Today
- TLS 1.2+ everywhere. Every request to faxloo.com, app.faxloo.com, and api.faxloo.com is HTTPS-only.
- Encryption at rest. Fax content is stored briefly in Supabase Storage (S3-compatible) with at-rest encryption, then purged after the retention window.
- No PHI in logs. Fax content, recipient details, and authentication tokens are never logged. Application logs contain only request metadata.
- Stripe handles cards. We never see your card number — Stripe's PCI-DSS-compliant infrastructure handles all payment data.
- Sub-processors disclosed. See the privacy policy for the full list of vendors that process data on our behalf.
What's not here yet
- HIPAA BAA. Not yet. We're building toward it; once available, we'll list it here with the audit details.
- SOC 2. Not yet.
- ISO 27001. Not yet.
We list what's true now and what isn't. If your use case requires any of the missing items, please use a service that has them and check back with us later.
Reporting a vulnerability
Email security@faxloo.com. We respond within 48 hours.