A5 Fax App Security Statement

A5 Fax is a web application plugin for Salesforce that allows you to send and receive faxes from your own Salesforce org. The customer owns their Salesforce org under contract with Salesforce. The customer implements A5 Fax in their own Salesforce org by installing the app from the Salesforce AppExchange and configuring it for their use. The customer decides on and implements their own process within their Salesforce org in terms of what they are faxing. That content is not controlled by A5 Fax.

A5 Fax must pass the Salesforce security review in order to be published on the Salesforce AppExchange. Salesforce conducts a security review annually on all apps published on its AppExchange.

When you install the A5 Fax app into your Salesforce org, the code for the application is installed and copied into your org, but remains private for copyright protection. You then connect your Salesforce org to our external web application, written in .NET and hosted on Azure (Microsoft Cloud Server), using an OAuth token. Our code on the Azure cloud server has an MS SQL database that stores only reference data: your org ID, fax number, date/time stamps, and record IDs. No faxes, PDFs, or sensitive information are stored outside of your own Salesforce org. Azure is the leading cloud server platform; our server is managed by Microsoft and is configured with a firewall so that only specific IP addresses can access the database. Azure/Microsoft manages the server for us, including all security aspects in terms of physical access and monitoring. Our Azure server is located in the USA.

Our .NET code communicates with eFax Developer (J2, eFax) via their API to transmit the faxes. They also do not store the data; they keep only reference records such as fax number, date/time, and IDs. eFax is the leading electronic fax solution on the market, which is why we partnered with them to be the backbone of our fax app for Salesforce. eFax servers are located in Canada.

When you send a fax from Salesforce, the document is encrypted through HTTPS/TLS before it hits the network. HTTPS is used to transmit the data from Salesforce to Azure to eFax. Salesforce and eFax do not allow any communication that falls outside current security standards.

When a fax is received, eFax transmits it to the A5 Fax server (on Azure), and we transmit it to your Salesforce org, all through HTTPS. The fax data is encrypted only in transmission, then removed once transmitted. eFax keeps the fax data only while a transmission has not succeeded and is being retried, for up to 24 hours. After 24 hours, the fax data is deleted from their system (HIPAA compliant).

A5 Fax Flow Chart:

A5 Fax/ eFax HIPAA Compliance
The Department of Health and Human Services, the federal agency that deals with HIPAA, has stated in the Federal Register that “entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates” and “a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” In other words, for an entity that merely transports information (which is what we do), whether it qualifies as a conduit depends on whether and how it accesses the information.
We don’t access the information apart from on a random or infrequent basis. See more detail here or in the HIPAA statement.