Security & HIPAA
Built for agencies and organizations handling PHI.
Fluent gives you the controls you need to schedule, dispatch, and bill for language services involving protected health information — encryption, role-based access, audit logs, and BAAs for eligible customers.
Your data, protected by design
Language services often involve sensitive information—appointment details, patient names, and scheduling context that shouldn't be floating around in emails and text threads. Fluent keeps that data in one secure place.
- Minimum-necessary access by default. Users see only the appointments, customers, and interpreters their role permits.
- Roles you control. Define custom roles and permissions to match how your agency operates.
- Full audit trail. Every meaningful action is logged — who did what, when, and from where.
- PHI mode for eligible accounts. Enable stricter controls for workflows involving protected health information.
HIPAA-ready features
Below is how Fluent supports key technical safeguard categories. Your policies and implementation still matter—HIPAA is a shared responsibility.
| Feature | How Fluent supports it |
|---|---|
| Access Controls | |
| Role-based access control (RBAC) | Assign permissions to roles, not individuals. Supports least-privilege access. |
| Team and agency segmentation | Scope access by team so users see only what their role permits. |
| User provisioning and deprovisioning | Onboard and offboard users; revoke access immediately when someone leaves. |
| Unique user identification | Every user has a unique account. Shared logins are not recommended. |
| Automatic session timeout | Sessions expire after a configurable period of inactivity. |
| Audit Controls | |
| Comprehensive audit logs | Every meaningful action is recorded for review and investigation. |
| Log retention | Audit logs are retained for at least six years, or longer if required by your BAA or state law. |
| Log export | Workspace administrators can view and export audit logs for compliance reviews or incident investigations. |
| Tamper-evident audit history | Logs are stored in append-only, immutable storage to prevent modification or deletion. |
| Integrity Controls | |
| Input validation | Inputs are validated before data is stored or processed. |
| Record history and versioning | Edits to appointments, interpreter records, and billing entries are versioned. Previous values are retained for audit purposes. |
| Integrity verification | Changes are tied to a specific user and timestamp, making unauthorized edits easier to detect and investigate. |
| Person/Entity Authentication | |
| Password policy support | Password requirements and authentication controls support secure access. |
| Multi-factor authentication (MFA) | MFA is supported for eligible accounts and workflows. |
| Single sign-on (SSO) | Single sign-on (SSO) is in active development. If SSO is a requirement for your agency, contact us — we'd like to hear from you as we scope the rollout. |
| Session management | Active sessions are tracked and managed to support secure access. |
| Transmission Security | |
| TLS encryption in transit | All data in transit is encrypted with TLS 1.2 or higher. |
| Encryption at rest | All data stored in Fluent is encrypted with AES-256. |
| Authenticated APIs | Connections to third-party services use OAuth or authenticated API keys. No unauthenticated data exchange. |
| Notification controls | Configure notifications to direct users into the app for details—keep PHI out of SMS and email bodies. |
BAAs & shared responsibility
Business Associate Agreements (BAAs)
We can provide a Business Associate Agreement (BAA) for eligible customers. PHI is processed only when PHI mode is enabled and a BAA is in effect.
Shared responsibility
Fluent provides security controls and configuration options, but HIPAA is a shared responsibility. Customers are responsible for how they configure workflows, manage access, and determine what data is entered into the platform.
Security operations
Fluent maintains security practices designed to protect your data and respond to potential threats.
- Monitoring and alerting: We use automated monitoring to detect infrastructure and application anomalies and route alerts to our team.
- Vulnerability management: We apply updates and patching based on risk and impact.
- Backups and recovery: Data is backed up regularly. Recovery procedures are tested.
- Incident response: We maintain a documented incident response plan covering detection, containment, notification, and remediation. The plan is available to customers under NDA.
- Third-party penetration testing: Summaries available under NDA.
Subprocessors
We use carefully selected subprocessors to operate Fluent (e.g., infrastructure, authentication, messaging, and monitoring). View our current subprocessor list and our subprocessor change notice policy in the Trust Center.
Security & HIPAA questions
Common questions about our security practices and HIPAA-ready features.
Yes—Business Associate Agreements are available for eligible customers. PHI is processed only when PHI mode is enabled and a BAA is in effect. Contact us to get started.
Fluent is built with HIPAA safeguards by default. Once a BAA is executed, your workspace can be used with PHI. HIPAA is a shared responsibility—your organization's policies and practices matter too.
Our Trust Center brings together security controls, HIPAA approach, policies, and subprocessors in one place for your team to review.
Our current subprocessor list is published publicly in the Trust Center, along with our subprocessor change notice policy.
Public resources like our BAA, DPA, and policies are available in the Trust Center. Additional artifacts (e.g., pen test summaries, architecture overviews) may be available on request for qualified security reviewers.