// Trust & Security Report
Calm Inc.
Mental health and wellness platform. Consumer app (Calm) with meditation, sleep stories, and mindfulness content; Calm Sleep (iOS-focused sleep app); Calm Health (clinical healthcare product with condition-specific programs); Calm for Team and Calm for Business (B2B offerings for employers and health plans).
Certifications held
5
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on calm.com“Calm regularly commissions independent audits of its compliance with security policies as part of its SOC 2 Type II certification and will make summaries of its audit reports available to customers. Upon customer request, Calm will make available copies of, or extracts from, its audit reports related to security (for example, its SOC 2 report).”
Verify on support.calm.com“Calm Health is built to comply with HIPAA privacy and security standards. Calm will sign a business associate agreement for workplace and healthcare solutions delivered on a HIPAA-compliant platform.”
Verify on support.calm.com“Calm Health is built to comply with HITRUST and HIPAA privacy and security standards.”
Verify on support.calm.com“Calm's data processing is subject to the GDPR, Member State laws implementing the GDPR, and the UK GDPR. Calm uses Standard Contractual Clauses (SCCs) for EU data transfers and maintains a Data Processing Agreement available at https://www.calm.com/data-processing-agreement.”
Verify on cloudsecurityalliance.org“Calm Health was listed in the CSA STAR Registry since 11/11/2024, indicating a Level 1 self-assessment submission with the Cloud Controls Matrix (CCM) questionnaire.”
> Show 2 unconfirmed / not-held certifications
source: calm.comNo public evidence of direct ISO 27001 certification by Calm. Calm leverages AWS for cloud hosting, which is ISO 27001 compliant, but AWS compliance does not equate to Calm's own certification.
source: calm.comNo public evidence of PCI DSS certification. While Calm processes payments, no direct claim of PCI DSS certification was found in vendor materials.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
AWS (us-east-1 and eu-west-1 inferred from Standard Contractual Clauses; no explicit data residency guarantee for EU users in public docs)
Calm uses Amazon Personalize to train machine learning models on customer behavior data including user choices, listening history, and purchase data. The system feeds behavioral data (which sessions users complete, stress levels, time of day, integrated wearable data like heart rate and sleep patterns) into third-party ML systems to generate personalized content recommendations. Users can withdraw consent for data usage. Calm also uses Amplitude for analytics. Note: This applies to behavioral/engagement data; separate health data privacy policies exist for Calm Health product.
// Security controls
Cloud hosting provider
Amazon Web Services (AWS), which is SOC 2, HIPAA, NIST, and ISO compliant
calm.comFacility security
AWS data centers maintain 24-hour security and controlled access to facilities
calm.comStaff training
Staff subject to contractual or statutory confidentiality obligations and regularly trained regarding privacy and security
calm.comBreach notification
Calm will notify customers of data breaches without undue delay and assist with GDPR notification obligations under Articles 33-34
calm.comSubprocessor management
Uses subprocessors including Amazon Web Services (hosting) and Amplitude (analytics). Customers can verify subprocessor list upon request.
calm.com// Products & data scope
data: User behavior, listening history, sleep data, stress assessments, optional wearable data (heart rate, sleep), optional health data (with Calm Health integration)
Paid subscription ($14.99/month or $69.99/year). Uses ML for personalized recommendations. Trains on customer engagement data. Covered by standard Privacy Policy and Data Processing Agreement.
data: Sleep patterns, listening history, device data from Apple HealthKit
Standalone iOS app launched September 2025. Features 500+ Sleep Stories. Integrates with Apple HealthKit.
data: Employee usage data, engagement metrics
For organizations with 5-100 employees. Tier-based pricing. Calm can sign BAA for HIPAA compliance when needed.
data: Employee and dependent usage data, health data (if employers are self-insured)
For 100+ employee organizations. Custom enterprise pricing. Calm partners with 4000+ leading organizations. HIPAA-compliant with BAA; triggers business associate obligations for self-insured employers.
data: Health information, vital signs (per health.calm.com/consumer-health-data-privacy-policy/), behavioral health data, wearable-derived health metrics
Clinical-grade product for condition-specific programs. Available only through employer health plans or healthcare providers (not direct-to-consumer). Built to HIPAA and HITRUST standards. Separate privacy policies and consumer health data privacy policy apply.
// What to watch
- DATA_TRAINING: Calm actively trains on customer engagement and behavioral data using Amazon Personalize ML. This is disclosed in privacy policies but users should be aware before selecting this platform.
- CERT_PRODUCT_VARIANCE: HIPAA and HITRUST certifications are explicitly stated for Calm Health product, not the consumer Calm app. B2B/Team offerings can add HIPAA BAA upon request, creating three tiers of compliance posture. Marketplace listing should clarify which product the certs apply to.
- NO_ISO_27001: No evidence of independent ISO 27001 certification; vendor relies on AWS compliance. This is common for SaaS platforms but should be noted.
- NO_DEDICATED_TRUST_CENTER: Calm does not maintain a dedicated trust center; compliance info is distributed across Privacy Policy, DPA, and help center articles. This is acceptable but less transparent than enterprise vendors.
- DATA_RESIDENCY_UNCLEAR: Standard Contractual Clauses are in place for GDPR but no explicit commitment to EU data residency. Data likely processed in us-east-1 or eu-west-1 AWS regions; customer should verify directly.
- AMPLITUDE_ANALYTICS: Third-party analytics via Amplitude could be a concern for users in regions with strict privacy laws. Audit Calm's Amplitude configuration and DPA with Amplitude.
- CONSUMER_HEALTH_DATA_SCOPE: Calm Health collects sensitive health data (vital signs, symptoms, bodily functions). Separate Consumer Health Data Privacy Policy applies; different deletion and consent rules than main app.
// At a glance
Pricing model
Freemium (7-day free trial). Subscription (consumer: $14.99/month or $69.99/year). B2B: per-user pricing (Team tier 5-100 employees), custom enterprise pricing (100+ employees). Calm Health: through health plan or employer sponsorship (not direct consumer pricing).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Calm Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
calm.com