Opero Fax App Security Statement
Opero Fax is a web application plugin for Salesforce that allows you to send and receive faxes from your own Salesforce org. The customer owns their own Salesforce org under contract with Salesforce. The customer implements Opero Fax in their own Salesforce org by installing the app from the Salesforce AppExchange and configuring it for their use. The customer decides and implements their own process within Salesforce for what they fax. That content is not controlled by Opero Fax.
Opero Fax must pass the Salesforce security review in order to be published on the Salesforce AppExchange. Salesforce routinely conducts security reviews annually on all apps published on its AppExchange.
When you install the Opero Fax app into your Salesforce org, the code for the application is installed and copied into your org, but remains hidden from view for copyright protection. You then connect your Salesforce org to our external web application, written in .NET and hosted on Azure (Microsoft Cloud), using an OAuth token. Our code running on the Azure cloud server has an MS SQL database that stores only reference data: your org Id, fax numbers, date/time stamps, and the Ids of records. No faxes, PDFs, or sensitive information is stored outside of your own Salesforce org. Azure is the leading cloud server platform; our server is managed by Microsoft and is configured with a firewall so that only specific IP addresses can access the database. Azure/Microsoft manages the server for us, including all security aspects of physical access and monitoring.
The eFax server and the Azure server are located on the west coast of the USA.
Our .NET code communicates with eFax Developer (J2, eFax) via their API to transmit the faxes. They also do not store the fax data and keep only records for reference, such as fax number, date/time, and Ids. eFax is the leading electronic fax solution on the market, which is why we partnered with them to be the backbone of our fax app for Salesforce. The eFax Developer server is located in the USA. The eFax Developer platform is also HITRUST certified. Here are links to some of their security statements: https://enterprise.efax.com/industry/healthcare & https://enterprise.efax.com/online-fax-services/fax-api. If you require a SOC or security report beyond what is stated in this article, you can contact support for further assistance. A signed NDA will be required for security reports from eFax. For the Azure SOC report, you can view this article. More security information on identity management for Azure can be found here.
When you send a fax from Salesforce, the document is encrypted with HTTPS/TLS before it hits the network. HTTPS is used to transmit the data from Salesforce to Azure and from Azure to eFax. Salesforce and eFax do not allow any communication that falls outside current security standards.
When a fax is received, eFax transmits it to the Opero Fax server (on Azure), and we transmit it to your Salesforce org, all over HTTPS. The fax data is encrypted in transit and is removed once transmitted. eFax keeps the fax data only if transmission fails, retrying for up to 24 hours. After 24 hours, the fax data is deleted from their system (HIPAA compliant).
Opero Fax Flow Chart
Opero Fax/ eFax HIPAA Compliance
The Department of Health and Human Services, the federal agency that deals with HIPAA, has stated in the Federal Register that “entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates” and “a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” In other words, if we are merely transporting information (which is what we do), whether you qualify as a conduit depends on whether and how you access the information.
We don’t access the information apart from on a random or infrequent basis. See more detail here or in the HIPAA statement.