All encryption and decryption happens on the end user's device. Message data passes through all of your application's existing systems and third-party services, including the Twilio cloud, but it is first encrypted using private encryption keys generated locally on the user's device. The application developer and Twilio see only scrambled gibberish and have no way to decrypt it.
Healthcare applications that need to comply with HIPAA must use a two-pronged approach for Twilio to be considered a "conduit" and safe to use without a BAA:
- end-to-end encrypt user message data using E3Kit
- hard-code deletion of message data from Twilio upon final delivery
How it works:
- Create a Twilio account and implement the Twilio Programmable Chat SDK in your application.
- Create a Virgil Security account and layer the E3Kit end-to-end encryption SDK over your Programmable Chat by following this guide.
- Delete all Programmable Chat messages from Twilio once they are delivered to their end recipient.
- If you need persistent message cloud storage, pass the encrypted message data to a HIPAA-compliant cloud provider (with a BAA in place). If you choose not to do this, any data will only be stored locally on the user's device and will not be retrievable from other devices or recoverable if the user loses their device.