Security you can verify.

LuzardoFax is built from the ground up to meet HIPAA Security Rule requirements for Protected Health Information (PHI). Every paid plan — from Solo to Business — includes the same encryption, the same BAA terms, and the same audit infrastructure.

• Instant online BAA — signed during account onboarding with timestamp and IP capture. No printable PDFs to fax back, no manual paperwork.
• Subprocessor BAAs — we have signed BAAs in place with all third parties that touch PHI, including Vultr (hosting), Telnyx (fax transport), and SendGrid (email).
• HIPAA Privacy Rule — access controls, audit trails, breach notification procedures, and data minimization built in.
• HIPAA Security Rule — administrative, physical, and technical safeguards. Risk assessments performed before every major change.

• In transit — TLS 1.3 for all web traffic. TLS-encrypted SIP for fax transmission to Telnyx.
• At rest — AES-256-GCM encryption on all fax PDFs, contact data, and audit logs in our database.
• Backups — Encrypted at rest with separate keys from production data. Stored in isolated environments.
• Email notifications — TLS-encrypted in transit via SendGrid. Optional Secure Mode sends a link instead of attaching the PDF.
• Passwords — bcrypt hashing with strong cost factors. We can't see your password — even we can't read it.

LuzardoFax production infrastructure runs on Vultr in their Miami, FL region. Vultr maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and HIPAA-aligned controls, with independently audited compliance reports available.

Important context: SOC 2 certifications belong to the provider, not us. Vultr's certifications validate that their infrastructure meets those standards — they don't automatically certify our application. Our responsibility is to configure their infrastructure correctly, sign the BAA with Vultr, and apply our own controls on top.

• Region — Miami, FL (US-only data residency)
• Network — DDoS mitigation, firewall isolation, private networking between services
• Backups — Daily encrypted backups with 30-day retention
• Monitoring — 24/7 infrastructure monitoring with automatic alerts

• Two-factor authentication — Optional on Solo/Plus/Team. Enforced on Business and Enterprise plans.
• Role-based access — On Business plans, admins control who has which permissions: send, receive, manage users, view audit logs.
• Session management — JWT tokens with reasonable expiry. Sessions revoked instantly on logout.
• Password requirements — Minimum length, complexity, and breached-password checks at signup.
• Account isolation — Multi-tenant architecture with strict account-level data separation enforced at every database query.

Every action that touches PHI or account configuration is logged with timestamp, user, IP address, and user agent. Account admins can view and export logs anytime from the dashboard.

• Fax send / receive / view / download / delete events
• Login attempts (successful and failed)
• Settings changes (security, notifications, billing)
• User add / remove / permission changes
• BAA signing event with IP and timestamp
• Exports in CSV format · API access on Business+

Logs are retained for the full 7-year HIPAA standard — same as your faxes.

Every subprocessor that processes Protected Health Information has a signed Business Associate Agreement with us. Where applicable, they also maintain their own SOC 2 / ISO certifications.

If we add or replace a subprocessor, we'll notify all customers 30 days in advance. Need the full list with effective BAA dates? Contact us — we'll send you a current copy.

We follow the HIPAA Breach Notification Rule. In the event of any incident affecting PHI:

• Detection — 24/7 monitoring of infrastructure and application logs flags anomalies for review.
• Containment — Immediate isolation of affected systems and forensic preservation.
• Notification — Affected customers notified within statutory HIPAA deadlines (60 days max, typically much faster).
• Disclosure — Full transparency: what happened, what data was affected, what we're doing to prevent it again.
• Post-incident — Root-cause analysis, corrective actions documented, BAA review updated.

For security concerns or to report a vulnerability, email [email protected].

Faxes, audit logs, and account history are retained for 7 years from the original transmission date, matching the standard HIPAA documentation retention period. The same retention applies on every plan — Solo or Business — at no additional cost.

• During retention — Faxes are searchable, downloadable, and available 24/7 in your inbox.
• After 7 years — Faxes move to cold archive. Still recoverable on request via support, but no longer indexed in the inbox.
• On cancellation — 30 days read-only access to download anything you need. After 30 days, account data is archived per HIPAA retention obligations and deleted when the 7-year window expires.
• Customer-initiated deletion — You can request earlier deletion of specific faxes (e.g., to comply with patient rights). Audit log entries are preserved per HIPAA.

Security is not a one-time effort. As we grow, here's what's planned for the LuzardoFax security program:

• Hardware key support (FIDO2 / WebAuthn) — for high-security customers who want phishing-resistant 2FA.
• IP allowlisting — Enterprise feature, currently in development.
• SSO with Google, Microsoft, Okta — Enterprise plans.
• Bug bounty program — once we cross certain volume thresholds, we'll launch a responsible disclosure program.
• Third-party penetration testing — Annual external pen testing once our customer base reaches the volume that justifies it.