SOC 2 certification has become table stakes for enterprise software vendors and service providers. If your organization handles customer data and uses fax, your auditor will have questions. Here’s what to expect and how to prepare.
SOC 2 and Fax: The Basics
Trust Services Criteria Relevant to Fax
SOC 2 audits evaluate controls against five Trust Services Criteria. Four are relevant to fax operations:
Security (Required)
- Access controls
- Encryption
- Network protection
- Change management
Availability
- System uptime
- Disaster recovery
- Incident response
- Backup procedures
Confidentiality
- Data classification
- Encryption requirements
- Access restrictions
- Disposal procedures
Privacy
- Personal information handling
- Consent management
- Data subject rights
- Retention policies
Where Fax Enters the Picture
Fax creates SOC 2 considerations when:
- Customer data is transmitted via fax
- Fax is part of business processes
- Third-party fax services handle data
- Fax records require retention
Auditor Questions by Category
Security Controls
Access Management
Auditor will ask:
- Who has access to fax systems?
- How is access provisioned and deprovisioned?
- Are there unique user IDs?
- Is multi-factor authentication implemented?
Evidence to prepare:
- User access list with roles
- Access request/approval records
- MFA configuration documentation
- Access review records
Encryption
Auditor will ask:
- Is fax data encrypted in transit?
- Is fax data encrypted at rest?
- What encryption standards are used?
- How are encryption keys managed?
Evidence to prepare:
- Encryption configuration documentation
- TLS certificate information
- Key management procedures
- Encryption audit logs
Logging and Monitoring
Auditor will ask:
- What fax activities are logged?
- How long are logs retained?
- Who reviews logs?
- How are anomalies detected?
Evidence to prepare:
- Log configuration settings
- Sample log entries
- Log review procedures
- Monitoring alert configuration
Availability Controls
System Uptime
Auditor will ask:
- What is the uptime SLA?
- How is uptime measured?
- What were actual uptime metrics?
- How are outages handled?
Evidence to prepare:
- SLA documentation
- Uptime monitoring reports
- Incident records
- Post-incident reviews
Business Continuity
Auditor will ask:
- What happens if the fax system fails?
- Is there disaster recovery capability?
- How quickly can service be restored?
- When was DR last tested?
Evidence to prepare:
- Business continuity plan
- Disaster recovery procedures
- DR test results
- Recovery time documentation
Confidentiality Controls
Data Protection
Auditor will ask:
- How is confidential information identified?
- What protections exist for confidential faxes?
- Who can access confidential fax data?
- How is confidentiality enforced?
Evidence to prepare:
- Data classification policy
- Access control matrix
- Confidentiality controls documentation
- Training records
Data Disposal
Auditor will ask:
- How long is fax data retained?
- How is fax data disposed of?
- Is disposal documented?
- Are retention policies enforced?
Evidence to prepare:
- Retention policy
- Disposal procedures
- Disposal records
- Automated retention configuration
Vendor Management
Third-Party Risk
Auditor will ask:
- Who is your fax service provider?
- Does the vendor have SOC 2?
- How do you assess vendor security?
- What’s in the service agreement?
Evidence to prepare:
- Vendor SOC 2 report
- Vendor assessment documentation
- Service agreement/contract
- Security questionnaire responses
Cloud vs. On-Premise Considerations
Cloud Fax (SaaS)
Advantages for SOC 2:
- Vendor maintains infrastructure controls
- SOC 2 reports often available
- Encryption typically built-in
- Access controls integrated
Auditor focus areas:
- Vendor due diligence
- Data handling agreements
- Access management
- Integration security
On-Premise Fax
Your responsibility:
- All infrastructure controls
- Physical security
- Encryption implementation
- Backup and recovery
- All monitoring and logging
Auditor focus areas:
- Direct control evidence
- Change management
- Vulnerability management
- Capacity planning
Control Matrix: Fax Operations
| Control Area | Control Description | Evidence Required |
|---|---|---|
| Access Control | Unique user IDs for fax access | User list, ID policy |
| Access Control | Role-based permissions | Role definitions, access matrix |
| Access Control | Access reviews performed | Review records, cadence |
| Access Control | MFA for administrative access | MFA configuration |
| Encryption | TLS 1.2+ for transmission | Certificate, configuration |
| Encryption | AES-256 for storage | Encryption settings |
| Encryption | Key rotation performed | Key management records |
| Logging | All fax activities logged | Log configuration, samples |
| Logging | Logs retained per policy | Retention settings |
| Logging | Log integrity protected | Tamper protection config |
| Monitoring | Uptime monitoring active | Monitoring dashboards |
| Monitoring | Security alerts configured | Alert configuration |
| Monitoring | Anomaly detection in place | Detection rules |
| Vendor Mgmt | Vendor SOC 2 reviewed | Review documentation |
| Vendor Mgmt | Security requirements in contract | Contract excerpt |
| Vendor Mgmt | Ongoing monitoring performed | Assessment records |
Common Audit Findings
Finding 1: Incomplete Access Reviews
Problem: Fax system access not included in quarterly access reviews.
Solution: Add fax systems to access review scope. Document review of all users with fax access, including administrators.
Finding 2: Missing Encryption Documentation
Problem: Cannot demonstrate encryption in transit for fax transmissions.
Solution: Obtain TLS configuration documentation from provider. For on-premise, document encryption settings and certificate management.
Finding 3: Insufficient Logging
Problem: Fax logs don’t capture required security events.
Solution: Enable comprehensive logging including:
- User authentication events
- Configuration changes
- Transmission records
- Access to stored faxes
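As an added example (not from the original article), a small Python check that a fax audit-log export actually contains events in each of the four categories above, and that flags two related evidence gaps an auditor would notice. The JSON line format and event names are assumed, and the sample lines are constructed.

```python
"""Added example: does a fax audit-log export cover the event categories
an auditor expects? Log format and event names are assumed."""
import json
# Finding 3's four categories, mapped to assumed event names.
REQUIRED_CATEGORIES = {
    "authentication": {"login_success", "login_failure", "logout"},
    "config_change": {"config_update", "user_added", "user_removed"},
    "transmission": {"fax_sent", "fax_received", "fax_failed"},
    "stored_fax_access": {"fax_viewed", "fax_downloaded", "fax_deleted"},
}

def categorize(event_type):
    """Return the required category an event belongs to, or None."""
    for category, names in REQUIRED_CATEGORIES.items():
        if event_type in names:
            return category
    return None

def check_log_coverage(lines):
    """Summarise gaps an auditor would flag: categories with no events,
    events lacking a user id (the unique-user-ID control), and lines that
    do not parse (an incomplete or inconsistent export)."""
    seen, no_user, malformed = set(), [], 0
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        category = categorize(record.get("event"))
        if category is None:
            continue  # e.g. heartbeats: not a required security event
        seen.add(category)
        if not record.get("user_id"):
            no_user.append(record["event"])
    return {
        "missing_categories": sorted(set(REQUIRED_CATEGORIES) - seen),
        "events_without_user": no_user,
        "malformed_lines": malformed,
    }

# Constructed sample: no config-change events, one empty user id, one non-JSON line.
SAMPLE_LOG = [
    '{"ts":"2024-03-01T09:00:00Z","event":"login_success","user_id":"jdoe"}',
    '{"ts":"2024-03-01T09:02:10Z","event":"fax_sent","user_id":"jdoe","pages":3}',
    '{"ts":"2024-03-01T09:05:00Z","event":"fax_viewed","user_id":"","fax_id":"F-1001"}',
    '{"ts":"2024-03-01T09:06:00Z","event":"heartbeat"}',
    "2024-03-01 09:07:00 fax_received (legacy text line)",
]
```

Run it against a real export from your fax platform (after mapping its event names into `REQUIRED_CATEGORIES`) and keep the output with the log samples you hand the auditor; an empty `missing_categories` list is the evidence Finding 3 asks for.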
Finding 4: Vendor Assessment Gaps
Problem: No documented assessment of fax service provider.
Solution: Obtain vendor SOC 2 report. Document review and acceptance. Include fax vendor in annual vendor assessment program.
Preparing for Your Audit
90 Days Before
- Inventory all fax systems and services
- Request vendor SOC 2 reports
- Review current control documentation
- Identify gaps in evidence collection
60 Days Before
- Implement any missing controls
- Update policy documentation
- Begin evidence collection
- Conduct internal assessment
30 Days Before
- Complete evidence compilation
- Perform control testing
- Address any identified issues
- Prepare walkthrough materials
During Audit
- Provide requested evidence promptly
- Schedule system demonstrations
- Clarify questions immediately
- Document auditor requests
The Cloud Fax Advantage
Modern cloud fax platforms simplify SOC 2 compliance:
| Requirement | Cloud Fax | On-Premise |
|---|---|---|
| Vendor SOC 2 | Available | N/A |
| Encryption | Built-in | Must implement |
| Access controls | Integrated | Must configure |
| Audit logging | Automatic | Must enable |
| Uptime SLA | Contractual | Self-measured |
| DR capability | Included | Must build |
Selecting a SOC 2-certified cloud fax provider transfers significant control responsibility to the vendor and gives you ready evidence for your audit.
The Bottom Line
Fax operations don’t have to be a SOC 2 weak point. Whether you use cloud or on-premise fax, the key is treating fax with the same control rigor as any other system handling customer data.
The organizations that sail through SOC 2 audits are those that proactively identify fax in scope and implement appropriate controls—not those surprised when the auditor asks about that fax machine in the corner.
Preparing for SOC 2 and need help with fax controls? Let’s discuss your compliance requirements.