// TRUST CENTER

Security, privacy, and HIPAA made clear.

Everything your security and procurement teams need to evaluate Fluent—our controls, HIPAA approach, subprocessors, and policies, in one place.

Contact us

Have a security or procurement question? Reach us directly at trust@fluentworks.com

Security Controls

A detailed view of the security and compliance controls Fluent maintains across infrastructure, application, data, and organizational domains.

Last updated: June 22, 2026

Infrastructure Security

Fluent uses managed cloud services with built-in redundancy and hardened defaults. Production access is restricted and auditable.

Control | Status
Hosted on managed cloud infrastructure (AWS) | Implemented
Network segmentation and security groups restrict traffic between tiers | Implemented
Databases are continuously backed up with point-in-time restore (7-day window) and encrypted at rest. Recovery procedures are tested to support restoration after a disruption. | Implemented
Environment separation between production and non-production | Implemented
Centralized logging for infrastructure events and access attempts | Implemented
Vulnerability scanning for dependencies and container images | Implemented

Access Control

Least-privilege access enforced at the application layer and for internal operations. Users are scoped by role, team, and agency.

Control | Status
Access to data is governed by role-based permissions scoped to a user's role, team, and agency, with least-privilege defaults. Customer administrators control who can see and do what within their workspace. | Implemented
Customer admins manage user roles and team-based access scopes | Implemented
Unique user accounts required; shared credentials prohibited | Implemented
Session management with configurable timeout controls | Implemented
Administrative actions recorded in audit logs | Implemented
Secure password requirements enforced at account creation | Implemented
Account lockout and brute-force protection on authentication | Implemented
Multi-factor authentication (TOTP) is available to all users and required for Fluent's internal staff. Once enrolled, a time-based one-time code is required at sign-in in addition to the password. | Implemented
Single sign-on (SSO / SAML) — coming soon | Planned

Application Security

Security is integrated into our development lifecycle. We maintain multiple layers of defense at the application layer.

Control | Status
All traffic between your browser or device and Fluent is encrypted using TLS 1.2 or higher; modern clients negotiate TLS 1.3 automatically. We do not serve application traffic over unencrypted connections. | Implemented
Browser security headers enforced (Content-Security-Policy, HSTS) | Implemented
Input validation and output encoding to reduce injection risk | Implemented
Authorization enforced server-side on every resource request | Implemented
Rate limiting and abuse prevention on public-facing endpoints | Implemented
Dependency monitoring and patch management process | Implemented
Code review required for all production changes | Implemented
Application secrets and credentials are stored in a managed secret store and injected at runtime — never committed to source code or configuration files. | Implemented

Data Protection

Data is protected at rest and in transit. Customers retain control over their data and can request export or deletion.

Control | Status
All customer data — database records, file storage, and backups — is encrypted at rest using AES-256. Encryption keys are managed through our cloud provider's managed key service. | Implemented
Centralized encryption key management | Implemented
Data minimization guidance provided to customers (minimum necessary) | Implemented
Separation of PHI fields from non-PHI operational metadata | Implemented
PHI is excluded from application logs, error monitoring, and performance analytics through automated scrubbing before any data leaves our systems. Third-party monitoring providers do not receive PHI. | Implemented
Customers can request scoped exports of their data, protected by step-up verification and recorded in an audit log. On termination, data is deleted in accordance with our retention and deletion policies and applicable law. | Implemented
Defined data retention and deletion policies | Implemented
Backups encrypted and access restricted to authorized personnel | Implemented
Customer data used only to provide the Service (no secondary PHI use) | Implemented

Incident Response

Fluent maintains a formal incident response program to detect, contain, and recover from security events with transparent communication.

Control | Status
Fluent maintains a documented incident response plan with defined severity levels, escalation paths, and post-incident review. If a confirmed incident affects your data, we notify you within the timelines defined in your agreement and BAA. | Implemented
Severity classification and triage process | Implemented
Fluent continuously monitors infrastructure and access patterns for anomalies using cloud-native threat detection, with automated alerts routed to our team for investigation. | Implemented
Security incident notification timeline defined in MSA / BAA | Implemented
Post-incident review and remediation tracking | Implemented
Dedicated security contact: trust@fluentworks.com | Implemented

HIPAA & PHI Handling

Fluent supports HIPAA-regulated workflows. PHI is only intended to be processed when PHI mode is enabled and a BAA is in effect.

Control | Status
PHI is only processed once a Business Associate Agreement (BAA) is executed and PHI mode is enabled for your workspace. PHI mode activates additional safeguards and gates PHI-designated features. | Implemented
PHI mode gates PHI-designated features and safeguards | Implemented
PHI should not be entered into non-designated free-text fields | Implemented
Access to protected health information is recorded in an append-only audit log capturing who accessed what and when. Logs are written to tamper-resistant storage and retained for at least 12 months. | Implemented
Tamper-resistant, append-only audit logs | Implemented
Subprocessors that may handle PHI are contractually bound by BAAs or equivalent obligations. We publish our subprocessor list and provide at least 30 days’ notice before adding a new subprocessor. | Implemented
Breach notification obligations defined in the BAA | Implemented
Customer data, including PHI, is used only to provide the Service. We never use it for advertising, resale, benchmarking, or to train AI/ML models. | Implemented
No AI/ML model training on customer PHI | Implemented

Shared Responsibility

  • Customer: Configure roles and permissions, train users on PHI handling, and control what PHI is submitted to the Service.
  • Fluent: Provide platform-level safeguards, contractual commitments (BAA), PHI mode controls, and audit logging.

Organizational Security

Security is an organizational priority. We maintain policies and practices to ensure our team operates securely.

Control | Status
Confidentiality obligations for all personnel and contractors | Implemented
Access provisioning and offboarding process for internal staff | Implemented
Security awareness training for internal staff | Implemented
Vendor and subprocessor security review process | Implemented
Security policy review on a defined cadence | Implemented

AI Security & Data Use

Fluent maintains strict boundaries around how customer data interacts with AI systems. PHI is never used for model training.

Control | Status
Customer data, including PHI, is never used to train AI or ML models | Implemented
AI features are opt-in and clearly documented | Implemented
Any AI provider is listed as a subprocessor and contractually restricted from training on your data | Implemented
Only the minimum data necessary is shared with an AI provider for a given feature | Implemented