Security & Compliance

Compliant by Design. Secure by Protocol.

T38Fax is SOC 2 Type II certified and HIPAA compliant. The compliance story starts with how T.38 works — and it's simpler than most vendors make it.

Compliance That Starts at the Architecture Level

Most fax compliance conversations begin with certifications and end with a list of controls. With T38Fax, it’s worth starting one level deeper — with how T.38 actually works — because it changes the shape of every compliance question that follows.

T.38 is a real-time fax transmission protocol. When your equipment sends a fax over T38Fax, the data travels through our network in real time and terminates at the destination. We don’t store fax content on our servers. We don’t buffer it, index it, or retain it. There is no database of transmitted documents on our end, because the protocol doesn’t create one. The fax passes through and it’s gone — the same way a phone call works on a traditional POTS line.

This isn’t a policy decision. It’s a consequence of how the protocol operates. And it has direct, meaningful implications for HIPAA, for data security, and for the compliance posture of any organization that handles sensitive documents over fax.

T38Fax Compliance at a Glance

HIPAA Compliant

T.38 real-time protocol — no PHI stored. Conduit exception applies. BAA not required.

SOC 2 Type II Certified

Independently audited security controls over an extended observation period. Report available on request.

IPSec VPN Encryption

Optional encrypted transport at no additional charge. Encrypts SIP signaling and media path.

Private Dedicated Circuits

MPLS and direct cloud connections for environments requiring full network isolation.

No Business Associate Agreement Required

T38Fax is HIPAA compliant. For healthcare organizations, the most important practical consequence of this is straightforward: a Business Associate Agreement is not required.

Under HIPAA, a vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity is a Business Associate, and a BAA is required. But HIPAA includes an important exception for “conduits” — entities that transmit PHI but do not access or store it. The classic example is a postal carrier: it handles envelopes containing PHI but never opens them, so it is not a Business Associate.

T38Fax operates as a conduit under this exception. When a healthcare organization sends a fax containing PHI over T38Fax, the data passes through our network in real time. We transmit it. We don’t store it, access it, or retain copies of it. Because we don’t maintain PHI — we only move it — HIPAA’s conduit exception applies and the BAA requirement does not.

What this means for your compliance checklist: If your organization uses T38Fax to transmit faxes containing PHI, you do not need to execute a Business Associate Agreement with us before going live. This simplifies your vendor onboarding process and removes a contract negotiation from your compliance workflow. That is a meaningful difference compared to store-and-forward fax services, where PHI sits in a vendor database and a BAA is required.

If your compliance team requires written confirmation of our HIPAA posture, contact our sales team and we can provide documentation for your records.

Independently Audited Security Controls

T38Fax is SOC 2 Type II certified. SOC 2 Type II is an independent audit of a service provider’s security controls conducted by a third-party CPA firm. Unlike a SOC 2 Type I report — which is a point-in-time assessment — Type II covers an extended observation period, typically six to twelve months. It confirms that our security controls were not just designed correctly, but were operating effectively over time.

For enterprise procurement teams evaluating T38Fax, SOC 2 Type II certification means you have independent third-party verification of our security posture — not just our self-attestation. It is increasingly a baseline requirement for vendor approval in enterprise and regulated-industry environments.

Encryption and Private Network Options

For organizations that require encrypted transport between their infrastructure and T38Fax, we offer two options that address different levels of requirement.

IPSec VPN tunnels are available at no additional charge. A VPN tunnel encrypts the SIP signaling and UDPTL media path between your network and our gateways, so fax traffic travels through an encrypted tunnel across that entire path rather than unprotected over the public internet. This is the right option for most organizations with encryption requirements: it adds a meaningful layer of transport security without adding cost or significant configuration complexity.

Private dedicated circuits are available for environments with stricter network isolation requirements. If your security policy prohibits fax traffic from traversing the public internet under any circumstances, as is common in certain government, financial, and defense-adjacent environments, we can provision a private MPLS or direct circuit connection between your facility and our network. Additional monthly charges apply for this option; contact our sales team for details and lead times.

Direct Connections for Cloud-Hosted Fax Infrastructure

Organizations running fax servers or fax-capable infrastructure in cloud environments — AWS, Azure, and similar platforms — can connect to T38Fax directly without routing traffic through an on-premises network. Direct cloud interconnects are available for environments where standard SIP over the public internet does not meet your network policy requirements.

If your fax server runs in a hosted environment and you have specific connectivity requirements, contact our sales team to discuss your architecture. We’ve worked through a wide range of hosted configurations and can advise on the right connection model for your setup.

Questions About Your Compliance Requirements?

Our team can walk through your specific environment, answer compliance questions, and help you confirm T38Fax meets your requirements before you commit to anything.