// Trust & Security Report
Headspace Inc.
Mental Health and Mindfulness Platform
Certifications held
6
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.headspace.com“Certifications: Headspace SOC 2 Type II Report - 2025”
Verify on trust.headspace.com“Certifications: Headspace HITRUST Certification - 2025; Headspace HITRUST Interim Letter - 2026”
Verify on headspace.com“Headspace is subject to HIPAA as our Care Providers' business associate. Our Care Providers may provide you an additional privacy notice during enrollment which we encourage you to review.”
Verify on trust.headspace.com“Compliance: SOC 2, HITRUST, HIPAA, GDPR, UK Cyber Essentials Plus”
Verify on trust.headspace.com“Certifications: Headspace Cyber Essentials Plus - 2025”
Verify on headspace.com“Headspace's information privacy and security governance is aligned with ISO 27001 and 27002, but formal certification is referenced only for the data center infrastructure (AWS), not for Headspace as an organization. The enterprise security page notes data centers meeting ISO 27001 standards but no Headspace-issued ISO 27001 certificate appears on the Trust Center.”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not stated
Data region
Primarily United States. Privacy policy states: 'our Platform is operated in the United States where your personal information will be primarily processed and stored.' EU/UK data transfers rely on the EU-U.S. Data Privacy Framework.
The privacy policy states data is used 'to power machine learning algorithms that support our Platform.' Ebb was trained on proprietary curated datasets combined with external LLMs, but the policy does not explicitly state whether ongoing user conversation data is fed back into model training. No opt-out mechanism for AI training is disclosed. Reflections in Ebb are not shared with care teams (unless user elects to share) and are not used for targeted advertising. The ambiguity here is material given the sensitive mental health context.
// Security controls
Penetration Testing
Annual application and infrastructure penetration testing. Reports available on Trust Center: 'Headspace Penetration Test Report - 2025' and 'Headspace Pentest Remediation Status - 2025'.
trust.headspace.comVulnerability Scanning
Automated vulnerability scanning. 'Headspace Vulnerability Scan Report - 2025' listed on Trust Center.
trust.headspace.comBug Bounty / VDP
Bug bounty program administered through a third-party partnership. Researchers submit findings to bugbounty@headspace.com. No named platform (HackerOne/Bugcrowd) identified in public sources.
headspace.comEncryption at Rest
AES-256 encryption at rest via AWS Key Management Service; backups also AES-256 encrypted.
headspace.comEncryption in Transit
Data encrypted in transit (TLS). Specified in enterprise security documentation.
headspace.comCloud Infrastructure
Amazon Web Services (AWS) is the primary cloud host, listed as subprocessor for 'Eligibility file storage and processing' (US region).
trust.headspace.comArchitecture
Multi-zone deployment for high-availability; multi-region setup for disaster recovery.
headspace.comSecurity Leadership
Chief Information Security Officer (CISO) in place, overseeing Information Security, Application Security, Infrastructure Security, and GRC teams.
headspace.comAI Safety Monitoring
100% of messages to Ebb are monitored by a proprietary Safety Risk Identification system; flagged high-acuity risks undergo deidentified human clinical review.
headspace.comBAA Availability
Business Associate Agreements (BAAs) available for enterprise/clinical services under HIPAA. BAA scope covers clinical services delivered by affiliated medical providers (Headspace Medical), not standalone consumer meditation features.
headspace.comGDPR Data Subject Rights
Access, correction, portability, deletion, and restriction of processing rights provided for EU/UK residents. Transfers rely on EU-U.S. Data Privacy Framework.
headspace.com// Products & data scope
data: Personal health and wellness data, meditation engagement, Ebb AI conversation data. NOT HIPAA-covered when used independently of clinical services. Data subject to consumer Privacy Policy and Consumer Health Data Privacy Policy.
Includes Ebb (empathetic AI companion), guided meditations, sleep content, and expert-led programs. AI-generated personalized recommendations. 59M+ downloads. Individual subscriptions: monthly/annual/lifetime.
data: Employer-sponsored access: name and email collected from Benefit Sponsor for enrollment. Employer receives registration/engagement data per contract. Clinical services within this tier can be HIPAA-covered with a BAA.
Covers 4000+ organizations. Includes mindfulness, coaching, EAP, therapy, and psychiatry. Pricing per-employee (approx. $18-36/employee/year based on anonymized market data). BAA available for clinical components.
data: Protected Health Information (PHI) under HIPAA. Delivered through affiliated medical providers (Headspace Medical Group CA P.C. and third-party Care Providers). BAA in place. HIPAA Notice of Privacy Practices applies.
Accepts insurance. Separate HIPAA Notice of Privacy Practices from Care Providers. Highest compliance tier. Full HIPAA protections with BAA; most restricted data handling.
// What to watch
- AI training data use is ambiguous: privacy policy states data is used 'to power machine learning algorithms' but does not explicitly confirm or deny that user conversation data (including sensitive Ebb reflections) feeds model training. This is a significant gap for a mental health platform.
- HIPAA protections are scoped to clinical services only. Consumer-only meditation/Ebb users are NOT under HIPAA coverage - a distinction that many enterprise buyers miss.
- ISO 27001 is referenced as an alignment standard for data centers (AWS), not as a Headspace organizational certification. No Headspace-issued ISO 27001 certificate is listed on the Trust Center.
- Data residency is US-only. EU/UK organizations relying on Headspace must rely on the EU-U.S. Data Privacy Framework for adequacy - worth flagging for strict EU data-residency requirements.
- Bug bounty platform partner not publicly named. Contact is bugbounty@headspace.com but no HackerOne/Bugcrowd page confirmed.
- Consumer Health Data is particularly sensitive (mental health context). Separate Consumer Health Data Privacy Policy exists, and CCPA/WA My Health MY Data Act-style protections are referenced.
// At a glance
Pricing model
Consumer: subscription-based (monthly ~$12.99, annual ~$69.99, lifetime $399.99). Enterprise/B2B: per-employee per year pricing (custom, approx. $18-36/employee/year), negotiated per contract size and tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Headspace Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.headspace.com