mintfax is not PCI-DSS certified. If your fax workflows involve documents that contain cardholder data (credit card numbers, expiration dates, CVVs, or other account data covered by PCI-DSS), this page explains what mintfax does and does not provide, so you can make an informed decision about your compliance posture.

What PCI-DSS requires

PCI-DSS applies to any organization that stores, processes, or transmits cardholder data. When you send a fax containing a credit card number through mintfax, the document passes through mintfax infrastructure during processing and delivery. That puts mintfax in scope as a service provider for your PCI-DSS assessment. Because mintfax is not PCI-DSS certified, you cannot rely on a compliance attestation from mintfax to satisfy your PCI obligations for the fax transmission path. You need to evaluate whether the controls mintfax provides are sufficient for your risk profile, or whether a certified fax provider is required.

What mintfax provides

mintfax does not offer a separately hardened PCI subsystem, but several existing controls reduce exposure when faxing cardholder data.

Zero-footprint mode

Zero-footprint mode deletes fax documents and fax-related metadata as soon as the fax reaches a terminal state (delivered, permanently failed, or canceled). A short window measured in minutes allows you to retrieve the result via the API before cleanup runs. After cleanup, no document content remains on mintfax infrastructure.

This does not eliminate processing exposure. During submission, queuing, and carrier delivery, the document exists in transit and at rest on mintfax infrastructure. Zero-footprint mode minimizes the retention window but does not eliminate it.

Enable zero-footprint mode per workspace:
curl -X PUT https://api.mintfax.com/v1/account/settings \
  -H "Authorization: Bearer fx_test_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"zero_footprint": true}'

Encryption

All fax documents are encrypted at rest in S3 using AES-256 (SSE-S3). All API connections require TLS 1.2 minimum, with TLS 1.3 on customer-facing endpoints. Webhook payloads are delivered over HTTPS and signed with HMAC-SHA256.

Audit logging

Every fax submission, status change, and API key event produces an immutable audit log entry. Logs are scoped per workspace, retained for the lifetime of the workspace, and exportable as JSON or CSV.

Manual deletion

You can delete any fax in a terminal state at any time via DELETE /fax/{id}, without waiting for the retention window to expire.

What mintfax does not provide

  • PCI-DSS certification or attestation. mintfax has not undergone a PCI-DSS audit and cannot provide an Attestation of Compliance (AOC) or Report on Compliance (ROC).
  • A hardened PCI subsystem. Faxes containing cardholder data travel through the same infrastructure as all other faxes. There is no separately certified processing path.
  • Tokenization or masking. mintfax does not inspect, tokenize, or mask cardholder data within fax documents. If you need to redact card numbers before faxing, do it in your application before submitting the document.
  • Control over the analog leg. The PSTN portion of a fax call is unencrypted by definition. Fax content transmitted over T.30 or T.38 is in the clear between the carrier and the receiving fax machine. No fax provider can encrypt this leg.

Practical guidance

If your PCI-DSS assessment requires a certified fax provider, mintfax is not the right choice today. If your compliance team accepts a risk-based approach with data minimization controls, the combination of zero-footprint mode, encryption, audit logging, and manual deletion may be sufficient. Work with your QSA (Qualified Security Assessor) to determine whether these controls satisfy your specific PCI-DSS requirements.

To minimize exposure regardless of your compliance posture:
  1. Redact before sending. Mask or tokenize cardholder data in the document before submitting it to mintfax. If the document never contains a full PAN, the fax transmission path is out of PCI scope.
  2. Enable zero-footprint mode. Ensure no document content persists on mintfax infrastructure after delivery.
  3. Verify webhooks. Confirm delivery via signed webhook events rather than polling, so you know exactly when cleanup has occurred.
  4. Limit access. Use separate workspaces for PCI-sensitive workflows to isolate API keys and audit trails.
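
One way to implement step 1 in your own application, shown as an added example (not mintfax code or part of the mintfax API): mask every Luhn-valid card number in the document text, keeping only the last four digits, before the document is submitted. The names `luhn_valid`, `redact_pans` and `SAMPLE` are hypothetical, the sample text is constructed, and the code assumes you have already extracted the document text (a PDF or scanned image needs text extraction or OCR first).

```python
import re

# Runs of 13+ digits, allowing single space/hyphen separators as printed on forms.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,}")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str, keep_last: int = 4) -> tuple[str, int]:
    """Mask Luhn-valid 13-19 digit numbers in place; return (text, count).

    Separators are kept so layout does not shift. The scan fails toward
    over-masking: a long non-card number containing a Luhn-valid window
    is masked too, which is the safer error before transmission.
    """
    chars = list(text)
    found = 0
    for run in DIGIT_RUN.finditer(text):
        # Absolute offsets of each digit in the run (separators skipped).
        pos = [i for i in range(run.start(), run.end()) if text[i].isdigit()]
        digits = "".join(text[i] for i in pos)
        start = 0
        while start + 13 <= len(digits):
            # Longest window first: a PAN may sit next to other digits.
            for length in range(min(19, len(digits) - start), 12, -1):
                if luhn_valid(digits[start:start + length]):
                    for i in pos[start:start + length - keep_last]:
                        chars[i] = "*"
                    found += 1
                    start += length
                    break
            else:
                start += 1
    return "".join(chars), found

# Constructed sample using public test card numbers, not real account data.
SAMPLE = (
    "Card: 4111 1111 1111 1111 exp 12/27\n"
    "Amex: 3782-822463-10005\n"
    "Invoice: 1234567890123\n"
)
```

Treat the returned count as a signal as well: log it (never the matched digits) so you can see which workflows still generate documents containing card numbers.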

What to do next

  • Data retention - retention modes, zero-footprint behavior, and what gets deleted vs retained
  • HIPAA compliance - a related compliance model with BAA signing, if your workflows also involve health data
  • Webhook signing - verify delivery confirmations are authentic