mintfax

HIPAA-grade compliance, on day one of self-serve.

Sign your BAA from your dashboard. AES-256 at rest, TLS 1.2+ in transit. Per-fax immutable audit log. No enterprise plan, no procurement cycle.

Sign a BAA before you send your first paid fax.

mintfax provides a Business Associate Agreement that covers fax submission, fax content storage, fax delivery to the carrier, and the metadata surrounding each fax. The BAA is the same template across every paid tier. There is no premium version, and the legal text does not change at higher volume tiers.

How to sign one

Sign in to your dashboard, open the workspace where you’ll be sending faxes, and click “Sign BAA” under Compliance. The agreement is e-signed via DocuSign. You’ll receive a countersigned copy by email within minutes. You can sign separate BAAs for separate workspaces if you operate multiple environments or multiple covered entities.

What it covers

The BAA covers all PHI flowing through mintfax: fax documents at submission, the file at rest in S3, the metadata in DynamoDB and MySQL, the delivery confirmations, the audit log entries, and the webhook payloads we send to your endpoints. It also covers our employees and contractors with access to that data, our subprocessors (listed below), and our incident response and breach notification procedures.

What it doesn’t cover

The BAA does not extend to upstream carrier infrastructure for the PSTN leg, the recipient fax machine and recipient infrastructure, your application code calling the mintfax API, your webhook endpoints receiving events from us, or the analog leg of the call (the PSTN itself is unencrypted by definition; fax content over T.30 / T.38 is in the clear at the carrier-to-recipient hop). We document this explicitly so you can scope your own compliance posture against ours without surprise.

What we encrypt. What we audit. What we keep.

Encryption

AES-256 at rest. TLS 1.2 minimum in transit, with TLS 1.3 on all customer-facing endpoints. Fax content uploaded via multipart is encrypted on write to S3 using SSE-S3 with AWS-managed keys. The DynamoDB tables holding API keys, balances, and idempotency records are encrypted at rest by default. Webhook signing uses HMAC-SHA256 with a per-account secret you can rotate at any time.

Authentication and access

API authentication uses bearer tokens, scoped per workspace. The dashboard uses passwordless email OTP by default; you can opt in to a password and TOTP 2FA from your account settings. SMS-based authentication is explicitly not used (NIST has deprecated SMS OTP for primary auth). Internal access to production systems is via short-lived AWS IAM credentials, not standing API keys; access is logged and reviewed quarterly.

Audit log

Every fax submission, status change, balance modification, API key event, and account membership change writes an immutable audit log entry. Audit logs are scoped per workspace, retained for the lifetime of the workspace, and exportable as JSON or CSV from your dashboard. The audit log is the primary evidence we surface in OCR investigations or your own internal compliance reviews.

Two retention modes. Pick yours per workspace.

Standard mode

Fax documents, fax images, recipient metadata, and transaction metadata are retained per the configured retention policy and then deleted. Default retention is 90 days, configurable per workspace. You can actively delete fax data at any time via the API (DELETE /v1/fax/{id}) without waiting for the policy to elapse. Billing records, credit transactions, and account information are retained permanently.

Zero-footprint mode

Fax documents and fax-related metadata are deleted immediately after the transaction reaches a terminal state - delivered, permanently failed, or canceled. Effectively, the retention timer is set to zero. This mode supports HIPAA’s minimum-necessary principle and is the right default for high-sensitivity workloads. Billing records remain.

You can switch between modes per workspace at any time. The change applies to new submissions; existing data is governed by the policy in effect at the time of submission.

Who else touches your data.

mintfax uses the following subprocessors. Each is bound by a BAA where applicable and selected against our compliance posture. We update this list when subprocessors change and notify customers in advance.

Subprocessor                        | Purpose                                     | BAA          | Region
Amazon Web Services (AWS)           | Compute, storage, API gateway               | Yes          | US East
InterFax (Upland)                   | Carrier - PSTN fax delivery                 | Yes          | US, multi-region
Carrier #2 (selection in progress)  | Carrier - PSTN fax delivery (active/active) | Yes          | TBD
Stripe                              | Payment processing for credit purchases     | N/A (no PHI) | US
AWS SES                             | Transactional email (OTP, notifications)    | Yes          | US East

We do not use general-purpose analytics, behavior tracking, or session-replay tools on api.mintfax.com or in the authenticated dashboard. Our marketing site uses privacy-respecting analytics (no third-party cookies). Customer data never flows to ad networks, lead-gen tools, or AI training pipelines.

Where we are, and where we’re going.

mintfax is HIPAA-aligned by design. We self-attest to the HIPAA Security Rule and Privacy Rule controls, sign BAAs at every paid tier, and operate against the 2026 HIPAA Security Rule requirements. HIPAA does not have an official certifying body; we self-attest and document our controls publicly.

Live today

  • HIPAA-aligned operating posture
  • BAA available at every paid tier (free, self-serve)
  • AES-256 at rest, TLS 1.2+ in transit
  • Per-workspace immutable audit log
  • Zero-footprint mode

On the roadmap

  • SOC 2 Type II - audit kickoff Q3 2026
  • HITRUST CSF - reviewing based on customer pull
  • Direct Trust / DSM gateway - exploring 2027

We do not pursue FedRAMP authorization. mintfax is not built for federal-government workloads; eFax (ECFax) is the only fax provider with FedRAMP High authorization, and that’s the right tool for that job.

Vendor portability

If you’re evaluating mintfax for a 5-10 year integration, the honest answer is that no vendor commitment is unconditional. The right question to ask is: if mintfax went away tomorrow, what would the migration look like? mintfax is built so the answer is “small.”

  • Standard REST/JSON API. No proprietary protocol, no client-library lock-in. Your integration code is portable to any modern fax API surface with a small mapping layer.
  • OpenAPI 3.1 specification at a stable URL. Documents the integration shape in a machine-readable form your team can preserve.
  • Carrier-agnostic error taxonomy. mintfax-owned codes mean your error-handling logic doesn’t bind to a specific carrier’s vocabulary.
  • Customer-owned data. Per-workspace audit logs are exportable as JSON or CSV from your dashboard, without a support ticket.
  • Standard Webhooks compatibility. Signed-webhook verification follows the Standard Webhooks spec, so receiver code is reusable.
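The two webhook statements above (HMAC-SHA256 with a rotatable per-account secret, and receiver verification per the Standard Webhooks spec) are what a receiving endpoint actually has to implement. The following is an added example, not mintfax's code or the Standard Webhooks reference library. It assumes the layout the Standard Webhooks spec defines: `webhook-id`, `webhook-timestamp` and `webhook-signature` headers, a `whsec_`-prefixed base64 secret, and a signed string of `{id}.{timestamp}.{body}`. The 300-second replay window is an assumed value, and the secret, timestamp, message id and event body are constructed fixtures.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Replay window. Assumed value; the Standard Webhooks spec leaves the tolerance
# to the receiver, and 5 minutes is the common default.
TOLERANCE_SECONDS = 300


def _decode_secret(secret: str) -> bytes:
    """Standard Webhooks secrets are 'whsec_' + base64(raw key bytes)."""
    if secret.startswith("whsec_"):
        secret = secret[len("whsec_"):]
    return base64.b64decode(secret)


def sign(secret: str, msg_id: str, timestamp: int, body: bytes) -> str:
    """Sender-side 'v1,<base64>' value over '{id}.{timestamp}.{body}'.
    Included only to build the constructed fixtures below; a receiver
    recomputes it to compare, but never needs to mint one."""
    signed_content = f"{msg_id}.{timestamp}.".encode() + body
    digest = hmac.new(_decode_secret(secret), signed_content, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(secret: str, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the raw body carries a fresh, valid v1 signature."""
    now = int(time.time()) if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        msg_id = lowered["webhook-id"]
        timestamp = int(lowered["webhook-timestamp"])
        signature_header = lowered["webhook-signature"]
    except (KeyError, ValueError):
        return False
    # Reject stale or future-dated deliveries before touching the MAC (replay defence).
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, msg_id, timestamp, body).encode()
    # During secret rotation the sender may send several space-separated signatures;
    # one valid v1 entry is enough. compare_digest keeps the comparison constant-time.
    for candidate in signature_header.split():
        if candidate.startswith("v1,") and hmac.compare_digest(candidate.encode(), expected):
            return True
    return False


# Constructed fixtures: not real mintfax credentials, ids or events.
DEMO_SECRET = "whsec_" + base64.b64encode(b"constructed-demo-key-do-not-use").decode()
DEMO_TS = 1_700_000_000
DEMO_BODY = b'{"id":"fax_demo_001","status":"delivered"}'


def demo_headers(secret: str = DEMO_SECRET, msg_id: str = "msg_demo_001") -> Dict[str, str]:
    """Headers a sender following the spec would attach to DEMO_BODY."""
    return {
        "webhook-id": msg_id,
        "webhook-timestamp": str(DEMO_TS),
        "webhook-signature": sign(secret, msg_id, DEMO_TS, DEMO_BODY),
    }


if __name__ == "__main__":
    print("valid delivery:", verify(DEMO_SECRET, demo_headers(), DEMO_BODY, now=DEMO_TS))
    print("tampered body:", verify(DEMO_SECRET, demo_headers(), DEMO_BODY + b" ", now=DEMO_TS))
    print("replayed later:", verify(DEMO_SECRET, demo_headers(), DEMO_BODY, now=DEMO_TS + 3600))
```

Two design points matter for a PHI-bearing endpoint. Verify over the raw request bytes before any JSON parsing, since re-serialising the body changes the signed content and can also exercise the parser on unauthenticated input. And check the timestamp before the MAC, so a captured delivery cannot be replayed after the window even if its signature is still valid for the current secret.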

Questions for compliance, security, or procurement?

Email [email protected] for questionnaire requests, BAA edits, audit reports, or anything we haven’t documented above. We respond within one business day. We don’t gate compliance documentation behind a sales conversation - if you need our SOC 2 report, our audit log architecture, or our incident response runbook, ask and we’ll send it.