All Collections
Compliance and Regulation
Security, GDPR, and more
Security: does doxy.me meet FIPS 140-2 standards?
Security: does doxy.me meet FIPS 140-2 standards?

Everything you need to know about how doxy.me handles cryptographic keys and modules

Dylan Turner avatar
Written by Dylan Turner
Updated over a week ago

If your organization or practice requires doxy.me to meet FIPS 140-2 standards, here's information on how we handle cryptographic keys and modules.

FIPS 140-2 refers to the Federal Information Processing Standards Publication detailing Security Requirements for Cryptographic Modules, and while the standards are meant for U.S. government computers and systems, any organization may rely on the standards. FIPS 140-2 has four increasing levels of security that a system may meet: Security Levels 1-4.

How doxy.me maintains cryptographic keys

Doxy.me contracts with a third-party HIPAA-compliant application hosting platform provider to ensure our Amazon Web Services infrastructure is safe and secure. This provider has a signed BAA in place with doxy.me and helps with various operations and security tasks such as database backups, server availability and uptime monitoring, intrusion detection and prevention, and managing cryptographic keys.

Among other offerings from AWS, doxy.me utilizes the AWS Key Management System (KSM) and the associated Hardware Security Modules (HSM). These keys are rotated regularly and are custom (256-bit AES encryption).

Is AWS KMS HSM FIPS 140-2 compliant?

Yes, it is. The AWS KMS Hardware Security Modules were reviewed by an independent lab and then by the Cryptographic Module Validation Program operated by NIST. You can find the official verification here.

Overall, AWS KMS HSMs are validated at a Security Level 2 and at Security Level 3 in the following areas:

  • Cryptographic Module Specification

  • Roles, Services, and Authentication

  • Physical Security

  • Design Assurance

As an important reminder, doxy.me does not store ePHI and you may only conduct a video or audio call with a patient through an end-to-end encrypted connection. All application data is encrypted at rest and in-transit to as specified in our internal policies and procedures.

If you have further questions regarding any of doxy.me's security practices, please visit our privacy and security section in the Help Center.

If you have any other questions, please contact our support team.

Did this answer your question?