TRUST CENTER

Security, privacy, and HIPAA—made clear.

This Trust Center brings together Fluent’s security controls, HIPAA approach, subprocessors, and policies—so your team can review everything in one place.

Security & HIPAA overview Legal & policies Subprocessors
Ask a question

Compliance

HIPAA & BAA Available

BAA offered for customers processing PHI.

View BAA

HIPAA-Ready by Default

HIPAA safeguards are built in. Execute a BAA to use Fluent with PHI.

View details

Data Processing Addendum (DPA)

Publicly available for data-protection compliance.

View DPA

Subprocessor Transparency

Public list with 30+ days advance notice before changes.

View subprocessors

Incident Response Program

Defined severity levels and notification timelines.

View details

Support & Availability

Dedicated support with defined response-time targets.

View SLA details

Resources

View all
Compliance
Privacy & Legal
Questionnaires

Controls

Updated Feb 2026 View all

Infrastructure Security

  • Hosted on AWS
  • Network segmentation & firewalls
  • DDoS mitigation
  • Automated patching
View more

Access Control

  • Role-based access (RBAC)
  • Least-privilege by role & team
  • MFA available
  • Session timeout controls
View more

Application Security

  • TLS encryption in transit
  • Input validation
  • Secure SDLC practices
  • Dependency monitoring
View more

Data Protection

  • Encryption at rest
  • Encrypted backups
  • Workspace data isolation
  • Retention & deletion policies
View more

Incident Response

  • Documented IR plan
  • Severity classification
  • Breach notification per BAA
  • Post-incident review
View more

HIPAA & PHI Handling

  • BAA available
  • PHI mode safeguards
  • No secondary PHI use
  • Audit logging for PHI
View more

Organizational Security

  • Security awareness training
  • Background checks
  • Acceptable use policies
  • On/offboarding procedures
View more

AI Security & Data Use

  • No AI training on PHI
  • AI features are opt-in
  • AI providers listed as subprocessors
  • No model training on your data
View more

Data collected

Account & user data
Operational scheduling data
Interpreter profile data
Customer organization data
Billing & usage metadata
Security & audit logs
PHI note: PHI is only processed when PHI mode is enabled and a BAA is in effect. Follow the minimum necessary principle.

Subprocessors

View all

FAQ

Yes. Fluent offers a BAA for customers whose workflows involve PHI. Once executed, your workspace can enable PHI mode. Contact us or review our BAA for details.

No. Fluent does not train AI or ML models on customer PHI. AI features are opt-in, and third-party AI providers are contractually prohibited from training on your data.

Fluent's infrastructure is hosted on AWS in the United States. Data is encrypted in transit (TLS) and at rest. Backups are encrypted within the same provider.

Fluent maintains a documented incident response plan with severity levels. Breach notification follows our BAA and applicable law. Post-incident reviews identify root causes.

Avoid entering PHI unless PHI mode is enabled and a BAA is in place. Even with PHI mode, follow the minimum necessary principle.

Updates

View all
Compliance Feb 24, 2026

Trust Center launched

Published centralized access to security practices, controls, and policy documents.

Policy Feb 2026

Updated Subprocessor List

Added subprocessor details including data access scope and regions.

Security Jan 2026

Security Incident Response Exhibit

Published severity classification, escalation procedures, and notification timelines.

Frequently asked questions

Answers to common questions from security, compliance, and procurement teams.

Yes. Fluent offers a Business Associate Agreement (BAA) for customers whose workflows involve protected health information (PHI). Once a BAA is executed, your workspace can enable PHI mode, which activates additional safeguards designed for HIPAA-regulated data. Contact us or review our BAA for details.

Fluent is designed for interpreter scheduling and operations. You should not enter data unnecessary for these workflows. If PHI mode is not enabled or a BAA is not in place, avoid entering any PHI. Even with PHI mode enabled, we recommend following the minimum necessary principle — only include PHI required for the appointment or workflow.

No. Fluent does not train AI or machine-learning models on customer PHI. Where AI features are available, they are opt-in, and any data sent to third-party AI providers is subject to contractual restrictions that prevent model training on your data.

Fluent's primary infrastructure is hosted on Amazon Web Services (AWS) in the United States. Data is encrypted both in transit (TLS) and at rest. Backups are also encrypted and stored within the same cloud provider.

Fluent maintains a documented incident response plan with defined severity levels. In the event of a confirmed security incident involving customer data, we follow notification timelines specified in our BAA and applicable law. Post-incident reviews are conducted to identify root causes and implement preventive measures.

Customer data is retained for the duration of the subscription and a reasonable wind-down period after termination, as described in our MSA. Audit logs are retained for at least 12 months. Upon request and subject to applicable law, customer data can be deleted in accordance with our data retention and deletion policies.

Fluent maintains a public subprocessor list. We provide at least 30 days' notice before adding a new subprocessor, except in cases of urgent security, legal, or service-continuity needs. Customers can subscribe to updates to be notified of any changes.

Yes. A Data Processing Addendum (DPA) is available for customers who require one for data-protection compliance. Contact security@fluentworks.com to request a copy.