Security & Compliance
Security you can prove.
You’re trusting WestFax with data that decides outcomes — patient records, financial files, criminal-justice information. We hold the certifications and sign the agreements that let you show your auditors exactly how it’s protected.
The directory
Nine frameworks. One standard of care.
Choose any framework to see how WestFax meets it — and the documentation that backs it up.
HITRUST
Cybersecurity assurance
Independent, third-party assurance for our Cloud Fax Service — validated against NIST-, ISO-, and OWASP-aligned controls.
Read the announcementSOC 2
Trust services controls
Audited and attested against the AICPA Trust Services Criteria for security, availability, and confidentiality.
Email us for the reportPCI DSS
Cardholder data
Compliant with PCI DSS v4.0 for handling payment card data. Attestation available on request.
How we complyTX-RAMP
Texas state agencies
Certified under the Texas Risk and Authorization Management Program for use by Texas state agencies.
Download certificateHIPAA
Patient health data (PHI)
Meets or exceeds the HIPAA Security and Privacy Rules — with a Business Associate Agreement included on every plan.
See the compliance matrixGLBA
Financial customer data
Secure, encrypted fax for financial institutions safeguarding customer information under the Gramm-Leach-Bliley Act.
How we complyFERPA
Student education records
Protects the privacy of student education records for schools, districts, and institutions.
How we complyCJIS
Criminal-justice information
Aligned to the FBI CJIS Security Policy across all 13 policy areas for criminal-justice data.
How we complyPIPEDA
Canadian data residency
Canadian-hosted faxing that keeps transmission, processing, and storage in-country under PIPEDA.
How we complyHow we protect your data
One security foundation under every framework
The certifications differ. The controls underneath them don’t — every fax rides the same encrypted, audited, access-controlled platform.
- Transmission security
- The highest level of TLS available for data in transit — web, print driver, and API — plus TLS-protected SMTP (RFC 3207) and FTPS/SFTP.
- Encryption at rest
- AES-256 encryption of fax data at every phase of processing, guarded by Access Control Lists.
- Physical security
- SOC 2-compliant data centers with 24×7 guards, video surveillance, and biometric control of private-cloud areas.
- Access control
- Data isolated to a private-cloud environment, with unique user IDs, enforced password complexity, and multi-factor authentication.
- Data integrity
- End-to-end encryption and signature protocols prevent tampering in transit; every message is archived encrypted.
- Audit & monitoring
- Internal and external access logs reviewed in real time to detect and prevent security issues.
Questions
Common questions
Still have questions?
Tell us which framework you need to satisfy and we’ll get you the documentation and answers your auditors expect.
Certifications like HITRUST r2, SOC 2 Type II, PCI DSS, and TX‑RAMP are validated by independent third parties. Compliance with HIPAA, GLBA, FERPA, CJIS, and PIPEDA means our platform is built and operated to meet the requirements of a law or mandate. Some frameworks have no certifying body at all — for CJIS, there is no such thing as being “CJIS certified.”
Yes. A BAA is included with every WestFax plan, at no extra cost.
Yes. SOC 2, PCI, and other documentation are available through your account team.
Yes. WestFax offers Canadian-hosted faxing aligned with PIPEDA, PHIPA, and provincial privacy laws, with transmission, processing, and storage kept in-country. See PIPEDA & Canadian residency.
