Compliance Guide
Online Fax Compliance: HIPAA, GDPR, PHIPA & SOC 2
Online fax is legal everywhere a paper fax is. Whether it's compliant is a different question, and the answer comes down to a signed agreement, real encryption, and proof the provider has been audited rather than just taking its own word for it. Here's how the major regimes work and which services actually meet them.
The short version: a fax service is "compliant" only when the provider signs the right agreement for your data (a BAA for US health data, a DPA for EU personal data), encrypts that data in transit and at rest, and can show an independent audit. Everything else is marketing.
If you only remember one thing: audited beats self-attested. A SOC 2 Type 2 or HITRUST report you can read is worth more than any "bank-grade security" badge.
Is online fax legally valid?
Yes, and this part is settled. An online fax carries the same legal weight as one sent from a machine on a phone line. The transmission confirmation acts as your proof of delivery, which is exactly why courts, government agencies, banks and hospitals still rely on fax for signed and time-sensitive documents. Sending it from the cloud instead of a desk-side machine changes nothing about its standing.
Legal validity and data-protection compliance are two separate tests, though. A fax can be perfectly valid as a document and still break privacy law if it moves regulated data through a service that has no agreement to handle it. The rest of this guide is about that second test.
What actually makes an online fax compliant
Four things decide it. A provider that nails the first one but skips the rest still isn't safe for regulated data.
Encryption, end to end
Documents have to be encrypted while they travel (TLS 1.2+) and while they sit on the provider's servers (AES-256). A fax pushed as plain-text email to a gateway fails this before it even leaves your outbox.
A signed agreement
For US health data you need a Business Associate Agreement (BAA); for EU personal data, a Data Processing Agreement (DPA). The provider becomes legally responsible the moment it handles regulated data on your behalf: no signed agreement, no compliance.
An independent audit, not a claim
There's a real gap between "we're HIPAA compliant" on a marketing page and a third-party SOC 2 Type 2 or HITRUST report you can actually read. Audited providers have been checked by someone other than themselves. Self-attested ones have not.
Where the data lives
Data residency decides which laws apply. GDPR favours data kept in the EU (or a country with an adequacy decision, like Switzerland); some sectors require it outright. Check where the provider stores faxes before you sign.
Compliance by regime
Which rules apply depends on what data you send and where everyone sits. The common requirement across all of them is a written agreement and encryption you can verify.
HIPAA + HITECH
United States · healthcare
What it requires: A signed BAA, encryption, access controls and audit logs, and breach notification. HITRUST CSF and FedRAMP are higher bars that large health systems and government-adjacent buyers often demand.
Who fits: Documo (BAA on every plan, HITRUST), eFax Protect (HITRUST + FedRAMP), iFax Plus and up (SOC 2 + ISO 27001), SRFax (BAA every plan).
PHIPA / PIPEDA
Canada · health & general
What it requires: Provincial health-privacy law (PHIPA in Ontario) plus federal PIPEDA. In practice: a signed agreement, Canadian or North-American data handling, and strong encryption.
Who fits: SRFax is purpose-built for this: native HIPAA/PHIPA/PIPEDA and free PGP encryption on every plan, with US/Canada coverage.
GDPR
European Union · personal data
What it requires: A Data Processing Agreement, a lawful basis, EU (or adequacy-country) data residency, and the EU-US Data Privacy Framework if data crosses to the US.
Who fits: Fax.Plus is the standout: Swiss-hosted under one of the strongest privacy regimes, ISO 27001 + SOC 2 Type II audited. Dropbox Fax publishes ISO 27018 and EU-US DPF coverage on its Trust Center.
APPI
Japan · personal information
What it requires: Japan's Act on the Protection of Personal Information governs how personal data is handled and transferred abroad. HIPAA is US-specific and only matters if you handle US patient data.
Who fits: Look for audited security (SOC 2 / ISO 27001) and clear cross-border transfer terms rather than a HIPAA badge, which doesn't map to Japanese law.
Sector rules
Legal · finance
What it requires: Law firms answer to confidentiality and privilege obligations; finance adds GLBA and, for card data, PCI DSS. The common thread is encryption, access control, and a provider that will put its obligations in writing.
Who fits: eFax and Fax.Plus carry the broadest certification stacks; SRFax adds free PGP for highly sensitive transmissions.
New to the BAA side of things? Start with our plain-English explainer on whether fax is HIPAA compliant.
Which fax services meet which standard
From the providers in our 2026 ranking. The column that matters most is "Audit": it's the difference between a checked claim and a promise.
| Service | Signed agreement | Audit | Certifications | Data region | Best for |
|---|---|---|---|---|---|
| Documo | BAA, every plan | Audited | HITRUST CSF, SOC 2 Type II | US | Clinical / EHR workflows |
| eFax | BAA, Protect plan | Audited | HITRUST, SOC 2, FedRAMP | US, 200+ countries | Enterprise & government |
| iFax | BAA, Plus plan & up | Audited (Pro) | SOC 2 Type 2, ISO 27001 | US/UK/CA/IT | Best-value audited HIPAA |
| Fax.Plus | BAA, Enterprise only | Audited | ISO 27001, SOC 2 Type II | Switzerland / GDPR | EU / international |
| Dropbox Fax | BAA, paid (on request) | Audited | SOC 2 Type 2, ISO 27001/27018 | US | Cloud-first teams |
| SRFax | BAA, every plan | Audited | HIPAA/PHIPA, free PGP | US / Canada | North-American compliance |
| CocoFax | BAA, on request | Self-attested | No public SOC 2 / HITRUST | Global | Budget (verify before PHI) |
FaxZero, MetroFax and MyFax don't offer HIPAA and aren't built for regulated data. Plans and terms change; always confirm the current BAA or DPA in writing before sending anything sensitive.
How to choose a compliant fax service
- Single-location clinic or small practice: iFax on the Plus plan ($24.99/mo) is the best-value audited HIPAA option, with a signed BAA included and SOC 2 + ISO 27001 on Pro. See the best fax for healthcare.
- Hospital, multi-site group, or government-adjacent: Documo (HITRUST, BAA on every plan, EHR integrations) or eFax Protect (FedRAMP). Full list in our HIPAA-compliant fax guide.
- EU business or GDPR data: Fax.Plus, which is Swiss-hosted, ISO 27001 + SOC 2 Type II audited, with a DPA available.
- Canadian health or legal: SRFax, with native HIPAA/PHIPA and free PGP on every plan.
- Law firm: encryption, e-signature and reliability matter most; see the best fax for law firms.
- On a budget with no regulated data: any audited provider works; just don't route PHI through a self-attested service.
This guide is general information, not legal advice. Your obligations depend on your organization, your jurisdiction, and how the service is configured; confirm the specifics with your privacy officer or counsel.
Frequently Asked Questions
Is online fax legally valid?
Yes. An online fax has the same legal standing as a paper fax in the US, EU, Canada and Japan, and the transmission confirmation serves as proof of delivery. Courts, agencies and healthcare organizations routinely accept cloud-sent faxes. Legal validity and data-protection compliance are separate questions, though: a fax can be valid but still mishandle regulated data.
Is online fax HIPAA compliant?
Only when the provider signs a Business Associate Agreement (BAA) and meets HIPAA's safeguards: encryption in transit and at rest, access controls and audit logs, and breach notification. Services that sign a BAA include Documo (every plan), iFax (Plus and up), SRFax (every plan), eFax (Protect) and Fax.Plus (Enterprise). A free service, or one that only self-attests, isn't a safe choice for PHI.
Is online fax GDPR compliant?
It can be, if the provider signs a Data Processing Agreement, keeps data in the EU or an adequacy country, and covers EU-US transfers under the Data Privacy Framework. Fax.Plus is the strongest fit (Swiss-hosted, ISO 27001 + SOC 2 Type II), and Dropbox Fax publishes ISO 27018 and EU-US DPF coverage. Confirm the DPA and data-residency terms for your use case.
What's the difference between audited and self-attested compliance?
Audited compliance means a third party, through SOC 2 Type 2 or HITRUST, has independently verified the provider's controls, and you can read the report. Self-attested is the vendor's own claim with no external check. For regulated data, choose audited. CocoFax, for instance, lists HIPAA, GDPR and PHIPA, but those claims are self-attested with no public SOC 2 or HITRUST audit.
Do I need a BAA or a DPA?
It depends on the data and region. For US protected health information you need a HIPAA Business Associate Agreement (BAA). For EU personal data you need a GDPR Data Processing Agreement (DPA). An organization handling both (say, a US clinic with EU patients) may need both, plus EU-US Data Privacy Framework coverage for transfers.
Which online fax service is the most compliant?
It depends on your regime. For US healthcare, Documo leads (HITRUST + BAA on every plan); eFax Protect adds FedRAMP for government-adjacent work. For the best value with an audited posture, iFax Plus ($24.99/mo) gives a signed BAA, and SOC 2 + ISO 27001 on Pro. For GDPR and EU data residency, Fax.Plus. For Canadian health and legal, SRFax.
Need a fax service that holds up to an audit?
See which providers sign a BAA or DPA and pass our security checks in the 2026 ranking.