Data Security, Compliance & HIPAA
We protect your data and help you use SMS responsibly. This page explains what you can send, what to avoid, and how to access our security documentation.
TL;DR
- SMS isn’t end-to-end encrypted. Use it for non-PHI communications only.
- HIPAA: You may not send PHI by text via MessageDesk. MessageDesk cannot sign BAAs at this time.
- SOC 2: Audit in progress; targeted completion January 2026.
- Trust Center: Get policies, control mappings, and audit materials: security.messagedesk.com.
- Legal: See our Privacy Policy, Terms of Service, and Use Agreement.
HIPAA & Texting: What’s Allowed (And What Isn’t)
SMS is a carrier-routed channel: messages pass through carrier and aggregator networks in a form those intermediaries can read, so no setting on our side or yours can make that path end-to-end encrypted. That means don’t send PHI (Protected Health Information) over SMS.
What you can send (non-PHI)
- Appointment reminders without health details
- General practice information (address, parking, directions)
- Office hours and contact information
- Non-specific follow-ups (“Thanks for visiting—complete your post-visit survey”)
What you should not send (PHI)
- Diagnoses or symptoms
- Treatment or care plan details
- Prescriptions or medication names/dosages
- Lab or test results
- Any other patient-identifying health information
Best practices for healthcare teams
- Train your staff on PHI restrictions and when to switch channels.
- Use templates that exclude PHI and include clear, neutral language.
- Keep reminders generic (date/time/location only).
- Redirect PHI to secure portals, phone calls, or in-network tools.
- Document your policy for when SMS is appropriate vs. not.
- Reference our Privacy Policy for how we handle personal information.
Our Security Posture (At a Glance)
- Hosting: AWS (US).
- Encryption: AES-256 at rest, TLS in transit.
- Access controls: MFA support; RBAC with granular permissions (Admin, Manager, Operator + resource-level controls).
- Vulnerability management: SLAs to remediate Critical/High/Medium findings within defined windows.
- Segregation: Separate staging/production; change management and rollback procedures.
- Monitoring & logs: Auth and configuration events logged and retained.
- Pen test: Most recent third-party test reported no critical/high findings.
For full details (policies, controls, audit artifacts), request access to our Trust Center.
SOC 2, Compliance & Trust Center
MessageDesk is undergoing SOC 2 Type I and Type II audits (target completion January 2026). We align operations with industry standards and maintain GDPR/CCPA-aligned processes. Legal references: Terms of Service and Use Agreement.
Request access to our Trust Center
- Visit security.messagedesk.com
- Click Request Access
- Complete the form and submit
- We’ll email you once access is approved
Trust Center
Get policies, control mappings, and audit materials in the MessageDesk Trust Center.
Frequently Asked Data & Compliance Questions
Is MessageDesk HIPAA compliant?
We do not transmit PHI by SMS and do not sign BAAs currently, so MessageDesk should not be used as a HIPAA-covered channel. You can use MessageDesk for non-PHI communications (e.g., generic reminders).
Can I include links in reminders?
Yes: use links to your secure patient portal for PHI and keep the SMS itself generic. The link is visible in transit like the rest of the message, so the URL must not encode anything identifying (no diagnosis, test name, or patient identifier in the path or query); have the portal require authentication before it shows any PHI.
Do you have SOC 2 today?
We’re in audit. Target completion is January 2026. Interim materials are in the Trust Center.
Where is our data stored?
In the United States on AWS. Data is encrypted at rest and in transit. See our Privacy Policy for more on data handling.
Can we enable SSO and MFA?
Yes. We support SSO (SAML/OIDC) and MFA. See our Trust Center and Use Agreement for additional terms.
How do Terms apply to my workspace?
Your use of MessageDesk is governed by our Terms of Service and Use Agreement.