Security: does meet FIPS 140-2 standards?

Everything you need to know about how handles cryptographic keys and modules

Written by Dylan Turner
Updated over a week ago

If your organization or practice requires to meet FIPS 140-2 standards, here's information on how we handle cryptographic keys and modules.

FIPS 140-2 refers to the Federal Information Processing Standards Publication detailing Security Requirements for Cryptographic Modules, and while the standards are meant for U.S. government computers and systems, any organization may rely on the standards. FIPS 140-2 has four increasing levels of security that a system may meet: Security Levels 1-4.

How maintains cryptographic keys

contracts with a third-party HIPAA-compliant application hosting platform provider to ensure our Amazon Web Services infrastructure is safe and secure. This provider has a signed BAA in place with and helps with various operations and security tasks such as database backups, server availability and uptime monitoring, intrusion detection and prevention, and managing cryptographic keys.

Among other offerings from AWS, utilizes the AWS Key Management System (KMS) and the associated Hardware Security Modules (HSM). These keys are rotated regularly and are custom (256-bit AES encryption).

Is AWS KMS HSM FIPS 140-2 compliant?

Yes, it is. The AWS KMS Hardware Security Modules were reviewed by an independent lab and then by the Cryptographic Module Validation Program operated by NIST. You can find the official verification here.

Overall, AWS KMS HSMs are validated at Security Level 2, and at Security Level 3 in the following areas:

  • Cryptographic Module Specification

  • Roles, Services, and Authentication

  • Physical Security

  • Design Assurance

As an important reminder, does not store ePHI and you may only conduct a video or audio call with a patient through an end-to-end encrypted connection. All application data is encrypted at rest and in-transit to as specified in our internal policies and procedures.

If you have further questions regarding any of's security practices, please visit our privacy and security section in the Help Center.

If you have any other questions, please contact our support team.
