# Data Security, Compliance & HIPAA

> What you can safely send by SMS, HIPAA do's and don'ts, and how MessageDesk secures your data, including our SOC 2 roadmap and Trust Center.

We protect your data and help you use SMS responsibly. This page explains **what you can send**, **what to avoid**, and how to access our **security documentation**.

***

## TL;DR

* **SMS isn't end-to-end encrypted.** Use it for **non-PHI** communications only.
* **HIPAA:** You **may not** send PHI by text via MessageDesk. MessageDesk **cannot sign BAAs** at this time.
* **SOC 2 Type II:** Certified.
* **Trust Center:** Get policies, control mappings, and audit materials: [**security.messagedesk.com**](https://security.messagedesk.com/).
* **Legal:** See our [**Privacy Policy**](https://www.messagedesk.com/privacy-policy), [**Terms of Service**](https://www.messagedesk.com/terms), and [**Use Agreement**](https://www.messagedesk.com/use-agreement).

***

## HIPAA and texting: what's allowed (and what isn't)

SMS is a carrier-routed channel and cannot be made fully end-to-end encrypted. That means **don't send PHI** (Protected Health Information) over SMS.

### What you **can** send (non-PHI)

* Appointment reminders **without** health details
* General practice information (address, parking, directions)
* Office hours and contact information
* Non-specific follow-ups ("Thanks for visiting, complete your post-visit survey")

### What you **should not** send (PHI)

* Diagnoses or symptoms
* Treatment or care plan details
* Prescriptions or medication names/dosages
* Lab or test results
* Any other **patient-identifying health information**

<Warning>
  **No BAA:** MessageDesk is **not currently in a legal position to sign BAAs**. If your organization requires a BAA, MessageDesk may not be the right fit for PHI-related workflows today.
</Warning>

### Best practices for healthcare teams

1. **Train your staff** on PHI restrictions and when to switch channels.
2. [**Use templates**](/messaging/templates-tags) that exclude PHI and include clear, neutral language.
3. **Keep reminders generic** (date/time/location only).
4. **Redirect PHI** to secure portals, phone calls, or in-network tools.
5. **Document your policy** for when SMS is appropriate vs. not.
6. Reference our [**Privacy Policy**](https://www.messagedesk.com/privacy-policy) for how we handle personal information.

***

## Our security posture (at a glance)

* **Hosting:** AWS (US).
* **Encryption:** **AES-256 at rest**, **TLS in transit**.
* **Access controls:** MFA support; **RBAC** with granular permissions (Admin, Manager, and Operator roles, plus resource-level controls).
* **Vulnerability management:** SLAs to remediate Critical/High/Medium findings within defined windows.
* **Segregation:** Separate staging/production; change management and rollback procedures.
* **Monitoring & logs:** Auth and configuration events logged and retained.
* **Pen test:** Most recent third-party test reported **no critical/high** findings.

<Info>
  For full details (policies, controls, audit artifacts), request access to our [**Trust Center**](https://security.messagedesk.com/).
</Info>

***

## SOC 2, compliance, and Trust Center

MessageDesk has achieved **SOC 2 Type II** certification.

Legal references: [**Terms of Service**](https://www.messagedesk.com/terms) and [**Use Agreement**](https://www.messagedesk.com/use-agreement).

### Request access to our Trust Center

1. Visit [**security.messagedesk.com**](https://security.messagedesk.com/)
2. Click **Request Access**
3. Complete the form and submit
4. We'll email you once access is approved

<Card icon="lock" iconType="regular" href="https://security.messagedesk.com/" title="Trust Center">
  Get policies, control mappings, and audit materials in the MessageDesk Trust Center.
</Card>

***

## Frequently asked data and compliance questions

**Is MessageDesk HIPAA compliant?**\
We **do not** transmit PHI by SMS and **do not** sign BAAs currently. You can use MessageDesk for **non-PHI** communications (e.g., generic reminders).

**Can I include links in reminders?**\
Yes. Use links to your **secure patient portal** for PHI. Keep the SMS itself generic.

**Are you SOC 2 certified?**\
Yes. MessageDesk has achieved **SOC 2 Type II** certification. You can request access to our audit report via the **Trust Center**.

**Where is our data stored?**\
In the **United States** on AWS. Data is encrypted **at rest** and **in transit**. See our [**Privacy Policy**](https://www.messagedesk.com/privacy-policy) for more on data handling.

**Can we enable SSO and MFA?**\
Yes. We support SSO (SAML/OIDC) and MFA. See our **Trust Center** and [**Use Agreement**](https://www.messagedesk.com/use-agreement) for additional terms.

**How do Terms apply to my workspace?**\
Your use of MessageDesk is governed by our [**Terms of Service**](https://www.messagedesk.com/terms) and [**Use Agreement**](https://www.messagedesk.com/use-agreement).
