We don't consider texting secure enough to be used to transmit PHI under HIPAA, and so we wouldn't consider Tixt to be HIPAA compliant.
We use third-party APIs to handle the communication with the cell network.
Securing transmitted messages:
All communication between our servers and any of the APIs we use is TLS encrypted.
Message storage:
Currently, message bodies are logged for troubleshooting and are visible in our admin interface; we are planning to tighten this up. We're evaluating all of our data storage and usage practices for security purposes and for compliance with various privacy laws, and we are working through improving them.
Our servers are hosted in the US on Google's cloud platform. We are using Google's database services to benefit from their security model for our database storage. Our ops team needs to use hardware security tokens to access any of our back-end servers. We do have the ability to view message bodies from our admin interface, and we're planning to reduce this access, as well as limit the amount of time we hold on to this information. There is room for improvement in our security posture (isn't there always?), but we regularly work to make improvements to our security.