 2 reports.
  2. No PHI in scope — Fonteum processes only public CMS / OIG data, so the HIPAA and PHI-handling control surface does not apply.
  3. Radical transparency — row-level provenance on every record and a public corrections log stand in for an attestation Fonteum does not yet hold.

Certification status

SOC 2 Type 1: NOT HELD

Fonteum does not currently hold a SOC 2 Type 1 attestation and displays no badge it does not hold. The hosting and data tiers run on SOC 2 Type 2 attested infrastructure (Vercel, Supabase). For procurement requiring a specific attestation, contact security@fonteum.com.

SOC 2 Type 2: NOT HELD

Fonteum does not currently hold a SOC 2 Type 2 attestation. The upstream hosting and managed-database vendors carry their own SOC 2 Type 2 reports.

HITRUST: NOT HELD

Fonteum does not currently hold a HITRUST certification. r2 (Risk-based, 2-year) is reserved for organizations handling PHI at scale; Fonteum's no-PHI architecture (see HIPAA section below) keeps it out of scope.

HIPAA: N/A · NO-PHI ATTESTATION

No-PHI attestation. Fonteum processes only public CMS data, OIG LEIE records, and de-identified provider organizational data. We do not process patient identifiers, claims data, or any Protected Health Information. HIPAA covered-entity / business-associate status is not applicable to our processing scope.

BAA (Business Associate Agreement)

BAA template available on request. Because Fonteum processes no PHI, BAA execution is typically not required for data ingestion under HIPAA — the regulatory trigger is the handling of protected health information, which our processing scope excludes. The template exists as a procurement formality for partners whose internal compliance review requires a signed BAA regardless of processing scope; the no-PHI processing clause is front-and-center in our standard template.

Request the template: security@fonteum.com with the subject "BAA template request".

Vulnerability disclosure

Security researchers: please report vulnerabilities to security@fonteum.com. Our public security contact is also published at /.well-known/security.txt per RFC 9116.

  • Acknowledgment: within 2 business days of receipt.
  • Triage: initial severity assessment within 5 business days.
  • Resolution: P0 issues patched within 7 days; P1 within 30 days; lower severity per published roadmap.
  • Disclosure: coordinated disclosure preferred. Researchers credited on /trust#security-acknowledgments with permission.

Breach notification

If a confirmed unauthorized access to user data occurs, we notify affected parties within 24 hours of confirmation and post a public statement on /corrections-log. The notification names: scope of access, affected data classes, time window, and remediation steps. We have not had a breach to date; the policy exists so the threshold is documented, not tested.

Related Trust Center pages

  • /trust — Trust Center hub
  • /trust/data-provenance — Per-source license + redistribution posture
  • /trust/portability — Architecture + RTO/RPO + acquirer takeover path
  • /docs/integrations — REST + Delta Sharing + Snowflake + S3 roadmap
  • /research/real-act-compliance — Real ACT Compliance
  • /research/nsa-compliance — NSA Compliance

Built on the authoritative federal record

The primary sources, named on every page.

These are the federal agencies whose public datasets Fonteum ingests and attributes — the issuing authorities, not customers or partners. Every figure on the site links back to one of them.

  • CMS
  • HHS-OIG
  • HRSA
  • FDA
  • NLM
  • NUCC
  • Census
  • BLS
  • BEA

See the full source registry, with license and refresh cadence for each →

Reproducible by design

Every figure traces to its federal source.

14-tuple provenance

Every rendered fact ties to a source URL, dataset ID, snapshot date, row key, and SHA-256 — the full chain-of-custody record.

Reproducible SQL

Each study ships the exact query behind its figures, run against the cited federal snapshot. Re-run it yourself.

Daily count checks

Published counts are checked against the upstream federal datasets on a daily cadence, with drift logged.

Named medical review

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

Read the full provenance and attestation methodology →

Two doors

Use the free API and open data

Query providers, facilities, sanctions, and quality scores — each field carrying its federal source. Self-serve, no call to start.


Talk to us

Managed pilots, enterprise terms, and audit-ready, signed attestation packages for compliance, risk, and research teams.


© 2026 Fonteum LLC. All rights reserved.

hello@fonteum.com

The U.S. healthcare graph AI can cite — every fact carries its source.

Every fact Fonteum serves carries a signed, re-checkable trust mark: source, as-of date, and an Ed25519 signature travel with the data. Re-check any fact at fonteum.com/verify. The trust-mark standard is W3C Verifiable Credentials 2.0, C2PA-aligned.

The substrate, by the numbers

  • 9.2M graph entities: Providers, organizations, owners, and facilities
  • 15.7M linked identifiers: NPIs, CCNs, LEIs and more, resolved to entities
  • 5M graph edges: Source-attested relationships between entities
  • 44 federal source families: Distinct CMS, OIG, HRSA, FDA and peer datasets
  • 35 dataset pages: Citable, downloadable /data catalog pages
  • 70 reproducible studies: Each shipping the SQL behind its figures