Security & Compliance

Compliant by Design, Secure by Protocol

T38Fax is SOC 2 Type I certified and HIPAA compliant. The compliance story starts with how T.38 works — and it's simpler than most vendors make it.

Compliance That Starts at the Architecture Level

Most fax compliance conversations begin with certifications and end with a list of controls. With T38Fax, it’s worth starting one level deeper — with how T.38 actually works — because it changes the shape of every compliance question that follows.

T.38 is a real-time fax transmission protocol. When your equipment sends a fax over T38Fax, the data travels through our network in real time and terminates at the destination. We don’t store fax content on our servers. We don’t buffer it, index it, or retain it. There is no database of transmitted documents on our end, because the protocol doesn’t create one. The fax passes through and it’s gone — the same way a phone call works on a traditional POTS line.

This isn’t a policy decision. It’s a consequence of how the protocol operates. And it has direct, meaningful implications for HIPAA, for data security, and for the compliance posture of any organization that handles sensitive documents over fax.

T38Fax Compliance at a Glance

HIPAA Compliant

T.38 real-time protocol — fax content is never stored in transit. BAA available on request.

SOC 2 Type I Certified

Independently audited security controls. Report and trust page available on request.

IPSec VPN Encryption

Optional encrypted transport at no additional charge. Encrypts SIP signaling and media path.

Private Dedicated Circuits

SD-WAN and direct cloud connections for environments requiring full network isolation.

Fax Content Never Stored in Transit

T38Fax is HIPAA compliant. The key to understanding our compliance posture is understanding how T.38 actually works: fax data travels through our network in real time and terminates at the destination. We transmit it — we don’t store it, access it, or retain copies of it. There is no database of your transmitted fax documents on our infrastructure.

This is a meaningful structural advantage compared to store-and-forward fax services, where documents containing Protected Health Information sit in a vendor’s database and must be secured, audited, and defended as a standing compliance obligation. With T38Fax, the document is gone as soon as it’s delivered.

A note on call detail records: Like any telecommunications provider, T38Fax retains call metadata — transmission timestamps, originating and destination numbers, duration, and completion status. In some interpretations of HIPAA, call metadata associated with healthcare communications may be considered PHI. If your compliance program requires it, we are happy to enter into a Business Associate Agreement. Contact our sales team to request one.

If your compliance team requires written confirmation of our HIPAA posture or supporting documentation, contact our sales team and we can provide materials for your records.

Independently Audited Security Controls

T38Fax is SOC 2 Type I certified. SOC 2 is an independent audit of a service provider’s security controls conducted by a third-party CPA firm, confirming that our security controls are designed correctly to meet the Trust Services Criteria. SOC 2 certification is increasingly a baseline requirement for vendor approval in enterprise and regulated-industry environments.

Our security posture and certification status are published on our trust page at t38fax-incorporated.trust.site. For organizations that require the full SOC 2 report for vendor approval purposes, contact our sales team — we share the report with prospective customers under standard confidentiality terms.

Encryption and Private Network Options

For organizations that require encrypted transport between their infrastructure and T38Fax, we offer two options that address different levels of requirement.

IPSec VPN tunnels are available at no additional charge. A VPN tunnel encrypts the SIP signaling and UDPTL media path between your network and our gateways, so fax traffic travels over an encrypted channel rather than over the public internet. This is the right option for most organizations with encryption requirements — it adds a meaningful layer of transport security without adding cost or significant configuration complexity.

Private dedicated circuits are available for environments with stricter network isolation requirements. If your security policy prohibits fax traffic from traversing the public internet under any circumstances — as is common in certain government, financial, and defense-adjacent environments — we can provision a private SD-WAN or direct circuit connection between your facility and our network. Additional monthly charges apply for this option; contact our sales team for details and lead times.

Direct Connections for Cloud-Hosted Fax Infrastructure

Organizations running fax servers or fax-capable infrastructure in cloud environments — AWS, Azure, and similar platforms — can connect to T38Fax directly without routing traffic through an on-premises network. Direct cloud interconnects are available for environments where standard SIP over the public internet does not meet your network policy requirements.

If your fax server runs in a hosted environment and you have specific connectivity requirements, contact our sales team to discuss your architecture. We’ve worked through a wide range of hosted configurations and can advise on the right connection model for your setup.

Questions About Your Compliance Requirements?

Our team can walk through your specific environment, answer compliance questions, and help you confirm T38Fax meets your requirements before you commit to anything.