Governance
Fertu’s Security and Privacy teams define controls, monitor them, and provide evidence to third-party auditors to prove those controls are working.
Our security program is built on four principles:
- Least privilege: access is limited to only those with a legitimate business need, and is always provisioned following the principle of least privilege.
- Defense in depth: we layer technical, procedural, and monitoring controls to reduce blast radius and detect issues quickly.
- Consistent enforcement: security controls are applied consistently across engineering, infrastructure, and operations, not just in production-facing code.
- Continuous improvement: we continuously mature our controls to increase effectiveness and auditability while minimizing friction for our team and our customers.
Compliance
SOC 2 Type II
Fertu maintains a SOC 2 Type II attestation.
A SOC 2 Type II report evaluates not only that appropriate security controls exist, but that they actually operated effectively over an extended period of time. That makes it more rigorous than a point-in-time SOC 2 Type I review.
We provide our most recent SOC 2 Type II report to customers and qualified prospects under NDA.
HIPAA
Fertu is designed for HIPAA compliance. We act as a Business Associate, and our platform supports HIPAA-compliant handling of Protected Health Information (PHI) across outreach channels (SMS, phone, mail, and email). We execute Business Associate Agreements (BAAs) with covered entities and upstream business associates, and we limit PHI use/disclosure to the “minimum necessary” required to perform patient engagement on their behalf.
Data Protection
Product Security
Secure Development Lifecycle
Every code change to the Fertu platform goes through review and automated scanning before it’s allowed to reach production. We run:
- Static Application Security Testing (SAST) during pull requests and on a recurring basis
- Software Composition Analysis (SCA) to identify known vulnerabilities in open source dependencies
- Malicious dependency scanning to reduce software supply chain risk
- Dynamic Application Security Testing (DAST) of running services
- Network vulnerability scanning of exposed surfaces
- Continuous attack-surface monitoring to identify any unexpected internet-facing assets
Penetration Testing
We engage independent penetration testers with deep application and infrastructure expertise at least annually. The engagement covers our application, APIs, and cloud infrastructure, with source code made available to maximize coverage and exploit realism.
We make summary penetration test reports available upon request.
Network Access & Remote Access
Production services run inside private Google Cloud VPCs. Public ingress is tightly controlled and audited. Internal services (databases, job runners, schedulers) are reachable only through private VPC connectors. Access is brokered through Google’s Cloud SQL Auth Proxy (“CloudProxy”), which enforces authenticated, encrypted connections. We enforce malware-blocking DNS servers and egress restrictions to limit outbound connections from sensitive environments.
Vendor Security
We use a risk-based vendor review process. Vendors that could access PHI, communicate with patients on our customers’ behalf, or connect to production infrastructure are evaluated for security posture before onboarding. We assess factors including the type of data involved (especially PHI), the level of access to production systems, and the potential operational or reputational impact. Vendors with higher inherent risk require stronger controls and contractual assurances before use.
Identity & Access Management
All workforce access to production systems is enforced through Google SSO. Production access requires strong authentication, is role-scoped, and follows least-privilege provisioning and periodic review.
All corporate laptops are centrally managed. We enforce disk encryption, automatic screen lock, OS and patch baselines, and anti-malware/EDR tooling. Device posture is monitored continuously.
Data Privacy & PHI Handling
We handle PHI and other sensitive patient information only for the purpose our customers authorize (for example: outreach about a benefit they’re eligible for, or helping them schedule an Annual Wellness Visit). We do not sell PHI, share PHI for marketing unrelated to our customers’ programs, or use PHI to build unrelated data products.
We also maintain records of consent and opt-out where applicable, and we honor unsubscribe / “stop” requests across channels. This operational discipline — knowing who we’re allowed to contact, why, and in which language or modality — is fundamental to our platform, not just a legal checkbox.
Because we work with U.S. healthcare organizations and do not market to EU consumers, we are not currently a Privacy Shield / GDPR processor. Our focus is HIPAA, data minimization, and provable controls mapped to SOC 2 Type II.
Availability & Status
Fertu production infrastructure runs on Google Cloud Platform (GCP). We deploy using containerized services and managed databases, with monitoring and alerting on uptime, performance, and security signals. We are continuously improving our redundancy and recovery posture to meet healthcare-grade expectations for reliability.
We maintain audit trails for access, configuration changes, and data flows, and we make evidence (for example, SOC 2 Type II report, summary pen test findings) available to customers under NDA.