Doxy.me relies on redundant AWS-supported servers located in the United States to support the service. AWS servers are SOC 2 certified, abide by FIPS 140-2 standards, and are maintained in compliance with HIPAA regulations.
However, our servers provide only the general services; they do not provide the audio/video connection.
Doxy.me servers are used to establish a connection between the provider and the patient. After that, the video calls are peer-to-peer—meaning the audio-video data flows directly between the two individuals on the call, not through Doxy.me servers.
Group calls use routing servers to maintain connection quality. Even so, the data routed between the parties are always encrypted.
The key point is that all transmitted data are encrypted point-to-point. That means data are only unencrypted (and thus usable) on the end users' devices. There is no feasible way for a third party to decrypt the audio/video transmission because it is highly encrypted using standards-based technologies.
Doxy.me also does not store or collect protected health information. In other words, no patient data are stored on any Doxy.me servers.