BAA and compliance
What our Business Associate Agreement covers, what we need from you, and how to handle PHI on each plan.
A signed Business Associate Agreement (BAA) is required before any real PHI flows through your TakeFax workspace.
Quick reference
| | Free | Starter | Growth | Practice |
|---|---|---|---|---|
| Use with real PHI | ❌ | ❌ | ❌ | ✅ |
| Use with synthetic / de-identified faxes | ✅ | ✅ | ✅ | ✅ |
| BAA available | — | — | — | ✅ |
The product is fully usable in non-PHI mode on Free, Starter, and Growth — you can pilot the workflow with synthetic test faxes generated from any of these public datasets (link coming soon).
What our BAA covers
- Inbound and outbound fax content stored in your workspace
- AI-generated triage records (classification, extracted fields, action items)
- Audit log, user activity, role assignments
- PHI processed by model endpoints, under our upstream BAAs with the model providers
What we need from you
- Practice plan — required for live PHI traffic
- A designated security contact at your organization
- Acceptance of our standard BAA (we publish the current version on request), or a redline cycle if you require yours
How to request
Email baa@takefax.com with your organization name and security contact. We'll send the standard BAA the same business day; most signings close in under a week.
Storage and encryption
- TLS 1.3 in transit (provider webhooks, dashboard, API)
- AES-256 at rest (fax PDFs, OCR text, structured triage records)
- Per-tenant isolation — queries in one workspace can't reach another, by construction
- 30-day retention on model-provider request logs, then purged
- Nothing used to train models — yours or anyone else's
Things we haven't claimed (yet)
We do not currently claim SOC 2 or HITRUST. SOC 2 Type I is targeted for Q3 with Type II to follow. We'll publish the report when we have it. We'd rather underclaim than misrepresent.