Security & compliance
Built like a healthcare product, sold like a SaaS one.
Here's what's true today, what we have on the roadmap, and what we won't claim until earned.
What we encrypt
- TLS 1.3 for everything in transit, including provider webhooks and AI inference traffic.
- AES-256 for stored fax PDFs, OCR text, structured triage records, and per-tenant configuration.
- Tenants are fully isolated at the data layer — a query in one workspace can't reach another, by construction.
Who sees what
- On the Practice plan with a signed BAA, inference runs on HIPAA-covered model endpoints (Anthropic and OpenAI both offer enterprise BAAs).
- On Free, Starter, and Growth, you can pilot with synthetic or de-identified faxes. Live PHI requires Practice.
- Per-tenant model request logs are retained 30 days then purged. Nothing is used to train models — yours or anyone else's.
Roles + audit
- Role-based access on Growth and Practice: receptionists see the inbox, billers see prior auths, providers see only their own panel.
- Append-only audit log of every triage decision, override, and access event. Exportable for internal reviews and payer audits.
- SCIM + SSO (SAML / OIDC) on Practice.
Compliance roadmap
- Today: HIPAA-aligned controls, BAA available on Practice, per-tenant encryption, audit log.
- In progress: SOC 2 Type I targeted for Q3, Type II to follow.
- Watching: HITRUST r2 — we'll only pursue once the customer mix justifies it. We'd rather underclaim than misrepresent.
Future inbound channels
Fax is the wedge. The inbox is the product.
We're building for an industry that is slowly moving past fax. As your peers light up modern interop, we'll ingest those channels into the same triage queue:
- TEFCA + QHINs: Once Qualified Health Information Networks reach our ICP, document exchange flows through the same classification + queue.
- Direct Messaging (HISP): HISP-based clinical messages routed into the same inbox, with the same patient-matching and assignment.
- Payer APIs: CMS Interoperability Rule + FHIR Bulk Data — pull prior-auth status, eligibility, and member data into the workflow alongside inbound documents.
We're building the inbox you'll still use when fax volume finally drops.
Have a security review?
We'll share our latest SOC 2 progress and pen-test summary, and answer your questionnaire.