DILIGENCE KIT
Diligence bundle. One PDF.
SOC 2 Type 1 in progress, BAA template, data provenance map, license grants, freshness SLA, and incident policy in one downloadable PDF.
v2026.05 · 17+ federal source families · Delaware C-corp
Included · Not yet included
SOC 2 in progress beats SOC 2 implied. This table is honest. Procurement teams respect transparency.
| Status | Item | Note |
|---|---|---|
| ✅ | Delaware C-corp registration | Fonteum, Inc. — incorporated December 2024. |
| ✅ | 13 federal datasets ingested + 4 source families for context | 17+ federal source families (CMS, HHS-OIG, HRSA, BLS, BEA, Census). 2,703,357 ingested rows. Row-level provenance on every field. |
| ✅ | Daily refresh + published SLA | Per-dataset SLA at /freshness. Methodology version on every record. |
| ✅ | Row-level provenance on every record | Source, snapshot date, methodology version, confidence tier — survives export. |
| ✅ | BAA template available | Template in this pack. Fonteum processes no PHI; BAA is a procurement formality. |
| ✅ | FHIR R4 API (Practitioner, Organization, Location, Coverage, HealthcareService) | US Core 6.1.0. SMART on FHIR auth. p99 under 300ms on single-record lookups. |
| 🟡 | SOC 2 Type 1 — in progress | SOC 2 Type 1 in progress. Expected completion Q3 2026. No badge displayed until attested. |
| 🟡 | SOC 2 Type 2 — observation period | Planned Q1 2027 after Type 1 observation period. |
| ❌ | HITRUST certification | Not pursued. SOC 2 Type 1 in progress with federal-data-only scope covers procurement requirements. |
| ❌ | FedRAMP authorization | Out of scope for current procurement tier. |
Inside the pack
Corporate
- —Delaware C-corporation — incorporated December 2024.
- —Legal name: Fonteum, Inc.
- —Registered agent: on file with Delaware Division of Corporations.
- —EIN: available to contracted customers under NDA.
Security
- —SOC 2 Type 1 — engagement underway, expected Q3 2026.
- —Infrastructure: Vercel (US-East) + Supabase managed Postgres.
- —Encryption in transit: TLS 1.2+. At rest: AES-256.
- —Access controls: row-level security on all public tables. Service-role keys never exposed to browser.
- —Vulnerability disclosure: security@fonteum.com · /.well-known/security.txt (RFC 9116).
Data
- —13 ingested datasets. 17+ federal source families. 2,703,357 rows.
- —License grant: CMS data is U.S. Government Works (public domain). HHS-OIG LEIE is publicly distributed federal data.
- —No claims data, no EHR data, no commercial data, no consumer PII.
- —Per-field provenance: source, snapshot date, methodology version, confidence tier.
- —Provenance schema documented at /methodology.
Operations
- —Freshness SLA: within 24h (daily datasets), 48h (quarterly/annual).
- —Incident notification: 72h from confirmed breach, plus public corrections-log entry.
- —Corrections log: /corrections-log — public record of every data correction.
- —Response-time commitment: P0 (service-down) within 2h. P1 (data-quality) within 24h.
Legal
- —BAA template: included in this pack. Fonteum processes no PHI.
- —AI training license: federal public-record data is public domain. No restriction on downstream model training.
- —Terms of use: /terms. Data use for research, analytics, and commercial applications is permitted with attribution.
- —GDPR position: DSAR requests honored within 30 days. We do not sell personal data.
Fonteum Audit Pack v2026.05 · 2026-05-25 17+ federal source families 2,703,357 rows with provenance SOC 2: in progress (Q3 2026 target) BAA template: included License: US Government Works
Pilot and contracted customers
Customer-scoped packs on request.
Pilot, standard, and enterprise customers receive audit packs scoped to their contracted dataset list and delivery cadence. Methodology version is pinned to the snapshot they received. Rollback to a prior version is documented in the change history.
API export endpoint
Bulk export for contracted customers.
Contracted pilots get programmatic access via /api/v1/audit-pack/export. The endpoint returns NDJSON, JSON, or CSV. Source inventory is drawn from the SPRINT1_EXPORT_SOURCES registry (17+ federal source families, row-level provenance on every field).
# Sample request
curl -H "Authorization: Bearer fnt_<your_key>" \
"https://fonteum.com/api/v1/audit-pack/export?format=ndjson"
Row-level provenance fields travel with every exported record: source, snapshot date, methodology version, confidence tier. Export keys are issued at pilot onboarding. Contact pilot@fonteum.com to request a key.