TRUST CENTER

Security, privacy, and HIPAA—made clear.

This Trust Center brings together Fluent’s security controls, HIPAA approach, subprocessors, and policies—so your team can review everything in one place.

Security Controls

A detailed view of the security and compliance controls Fluent maintains across infrastructure, application, data, and organizational domains.

Last updated: February 24, 2026

Infrastructure Security

Fluent uses managed cloud services with built-in redundancy and hardened defaults. Production access is restricted and auditable.

Control | Status
Hosted on managed cloud infrastructure (AWS) | Implemented
Network segmentation and security groups restrict traffic between tiers | Implemented
Encrypted backups with defined retention lifecycle | In progress
Environment separation between production and non-production | In progress
Centralized logging for infrastructure events and access attempts | Implemented
Vulnerability scanning for dependencies and container images | Planned

Access Control

Least-privilege access enforced at the application layer and for internal operations. Users are scoped by role, team, and agency.

Control | Status
Role-based access control (RBAC) with least-privilege defaults | Implemented
Customer admins manage user roles and team-based access scopes | Implemented
Unique user accounts required; no shared credentials (enforced by policy) | Implemented
Session management with configurable timeout controls | In progress
Administrative actions recorded in audit logs (PHI-aware where applicable) | Implemented
Secure password requirements enforced at account creation | In progress
MFA available for user accounts; required for internal staff | Planned

Application Security

Security is integrated into our development lifecycle. We maintain multiple layers of defense at the application layer.

Control | Status
TLS 1.2+ encryption for all data in transit | Implemented
Input validation and output encoding to reduce injection risk | Implemented
Authorization enforced server-side for resource access (not UI-only) | Implemented
Rate limiting and abuse prevention on public-facing endpoints | In progress
Dependency monitoring and patch management process | In progress
Code review required for all production changes | Implemented
Secrets managed via secure secret storage service | Implemented

Data Protection

Data is protected at rest and in transit. Customers retain control over their data and can request export or deletion.

Control | Status
Encryption at rest for stored data | Implemented
Data minimization guidance provided to customers (minimum necessary) | Implemented
Separation of PHI fields from non-PHI operational metadata | In progress
Customer-controlled data exports with audit logging | Planned
Defined data retention and deletion policies | Implemented
Backups encrypted and access restricted to authorized personnel | Implemented
Customer data used only to provide the Service (no secondary PHI use) | Implemented

Incident Response

Fluent maintains a formal incident response program to detect, contain, and recover from security events with transparent communication.

Control | Status
Documented incident response plan with roles and escalation paths | Implemented
Severity classification and triage process | Implemented
24/7 monitoring for critical infrastructure events | In progress
Security incident notification timeline defined in MSA / BAA | Implemented
Post-incident review and remediation tracking | Implemented
Dedicated security contact: security@fluentworks.com | Implemented

HIPAA & PHI Handling

Fluent supports HIPAA-regulated workflows. PHI is only intended to be processed when PHI mode is enabled and a BAA is in effect.

Control | Status
BAA available and required for PHI mode activation | Implemented
PHI mode gates PHI-designated features and safeguards | Implemented
PHI should not be entered into non-designated free-text fields | Implemented
Audit logging supports tracking PHI access and changes | In progress
Subprocessors with PHI access are contractually bound (BAA flow-down) | Implemented
Breach notification obligations defined in the BAA | Implemented
No secondary use of PHI (not used for analytics, benchmarking, or marketing) | Implemented
No AI/ML model training on customer PHI | Implemented

Shared Responsibility

  • Customer: Configure roles and permissions, train users on PHI handling, and control what PHI is submitted to the Service.
  • Fluent: Provide platform-level safeguards, contractual commitments (BAA), PHI mode controls, and audit logging.

Organizational Security

Security is an organizational priority. We maintain policies and practices to ensure our team operates securely.

Control | Status
Confidentiality obligations for all personnel and contractors | Implemented
Access provisioning and offboarding process for internal staff | In progress
Security awareness training for internal staff | Planned
Vendor and subprocessor security review process | In progress
Security policy review on a defined cadence | Planned

AI Security & Data Use

Fluent maintains strict boundaries around how customer data interacts with AI systems. PHI is never used for model training.

Control | Status
No AI/ML model training on customer PHI | Implemented
AI features (if/when added) will be opt-in and documented | Implemented
AI subprocessors (if any) listed in Subprocessor List | Implemented
Data sent to AI providers limited to what is necessary for the feature | Planned