Compliance
HIPAA-Ready, BAA Available
HIPAA safeguards are built in. Execute a BAA before using Fluent with PHI.
Subprocessor Transparency
Public list with 30+ days advance notice before changes.
View subprocessorsResources
View all- SOC 2 Type II Planned
- Independent penetration test Planned
Controls
Infrastructure Security
- Hosted on AWS
- Network segmentation & firewalls
- DDoS mitigation
- Automated patching
Access Control
- Role-based access (RBAC)
- Least-privilege by role & team
- MFA available (TOTP)
- Session timeout controls
- SSO — coming soon
Application Security
- TLS encryption in transit
- Input validation
- Secure SDLC practices
- Dependency monitoring
Data Protection
- Encryption at rest
- Encrypted backups
- Workspace data isolation
- Retention & deletion policies
Incident Response
- Documented IR plan
- Severity classification
- Breach notification per BAA
- Post-incident review
HIPAA & PHI Handling
- BAA available
- PHI mode safeguards
- No secondary PHI use
- Audit logging for PHI
Organizational Security
- Security awareness training
- Background checks
- Acceptable use policies
- On/offboarding procedures
AI Security & Data Use
- No AI training on PHI
- AI features are opt-in
- AI providers listed as subprocessors
- No model training on your data
Data collected
Subprocessors
View all- Amazon Web Services (AWS) · Infrastructure Hosting Core Product US
- Google Cloud / Firebase · Authentication & Push Notifications Core Product US
- Stripe · Payment Processing Core Product US
- Twilio · SMS Verification Core Product US
- SendGrid (Twilio) · Transactional Email Delivery Core Product US
- Sentry · Error Monitoring Core Product US
- New Relic · Performance Monitoring Core Product US
- Google Maps Platform · Maps & Geocoding Core Product US
- ConfigCat · Feature Flags Core Product US
- IPify · IP Address Lookup Core Product US
FAQ
Yes. Fluent offers a BAA for customers whose workflows involve PHI. Once executed, your workspace can enable PHI mode. Contact us or review our BAA for details.
No. Fluent does not train AI or ML models on customer PHI. AI features are opt-in, and third-party AI providers are contractually prohibited from training on your data.
Fluent's infrastructure is hosted on AWS in the United States. Data is encrypted in transit (TLS) and at rest. Backups are encrypted within the same provider.
Fluent maintains a documented incident response plan with severity levels. Breach notification follows our BAA and applicable law. Post-incident reviews identify root causes.
A BAA authorizes HIPAA-regulated use. Fluent doesn’t restrict what you enter, so don’t submit PHI unless a BAA is in place, and follow the minimum necessary principle.
Yes — multi-factor authentication (TOTP) is available to all users and required for internal staff. SAML-based SSO is on the roadmap (coming soon); contact us if you need it for a deal.
Yes. PHI access is recorded in an append-only audit log with tamper-resistant storage and queryable investigation tooling.
Yes. Scoped, audited customer data exports are available, protected by step-up verification.
Updates
View allTrust Center published
We published Fluent's Trust Center to give security, compliance, and procurement reviewers a single view of our security practices, controls, subprocessors, and policies.
Security & HIPAA program
Fluent maintains a comprehensive security program spanning infrastructure, application, data protection, and access control, with built-in HIPAA safeguards and a Business Associate Agreement available for customers processing PHI.
Immutable PHI access logging
Fluent maintains an append-only, tamper-resistant audit log of PHI access, with tooling to support investigation and review.
Policies and agreements available for review.
Master Subscription Agreement (MSA)
The terms governing use of the Fluent platform.
Acceptable Use Policy (AUP)
Guidelines for acceptable use of the Fluent Service.
Privacy Policy
How Fluent collects, uses, and protects personal data.
Business Associate Agreement (BAA)
HIPAA-specific terms for customers processing PHI.
Data Processing Addendum (DPA)
Publicly available for data-protection compliance.
Cookie Policy
Details on cookies and tracking technologies used by Fluent.
Support & SLA Policy
Support tiers, response-time targets, and availability commitments.
Security Incident Response Exhibit
Severity levels, response procedures, and notification timelines.
The following documents are available under NDA or on request for qualified security reviewers.
Answers to common questions from security, compliance, and procurement teams.
Yes. Fluent offers a Business Associate Agreement (BAA) for customers whose workflows involve protected health information (PHI). Once a BAA is executed, your workspace can enable PHI mode, which Fluent uses to apply HIPAA-oriented controls such as PHI access audit logging. PHI mode is an operational designation and does not restrict what you can enter. Contact us or review our BAA for details.
Fluent is built for interpreter scheduling and operations, so avoid entering data you don’t need for those workflows. Because the same field can be PHI for one organization and not another, Fluent doesn’t restrict what you enter — a BAA authorizes HIPAA-regulated use, and you’re responsible for what’s submitted and for following the minimum necessary principle. Don’t enter PHI unless a BAA is in place.
No. Fluent does not train AI or machine-learning models on customer PHI. Where AI features are available, they are opt-in, and any data sent to third-party AI providers is subject to contractual restrictions that prevent model training on your data.
Fluent's primary infrastructure is hosted on Amazon Web Services (AWS) in the United States. Data is encrypted both in transit (TLS) and at rest. Backups are also encrypted and stored within the same cloud provider.
Fluent maintains a documented incident response plan with defined severity levels. In the event of a confirmed security incident involving customer data, we follow notification timelines specified in our BAA and applicable law. Post-incident reviews are conducted to identify root causes and implement preventive measures.
Customer data is retained for the duration of the subscription and a reasonable wind-down period after termination, as described in our MSA. Audit logs are retained for at least 12 months. Upon request and subject to applicable law, customer data can be deleted in accordance with our data retention and deletion policies.
Fluent maintains a public subprocessor list. We provide at least 30 days' notice before adding a new subprocessor, except in cases of urgent security, legal, or service-continuity needs. Customers can subscribe to updates to be notified of any changes.
Yes. A Data Processing Addendum (DPA) is available for customers who require one for data-protection compliance. Contact trust@fluentworks.com to request a copy.
Yes — multi-factor authentication (TOTP) is available to all users and required for internal staff. SAML-based SSO is on the roadmap (coming soon); contact us if you need it for a deal.
Yes. PHI access is recorded in an append-only audit log with tamper-resistant storage and queryable investigation tooling.
Yes. Scoped, audited customer data exports are available, protected by step-up verification.