Security & Compliance

Carrier-grade security for documents that matter.

E-Fax Easy is built on the same SBC infrastructure that routes millions of carrier-grade calls. Encryption at every layer, audit trails on every signature, and a HIPAA roadmap your compliance team will actually accept.

256-bit AES at rest · TLS 1.3 in transit · ESIGN/UETA compliant

Three pillars of E-Fax Easy security

Security isn’t bolted on — it’s baked into the carrier infrastructure, the document pipeline, and the compliance posture we publish.

Carrier Infrastructure

Your faxes travel via T.38 protocol over the same Session Border Controller platform that processes millions of carrier-grade VoIP calls. No consumer API wrappers, no third-party fax middlemen.

Document Integrity

Every signed document is sealed with a tamper-evident SHA-256 hash and a timestamped audit trail. Tampering breaks the seal — provable in court, not just the dashboard.

Compliance Track Record

ESIGN and UETA compliance is built into every signature. HIPAA Business Associate Agreements ship with the Practice tier — running on dedicated infrastructure when you have a BAA in place.

How your data is protected

Encryption isn’t a marketing word here — it’s documented at every layer.

At rest

256-bit AES encryption on every document and audit-log entry. Postgres column-level encryption for sensitive fields. Daily encrypted backups retained 30 days.

In transit

TLS 1.3 with HSTS preloaded for all browser traffic. T.38 fax leg uses SRTP-equivalent encrypted media. No clear-text protocols anywhere in the path.

Authentication

Bcrypt password hashing (work factor 12). Magic-link sign-in supported. SOC 2-style password rotation policies enforced for staff accounts.

Logs and audit trails

Every signature event, fax send/receive, and admin action is logged with timestamp, user ID, IP, and user-agent. Logs are append-only and exportable on demand.

Compliance roadmap

Live: ESIGN/UETA-compliant e-signatures with full audit trail on every document
Q3 2026: HIPAA BAA available on Practice tier — dedicated tenant infrastructure
2027: SOC 2 Type II audit. Penetration testing reports available under NDA

We don’t claim certifications we don’t have. If you need to vet our security posture, email [email protected] — we’ll send our security questionnaire response within 1 business day.

Security FAQ

Our infrastructure uses 256-bit AES encryption at rest and TLS 1.3 in transit — the technical foundation of HIPAA compliance. HIPAA Business Associate Agreements (BAAs) ship with the Practice tier (Q3 2026 launch). Until your BAA is in place, treat E-Fax Easy as not-yet-HIPAA-covered for PHI.
Primary database in US-East (managed Postgres with daily encrypted backups). Document blobs in encrypted object storage with US-region pinning. No data leaves the United States without an explicit configuration request.
Yes. Email [email protected] with your standard questionnaire (CAIQ, SIG-Lite, custom — all fine). We respond within 1 business day. SOC 2 Type II audit is targeted for 2027; penetration test reports are available under NDA.
We follow a documented incident response plan: detection → triage → containment → notification within 72 hours where required by law (HIPAA Breach Notification Rule, state data-breach laws). Affected customers are notified directly with a written incident report.
Yes. Cancellation triggers a 30-day soft-delete window where you can re-activate. After 30 days, all customer data — documents, audit logs, billing records (except those legally required for retention) — is permanently deleted. Email a confirmation request to [email protected] to verify.
By default, no E-Fax Easy staff can view your documents. Document content is access-gated to your account. Internal support requires explicit written consent (escalation token granted by you) for read access, with all access logged in your audit trail.

Have a question we didn't answer?

Email [email protected] — we read every message and reply within one business day.

Compliance questionnaires welcome · NDA on request · No salespeople