Security, without the marketing copy.

Every privacy page on every product site on the internet says "we take your privacy seriously" and lists badges. Most of those badges don't substantively constrain what the company can do with the data. The honest version of this page is shorter and less flattering than the genre allows.

What's true today

Encryption at rest with managed keys.

Your conversation data is stored encrypted in our cloud. The keys are managed by Fluent's infrastructure (AWS KMS), not by you personally.

TLS in transit.

All audio and metadata travel over TLS 1.2+ between your device, our backend, and any third-party integration you authorize.

No model training on your audio.

We do not use your audio or transcripts to train models — ours or any third-party vendor's. Your conversations exist to be useful to you, not to improve a product we sell to someone else.

One-time share links you control.

When you share a meeting summary with someone, it's on a unique URL you can revoke. The audio is never part of the share — only the structured output you explicitly include.

Authorization scoped to you.

Authentication via Auth0. Only you can see your conversations. Fluent staff do not have routine access to your data; access for support requires explicit consent and is audit-logged.

What's on the roadmap, not shipped

Per-user encryption keys.

Keys derived from your passcode, so even Fluent's infrastructure operators couldn't read your data. Not shipped yet. We'll say so on this page until it is.

On-device processing.

Audio processed locally on the phone for the parts that don't require cloud compute. In development.

What we don't claim

"You hold the keys."

Not yet — managed keys today, per-user keys on the roadmap.

"Subpoena-resistant."

Not without per-user encryption. Don't store anything in Fluent you couldn't respond to a subpoena about.

"HIPAA-compliant" or "HIPAA-friendly."

Fluent is not a HIPAA-certified service. We are not pursuing HIPAA certification. Don't use Fluent for protected health information.

"SOC 2 / ISO 27001 certified."

Not yet. We use AWS infrastructure that is, but Fluent itself does not currently hold those certifications.

"Zero-knowledge architecture."

Not today. The architecture would need per-user encryption first.

Questions

Security questions, vulnerability reports, or curiosity about the implementation: [email protected].