Security & Governance

Security and governance for regulated financial operations.

Fontana is built for workflows where the control record matters as much as the output. Procurement, security, technology, and operations teams get a clear view of how workflows, users, data, AI assistance, lineage, and evidence are governed.

Certification status

Current certification posture.

Enterprise buyers need clarity on what is available today, what is in progress, and what should be reviewed under NDA.

Certification in progress

SOC 2

Control narratives, mapped evidence, and programme status can be reviewed under NDA during diligence.

Certification in progress

ISO/IEC 27001

Security management controls are being prepared and documented; status is published as the programme advances toward formal certification.

Operational controls available

GDPR-aligned controls

DPA, subprocessor disclosure, access controls, retention configuration, and data-processing safeguards are available for review.

Security

Governance controls buyers can inspect.

Each area is framed so reviewers can follow up with the relevant architecture, legal, operations, or security evidence.

Deployment models

Run Fontana in the deployment pattern your reviewers approve: managed cloud, dedicated single-tenant environment, private cloud/VPC, or customer-controlled infrastructure where required.

Identity and access

SSO/OIDC, role-based access, workspace scoping, approval permissions, and administrative separation keep operational actions tied to accountable users.

Data protection

Encryption in transit and at rest, configurable retention, tenant-aware data boundaries, and optional customer-managed key patterns support regulated workflows without weakening controls.

AI and model governance

AI assists analysis and drafting through governed routing, approved-provider policies, prompt and output logging, human review gates, and deterministic execution boundaries.

Audit, logging, lineage, and replay

Every run should leave the evidence a regulated operations team needs: source inputs, rule versions, approvals, exceptions, outputs, model interactions, lineage, and replay context.

Tenant isolation

Tenant boundaries are explicit across workspaces, data scopes, configuration, model access, and operational evidence so teams can reason about who can see and run what.

Incident response and resilience

Operational resilience is treated as part of the control layer: monitoring, escalation paths, recovery procedures, change records, and customer communication are diligence topics, not afterthoughts.

Diligence pack under NDA

Security questionnaires, architecture diagrams, control narratives, data-processing terms, subprocessor details, and deployment walkthroughs are available to qualified procurement and security teams.

Diligence pack

Engage procurement early. Detailed review under NDA.

Fontana can support a qualified review with architecture diagrams, deployment-model walkthroughs, control narratives, legal terms, subprocessor information, AI governance posture, and operating evidence examples.