
Security and Privacy Summary

Headspace provides a comprehensive suite of mental healthcare services, driven by mindfulness, human-to-human support, and cutting-edge technology, including EAP services. Our mission is to enhance global health and happiness through mindfulness and meditation, and we consider data security and privacy to be of paramount importance. We are dedicated to transparency and to ensuring that you understand our approach to security and privacy.


Headspace Services

  • Headspace: Offering mindfulness and meditation practices.
  • Headspace Care: A licensed healthcare provider and technology company for convenient emotional health support.
  • Headspace EAP: Providing a full EAP replacement with industry-leading mindfulness and more.


Our Commitment

Headspace is committed to protecting member privacy and ensuring the confidentiality, integrity, and availability of information. We adhere to standards and controls set by HIPAA, HITRUST, SOC 2 Type II, ISO 27001 and 27002. Our privacy and security program is risk-based and continuously improved.

Headspace is officially certified in SOC 2 Type II, HITRUST and UK Cyber Essentials.


Security & Privacy Framework and Risk Assessment

We categorize and inventory information, perform risk assessments, and employ security controls and procedures. Written policies address proper information use, security, and risk mitigation. We continuously review and update our risk analysis, monitor threats, and respond to incidents. Headspace has categorized and inventoried the information it manages and performed an analysis of the uses and flows of personal information and protected health information (PHI), including all electronic protected health information (ePHI).


Physical and Environmental Security

Headspace operates its computer systems in high-security data centers that meet SSAE 18, ISAE 3402, ISO 27001, HITRUST, and FedRAMP standards. The data centers are physically secured to minimize disruption and prevent theft, tampering, and damage.


Organizational Security

Our security team, led by the Chief Information Security Officer (CISO), enforces security policies and procedures. We emphasize access controls, proper provisioning and revocation, authentication, and password management, and we conduct background checks. The CISO is supported by the members of the Information Security, Application Security, Infrastructure Security, and Governance, Risk, and Compliance (GRC) teams, who are responsible for their respective processes.


Security and Privacy By Design (Development)

Our secure development lifecycle focuses on secure coding, change management, testing, and deployment. Data is encrypted at rest and in transit, following industry standards, with encryption managed through AWS Key Management Service. We segment networks and employ strong access controls, monitoring, vulnerability scans, and web application firewalls. Workstations are configured to meet baseline security standards and run monitoring software, and mobile devices are managed for security.


Vulnerability Management and Bug Bounty Program

Headspace uses automated vulnerability scanning tools and periodic penetration testing to inform its risk assessment, identify vulnerabilities, and prioritize mitigation activities for servers and software. Headspace has also partnered with a third party to implement a Bug Bounty Program through which external researchers can submit responsible disclosures. This encourages white-hat researchers to find vulnerabilities within our applications and report them to our company. Researchers can also submit findings or questions to bugbounty@headspace.com.


Disaster Recovery and Business Continuity

Headspace uses services deployed by its hosting provider to benefit from multi-zone deployment for high availability and multi-region deployment for backup and disaster recovery. Headspace tests backups on a periodic basis to ensure they can be successfully restored. Backups are encrypted using Advanced Encryption Standard (AES-256).

Headspace has a systematic written disaster recovery (DR) plan to respond to disasters, restore data, and resume operations with an established Recovery Point Objective (RPO) and Recovery Time Objective (RTO).


Incident Response

Headspace has established policies and procedures for responding to potential security and privacy incidents. All incidents are managed by Headspace’s Security Team. The policies and procedures define the types of events that must be managed via the incident response process and classify them based on severity. In the event of a material incident, affected customers will be informed via email from our customer experience team. Incident response procedures are tested and updated at least annually.


Vendor Management

Where sub-service organizations may impact the security of Headspace’s production environment, we take appropriate steps to ensure our security and privacy posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made to users. Steps to ensure third-party vendor security include, but are not limited to:

  • Written Contracts
  • Annual Vendor Assessments
  • Management Review of Vendor Management Program

Data Subject Requests

To assist customers with their data subject request obligations (outlined in privacy regulations such as GDPR, CCPA, etc.), Headspace has processes in place to facilitate such requests. Customers may reach out to support when they receive a request for which they believe Headspace’s assistance is required. Members can reach out directly to Headspace Support by emailing help@headspace.com.


Conclusion

Should you have any inquiries about the handling of your enterprise data or harbor data security/privacy concerns, please do not hesitate to contact us at security@headspace.com. We aim to respond to your queries within three business days.