Trust
Security
Last updated July 9, 2026
In plain terms: your data is encrypted in transit and at rest, isolated to your organization, reachable only through authenticated access, backed up, and monitored - and we never store your card numbers.
1. Our approach to security
FaxRx handles sensitive healthcare documents, so security is a core part of how the Service is designed and operated - not an afterthought. We protect data with encryption, strict access controls, per-organization isolation, and audit logging, and we hold our infrastructure providers to the same standard. Our HIPAA Compliance page covers how these controls map to Protected Health Information.
This page describes the security practices FaxRx maintains as of the date above. It is informational and may change as the Service evolves; it does not create any warranty and does not modify the Terms of Service or the Business Associate Agreement, which govern.
2. Data encryption
All data transmitted between your browser and FaxRx is encrypted using TLS 1.2 or higher. Fax documents, cover sheets, templates, and attachments stored on our platform are encrypted at rest using AES-256 encryption with managed keys. Encryption applies both while data moves across networks and while it is stored.
3. Authentication
Sign-in is handled through a dedicated identity provider that gives us modern, well-tested authentication controls:
- Support for multi-factor authentication.
- Single sign-on options.
- Secure session management with token rotation.
- Brute-force protection and rate limiting on sign-in.
- Industry-standard password hashing and strength requirements.
4. Access controls and tenant isolation
FaxRx is multi-tenant by design, with isolation enforced at the data-access layer. Every request for tenant data is scoped to the signed-in user's organization, so a customer cannot reach another organization's records. Access to stored fax documents is served only through authenticated, authorization-checked routes, so files are not publicly reachable. Within your organization, role-based permissions let administrators control who can act on the account.
5. Infrastructure
We build on established cloud infrastructure providers selected for their security posture. Where a provider may create, receive, maintain, or transmit Protected Health Information, we engage it under a Business Associate Agreement. We do not publish the names of our providers on our public pages; a current list is available to customers on request. Rate limiting and abuse protections guard our public endpoints.
6. Payment security
Payments are processed by a PCI DSS Level 1 certified payment processor. FaxRx never stores or transmits full card numbers on its servers; card data is handled directly between your browser and the processor. This keeps sensitive payment data out of our systems.
7. Fax transmission and storage
Faxes are transmitted through carrier-grade fax infrastructure. Transport providers that handle PHI are engaged under Business Associate Agreements that restrict their use and retention of fax content to what is necessary to provide the service. Received and sent documents are stored in a private, encrypted store that blocks public access; short-lived, signed links are minted only at the moment of an authorized action and are not persisted after use.
When you enable email delivery, received faxes are sent as attachments to the addresses you designate. We use TLS-secured transport where the receiving mail server supports it; because delivery to mailboxes we do not control uses opportunistic encryption, we cannot guarantee end-to-end encryption once a message leaves our systems. We keep the surrounding email metadata, including attachment file names, free of patient identifiers.
8. Reliability and backups
Fax documents and account data are stored on managed, redundant cloud infrastructure, and backups are encrypted. We design the platform for resilience so that data is protected against loss. We do not guarantee uninterrupted availability; the Terms of Service govern service availability and maintenance.
9. Logging, accountability, and personnel
Key events are logged with timestamps and the acting user, and audit records are written with tamper-evident integrity protection so that alteration can be detected. Access to production systems that may contain PHI is limited under least-privilege principles, and personnel with such access are bound by confidentiality and incident-reporting obligations. See our HIPAA Compliance page for the full description of audit logging and workforce controls.
10. Monitoring and incident response
We monitor our systems for errors, anomalies, and unauthorized-access attempts, with automated alerting on suspicious activity and error spikes. When a potential incident is detected, we investigate, contain, and remediate, and we review afterward to reduce the chance of recurrence. For any incident involving Protected Health Information, we follow the 60-day breach-notification commitment described on our HIPAA Compliance page.
11. Responsible disclosure
If you discover a potential security vulnerability in FaxRx, please report it responsibly to hello@fax-rx.com. We ask that you:
- Give us enough detail to reproduce the issue.
- Allow reasonable time for us to investigate and fix the issue before any public disclosure.
- Do not access, modify, or delete other users' data or any Protected Health Information.
- Do not degrade the Service or disrupt other customers.
If you make a good-faith effort to follow this policy, we will consider your testing authorized, will not pursue or support legal action against you for it, and will not treat it as a violation of our Terms of Service. This authorization is limited to your own test data. We aim to acknowledge valid reports promptly.
12. Ongoing security practices
Security is continuous. Our practices include:
- Automated scanning of dependencies for known vulnerabilities.
- Regular updates to frameworks, libraries, and runtime environments.
- Security review of application code and infrastructure configuration.
- Prompt patching of critical vulnerabilities as they are disclosed.
13. Contact us
For security questions or to report a vulnerability, contact us at hello@fax-rx.com.