In-progress with named dates, not aspirational badges.
What Fonteum holds today, what is in active engagement, and what is on the 2027 roadmap. No claimed certifications we don't hold; every in-progress engagement names the target date and the artifact that will land here on completion.
Certification status
Engagement underway with a major SOC 2 platform vendor (final selection between Vanta and Drata pending — to be named here on signed engagement). Type 1 attestation scoped to security trust principle. Target completion: Q3 2026.
6-month observation period begins immediately after Type 1. Expanded scope to include availability + confidentiality. Type 2 report available to enterprise procurement teams under NDA on completion.
i1 (Implemented, 1-year) is the appropriate scope for a public-data platform with no PHI processing. r2 (Risk-based, 2-year) is reserved for organizations handling PHI at scale; Fonteum's no-PHI architecture (see HIPAA section below) makes r2 out of scope.
No-PHI attestation. Fonteum processes only public CMS data, OIG LEIE records, and de-identified provider organizational data. We do not process patient identifiers, claims data, or any Protected Health Information. HIPAA covered-entity / business-associate status is not applicable to our processing scope.
BAA (Business Associate Agreement)
BAA template available on request. Because Fonteum processes no PHI, BAA execution is typically not required for data ingestion under HIPAA — the regulatory trigger is the handling of protected health information, which our processing scope excludes. The template exists as a procurement formality for partners whose internal compliance review requires a signed BAA regardless of processing scope; the no-PHI processing clause is front-and-center in our standard template.
Request the template: security@fonteum.comwith the subject "BAA template request".
Vulnerability disclosure
Security researchers: please report vulnerabilities to security@fonteum.com. Our public security contact is also published at /.well-known/security.txt per RFC 9116.
- Acknowledgment: within 2 business days of receipt.
- Triage: initial severity assessment within 5 business days.
- Resolution: P0 issues patched within 7 days; P1 within 30 days; lower severity per published roadmap.
- Disclosure: coordinated disclosure preferred. Researchers credited on /trust#security-acknowledgments with permission.
Breach notification
If a confirmed unauthorized access to user data occurs, we notify affected parties within 24 hours of confirmation and post a public statement on /corrections-log. The notification names: scope of access, affected data classes, time window, and remediation steps. We have not had a breach to date; the policy exists so the threshold is documented, not tested.
Compliance posture
We don’t sell ranking and don’t accept payment to move a provider up the list. For final hire decisions, verify licensing, insurance, and references directly with the applicable licensing or credentialing body.
No bulk-licensing source family is currently ingested for this vertical. Hire-time checking still routes through the body named above.