
Enterprise Security and Privacy

Headspace helps you with your health and happiness goals while keeping your member management secure and compliant. We have implemented administrative, technical, and physical safeguards to ensure the confidentiality and integrity of all client data.

Headspace has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of the application environment. We’ve also implemented proactive security procedures, such as perimeter defense and network intrusion monitoring and prevention.

Headspace is HITRUST CSF Certified, reflecting the alignment of its security controls with the HITRUST CSF framework. The framework, designed for use by organizations that use, store or exchange sensitive information, combines multiple security standards, state, federal and international regulations, and leading security practices.

For questions about Headspace’s information security or compliance, please contact security@headspace.com.


Data security and privacy

Leverage the full depth and breadth of our guided mindful living platform and library while keeping your organization’s members’ data secure and safe.

Headspace is hosted in a cloud environment. We take advantage of the highly scalable, high-availability features of the cloud computing platform, with end-to-end security and privacy features built in.

We have data redundancy and a backup process to mitigate the risk of data loss and application downtime.

We encrypt our customers’ data conforming with industry-tested and accepted standards. Your data is encrypted — at rest and in transit.

The only personal data processing taking place in the scope of our contractual relationship is with respect to your sharing of eligibility files with Headspace.

  • In any such relationship, Headspace is acting as a data processor (as defined under the General Data Protection Regulation, or “GDPR”) and our customers are acting as data controllers (also as defined under GDPR).

If you do not share eligibility files with Headspace, we do not process any personal data on your behalf and therefore do not act as a data processor.

Any personal data provided by your employees to register for and use the Headspace platform falls within the controller-data subject relationship between Headspace and its end users. This relationship is outside of the scope of your direct relationship with Headspace. Headspace will comply with all applicable data controller obligations with respect to this processing.


Application Security

We have implemented a secure Software Development Life Cycle (Secure SDLC) and a rigorous secure product development process. Our continuous build and delivery pipeline provides ongoing updates and patching of the application.

We continuously run vulnerability scans against our environment to make sure all systems are patched and risks are mitigated.


Third party penetration test and bug bounty program

We conduct ongoing internal security tests and a detailed yearly penetration test suite performed by third-party security experts to confirm the security of our products and environment.

We have implemented a bug bounty program that provides continuous testing of our applications by partnering with the largest army of ethical hackers.


Organizational Security

At Headspace, we believe that security needs a curious mind and continuous education. We have created continuous education for our personnel at all levels to ensure continued participation and improvement of our standards.

Our third party risk program includes evaluation and risk assessment of our third party processors and vendors. We require all third party providers to meet appropriate security standards.

As part of our personnel security, we run background checks on all employees. We follow the principle of least privilege through role-based access. We require MFA for all employees, no matter their rank or responsibility.

We continuously monitor our environment to detect anomalies and protect company assets with anti-malware solutions installed on all endpoints. We don’t allow customer data to be stored on employee laptops. All workstations are centrally managed, password protected, and patched with local drives fully encrypted and set with automatic screen lock after a fixed period of inactivity.

The Headspace business continuity plan leverages cloud technology and processes to ensure resiliency, recoverability and contingency during business interruptions. Our system backups are maintained in separate geographical regions.


Questions or Concerns?

If you have questions about how your enterprise data is handled or have a data security concern, please email us at security@headspace.com attention: Director of Information Security. We will respond within three business days.