// TRUST CENTER

Security, privacy, and HIPAA made clear.

Everything your security and procurement teams need to evaluate Fluent—our controls, HIPAA approach, subprocessors, and policies, in one place.

Contact us

Have a security or procurement question? Reach us directly at trust@fluentworks.com

Compliance

HIPAA-Ready, BAA Available

HIPAA safeguards are built in. Execute a BAA before using Fluent with PHI.

Data Processing Addendum (DPA)

Publicly available for data-protection compliance.

View DPA

Subprocessor Transparency

Public list with 30+ days advance notice before changes.

View subprocessors

Incident Response Program

Defined severity levels and notification timelines.

View details

Support & Availability

Dedicated support with defined response-time targets.

View SLA details

Resources

View all
Security artifacts — on request
On our roadmap
  • SOC 2 Type II Planned
  • Independent penetration test Planned

Data collected

Account & user data
Operational scheduling data
Interpreter profile data
Customer organization data
Billing & usage metadata
Security & audit logs
PHI note: A BAA authorizes HIPAA-regulated use of Fluent; it doesn’t change what you can enter. You control what’s submitted and apply the minimum necessary principle — Fluent protects all data with the same controls either way.

FAQ

Yes. Fluent offers a BAA for customers whose workflows involve PHI. Once executed, your workspace can enable PHI mode. Contact us or review our BAA for details.

No. Fluent does not train AI or ML models on customer PHI. AI features are opt-in, and third-party AI providers are contractually prohibited from training on your data.

Fluent's infrastructure is hosted on AWS in the United States. Data is encrypted in transit (TLS) and at rest. Backups are encrypted within the same provider.

Fluent maintains a documented incident response plan with severity levels. Breach notification follows our BAA and applicable law. Post-incident reviews identify root causes.

A BAA authorizes HIPAA-regulated use. Fluent doesn’t restrict what you enter, so don’t submit PHI unless a BAA is in place, and follow the minimum necessary principle.

Yes — multi-factor authentication (TOTP) is available to all users and required for internal staff. SAML-based SSO is on the roadmap (coming soon); contact us if you need it for a deal.

Yes. PHI access is recorded in an append-only audit log with tamper-resistant storage and queryable investigation tooling.

Yes. Scoped, audited customer data exports are available, protected by step-up verification.

Updates

View all
Compliance June 2026

Trust Center published

We published Fluent's Trust Center to give security, compliance, and procurement reviewers a single view of our security practices, controls, subprocessors, and policies.

Security April 2026

Security & HIPAA program

Fluent maintains a comprehensive security program spanning infrastructure, application, data protection, and access control, with built-in HIPAA safeguards and a Business Associate Agreement available for customers processing PHI.

Compliance March 2026

Immutable PHI access logging

Fluent maintains an append-only, tamper-resistant audit log of PHI access, with tooling to support investigation and review.

Frequently asked questions

Answers to common questions from security, compliance, and procurement teams.

Yes. Fluent offers a Business Associate Agreement (BAA) for customers whose workflows involve protected health information (PHI). Once a BAA is executed, your workspace can enable PHI mode, which Fluent uses to apply HIPAA-oriented controls such as PHI access audit logging. PHI mode is an operational designation and does not restrict what you can enter. Contact us or review our BAA for details.

Fluent is built for interpreter scheduling and operations, so avoid entering data you don’t need for those workflows. Because the same field can be PHI for one organization and not another, Fluent doesn’t restrict what you enter — a BAA authorizes HIPAA-regulated use, and you’re responsible for what’s submitted and for following the minimum necessary principle. Don’t enter PHI unless a BAA is in place.

No. Fluent does not train AI or machine-learning models on customer PHI. Where AI features are available, they are opt-in, and any data sent to third-party AI providers is subject to contractual restrictions that prevent model training on your data.

Fluent's primary infrastructure is hosted on Amazon Web Services (AWS) in the United States. Data is encrypted both in transit (TLS) and at rest. Backups are also encrypted and stored within the same cloud provider.

Fluent maintains a documented incident response plan with defined severity levels. In the event of a confirmed security incident involving customer data, we follow notification timelines specified in our BAA and applicable law. Post-incident reviews are conducted to identify root causes and implement preventive measures.

Customer data is retained for the duration of the subscription and a reasonable wind-down period after termination, as described in our MSA. Audit logs are retained for at least 12 months. Upon request and subject to applicable law, customer data can be deleted in accordance with our data retention and deletion policies.

Fluent maintains a public subprocessor list. We provide at least 30 days' notice before adding a new subprocessor, except in cases of urgent security, legal, or service-continuity needs. Customers can subscribe to updates to be notified of any changes.

Yes. A Data Processing Addendum (DPA) is available for customers who require one for data-protection compliance. Contact trust@fluentworks.com to request a copy.

Yes — multi-factor authentication (TOTP) is available to all users and required for internal staff. SAML-based SSO is on the roadmap (coming soon); contact us if you need it for a deal.

Yes. PHI access is recorded in an append-only audit log with tamper-resistant storage and queryable investigation tooling.

Yes. Scoped, audited customer data exports are available, protected by step-up verification.