Security & HIPAA

Fluent supports language services workflows that may involve PHI—without complicating your daily operations.

We provide encryption, role-based access controls, audit logs, and workspace security settings designed to support HIPAA-regulated operations. Business Associate Agreements (BAAs) are available when applicable.

Encryption in transit & at rest
Role-based access controls
Audit logs
Workspace security controls

Your data, protected by design

Language services often involve sensitive information—appointment details, patient names, and scheduling context that shouldn't be floating around in emails and text threads. Fluent keeps that data in one secure place.

  • Designed to support minimum-necessary access and controlled sharing.
  • Customer-managed roles and permissions help limit who can view and act on data.
  • Audit logging supports operational review and accountability.
  • Security settings and HIPAA-ready configuration options are available for eligible workflows.

HIPAA-ready features

Below is how Fluent supports key technical safeguard categories. Your policies and implementation still matter—HIPAA is a shared responsibility.

Feature: How Fluent supports it

Access Controls
  • Role-based access control (RBAC): Assign access based on roles and responsibilities to support least-privilege access.
  • Team and agency segmentation: Scope access by organization/team so users only see what they're permitted to access.
  • User provisioning and deprovisioning: Support onboarding/offboarding workflows and removal of access when no longer needed.
  • Unique user identification: Users authenticate with unique accounts (no shared logins recommended).
  • Automatic session timeout: Sessions expire after a period of inactivity (configurable where applicable).

Audit Controls
  • Comprehensive audit logs: Record key actions to support traceability and review.
  • Log retention: Retention is defined by policy and customer agreement; logs support operational and security review.
  • Log export: Export options available for review and compliance workflows where applicable.
  • Tamper-evident audit history: Controls are designed to preserve log integrity and support investigation.

Integrity Controls
  • Input validation: Controls are designed to help protect data integrity and reduce unauthorized modification risk.
  • Record history and versioning: Support record history where applicable to help with review and correction workflows.
  • Integrity verification: Controls are designed to help protect data integrity and detect unauthorized changes.

Person/Entity Authentication
  • Password policy support: Password requirements and authentication controls support secure access.
  • Multi-factor authentication (MFA): MFA is supported for eligible accounts and workflows.
  • Single sign-on (SSO): SSO is supported for eligible plans/accounts.
  • Session management: Active sessions are tracked and managed to support secure access.

Transmission Security
  • TLS encryption in transit: Data is encrypted in transit using TLS.
  • Encryption at rest: Data is encrypted at rest.
  • Authenticated APIs: API access is authenticated and authorized.
  • Notification controls: Configure notifications to direct users into the app for details—keep PHI out of SMS and email bodies.

BAAs & shared responsibility

Business Associate Agreements (BAAs)

We can provide a Business Associate Agreement (BAA) for eligible customers. PHI is processed only when PHI mode is enabled and a BAA is in effect.

Shared responsibility

Fluent provides security controls and configuration options, but HIPAA is a shared responsibility. Customers are responsible for how they configure workflows, manage access, and determine what data is entered into the platform.

Security operations

Fluent maintains security practices designed to protect your data and respond to potential threats.

  • Monitoring and alerting: We use automated monitoring to detect infrastructure and application anomalies and route alerts to our team.
  • Vulnerability management: We apply updates and patching based on risk and impact.
  • Backups and recovery: Systems are designed to support backup and recovery procedures.
  • Incident response: We maintain an incident response process; incident response documentation may be available for qualified reviewers.

Pen test summaries may be available upon request. Review the security overview in the Trust Center.

Subprocessors

We use carefully selected subprocessors to operate Fluent (e.g., infrastructure, authentication, messaging, and monitoring). View our current subprocessor list and our subprocessor change notice policy in the Trust Center.

FAQ

Security & HIPAA questions

Common questions about our security practices and HIPAA-ready features.

Yes—Business Associate Agreements are available for eligible customers. PHI is processed only when PHI mode is enabled and a BAA is in effect. Contact us to get started.

Fluent is built with HIPAA safeguards by default. Once a BAA is executed, your workspace can be used with PHI. HIPAA is a shared responsibility—your organization's policies and practices matter too.

Our Trust Center brings together security controls, HIPAA approach, policies, and subprocessors in one place for your team to review.

Our current subprocessor list is published publicly in the Trust Center, along with our subprocessor change notice policy.

Public resources like our BAA, DPA, and policies are available in the Trust Center. Additional artifacts (e.g., pen test summaries, architecture overviews) may be available on request for qualified security reviewers.