Privacy matters, especially in healthcare

It all starts with security and compliance. Our guiding principles are transparency, due diligence, and accuracy.

marketing professional in healthcare on their computer
Decorative line
marketing professional on their computer
smiling marketing profesisonal meeting SSAE-16 SOC 2 standardsDecorative line


Fertu obtains independent verification of our security, privacy, and compliance controls.

This is done via an independent third-party auditor who regularly examines our governance program, virtual infrastructure, and operations to certify compliance with the SSAE-16 SOC 2 standards.


The privacy and security of consumer’s protected health information is protected by HIPAA. Consumer’s protected health information is safe with Fertu.

For more information regarding Fertu’s HIPAA compliance and how to sign a Business Associate Agreement (BAA), please reach out to a member of our team.

marketing porfesdsional meeting HIPAA requirements
Decorative line
marketing professional with data privacyDecorative line


The data that our customers provide to Fertu, belongs to our customers.

We do not scan customer data for advertisements nor sell or share with third parties.

When customers terminate their relationship with Fertu, we delete the data from our systems.


Fertu has a no tolerance spam policy. Spam means unsolicited communication to persons with whom our customers do not have a business relationship or who have not specifically requested (opted-in to) our customers’ mailings.

To use our Services, you must agree to send only permission-based email. This means no use of purchased lists.

marketing professional with anti spam policy
Decorative line
marketing team practicing due diligence and appropriate action


  • Secure Development Lifecycle: Automated linting, unit and integration testing, static analysis, and known vulnerable dependency scanning are performed against every commit.
  • Application Level Hashing/Encryption: Passwords are stored in secret managers and sensitive columns are stored with application level encryption.
  • Strict-Transport-Security: Browsers are not capable of making plaintext requests to Fertu domains.
  • Data Encryption: 100% of data is encrypted in transit and at rest.
  • Infrastructure as Code: All our infrastructure is managed as code and goes through code review.
  • Least Privilege: All IAM policies, credentials, permissions, and roles are scoped down to the minimum necessary permissions.
  • Network Segregation: Production, Sandbox and Staging accounts all live within their own separate accounts and are constrained through VPCs.
  • Hardened Hosts: Unused services/ports are removed, and containers are built off a minimal Alpine image running as a non-root user. Only a well-controlled set of hosts accept ingress traffic.
  • HIPAA: Sign a Business Associates Agreement with us for even stronger data controls.
  • Privacy: Learn more about our privacy program and compliance by visiting our Privacy page.
  • 3rd Party Audits: Fertu undergoes a SOC 2 audit by third-party assessors.
  • Penetration Tests: Fertu engages 3rd party firms to conduct penetration tests annually.
  • Vendor & Print Partner Evaluation: Fertu evaluates and monitors the security of our subprocessors and requires them to maintain a security posture at least as strong as our own.
  • Endpoint Monitoring and Management: We deploy industry leading endpoint protection and device management software on all endpoints.
  • SSO: Employee services are authenticated with SSO, with enforced password complexity and 2FA requirements.
  • Security Training: All personnel with data access complete security awareness and HIPAA training as part of onboarding and annually thereafter.
  • Standardized Onboarding/Offboarding: Employees receive minimum permissions by default, and are only granted additional access on an as-needed basis. When employees change roles or are offboarded, their unneeded permissions are removed immediately.
  • Access Review: Fertu performs access reviews on a regular basis to ensure the principle of least privilege is being followed.
Important! icon

Please report suspected abuse here:

Important! icon

Administrators for ISPs
and Blacklists may contact: