Second pass: fix FIPS claim in about-secrets, refine security-domain wording

- Fix about-secrets.md: replace stale FIPS 140-2 Level 3 claim with link to compliance table
- Refine security-domain.md: 'HSM hardware and cryptographic design' (not just firmware)

Co-authored-by: Copilot <[email protected]>

Author: msmbaldwin

articles/key-vault/managed-hsm/security-domain.md

@@ -26,7 +26,7 @@ A managed HSM security domain serves the following purposes:
   - The managed HSM instance was soft-deleted by a customer and the resource was purged after the mandatory retention period expired.
   - The customer archived a project by performing a backup that included the managed HSM instance and all data, and then deleted all Azure resources that were associated with the project.
 
-Without the security domain, disaster recovery isn't possible — all keys are permanently and irrecoverably lost. Microsoft has no way to recover the security domain, and Microsoft can't access your keys without the security domain. This is architecturally enforced by the HSM firmware, not merely by policy. Protecting the security domain is therefore of the utmost importance for your business continuity.
+Without the security domain, disaster recovery isn't possible — all keys are permanently and irrecoverably lost. Microsoft has no way to recover the security domain, and Microsoft can't access your keys without the security domain. This is architecturally enforced by the HSM hardware and cryptographic design, not merely by policy. Protecting the security domain is therefore of the utmost importance for your business continuity.
 
 ## Security domain protection best practices
 

articles/key-vault/secrets/about-secrets.md

@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: secrets
 ms.topic: overview
-ms.date: 01/08/2026
+ms.date: 04/02/2026
 ms.author: mbaldwin
 ---
 
@@ -23,9 +23,9 @@ Key Vault also supports a contentType field for secrets. Clients can specify the
 
 ## Encryption
 
-Key Vault stores all secrets in your key vault as encrypted data. Key Vault encrypts secrets at rest by using a hierarchy of encryption keys, and modules that are FIPS 140-2 compliant protect all keys in that hierarchy. This encryption is transparent and requires no action from you. The Azure Key Vault service encrypts your secrets when you add them and decrypts them automatically when you read them.
+Key Vault stores all secrets in your key vault as encrypted data. Key Vault encrypts secrets at rest by using a hierarchy of encryption keys, with all keys in the hierarchy protected by FIPS-validated modules. This encryption is transparent and requires no action from you. The Azure Key Vault service encrypts your secrets when you add them and decrypts them automatically when you read them.
 
-The encryption leaf key of the key hierarchy is unique to each key vault. The encryption root key of the key hierarchy is unique to the security world and is protected by a module validated for FIPS 140-2 Level 3 or higher. 
+The encryption leaf key of the key hierarchy is unique to each key vault. The encryption root key of the key hierarchy is unique to the security world. For information about the FIPS validation levels for each Key Vault tier and Managed HSM, see [About keys: Compliance](/azure/key-vault/keys/about-keys#compliance).
 
 ## Secret attributes