// Trust & Security Report

    Headspace Inc. logo

    Headspace Inc.

    Mental Health and Mindfulness Platform

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Certifications: Headspace SOC 2 Type II Report - 2025

    Verify on trust.headspace.com
    HITRUST
    HELD

    Certifications: Headspace HITRUST Certification - 2025; Headspace HITRUST Interim Letter - 2026

    Verify on trust.headspace.com
    HIPAA
    HELD

    Headspace is subject to HIPAA as our Care Providers' business associate. Our Care Providers may provide you an additional privacy notice during enrollment which we encourage you to review.

    Verify on headspace.com
    GDPR
    HELD

    Compliance: SOC 2, HITRUST, HIPAA, GDPR, UK Cyber Essentials Plus

    Verify on trust.headspace.com
    UK Cyber Essentials Plus
    HELD

    Certifications: Headspace Cyber Essentials Plus - 2025

    Verify on trust.headspace.com
    ISO 27001
    HELD

    Headspace's information privacy and security governance is aligned with ISO 27001 and 27002, but formal certification is referenced only for the data center infrastructure (AWS), not for Headspace as an organization. The enterprise security page notes data centers meeting ISO 27001 standards but no Headspace-issued ISO 27001 certificate appears on the Trust Center.

    Verify on headspace.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not stated

    Data region

    Primarily United States. Privacy policy states: 'our Platform is operated in the United States where your personal information will be primarily processed and stored.' EU/UK data transfers rely on the EU-U.S. Data Privacy Framework.

    The privacy policy states data is used 'to power machine learning algorithms that support our Platform.' Ebb was trained on proprietary curated datasets combined with external LLMs, but the policy does not explicitly state whether ongoing user conversation data is fed back into model training. No opt-out mechanism for AI training is disclosed. Reflections in Ebb are not shared with care teams (unless user elects to share) and are not used for targeted advertising. The ambiguity here is material given the sensitive mental health context.

    // Security controls

    Penetration Testing

    Annual application and infrastructure penetration testing. Reports available on Trust Center: 'Headspace Penetration Test Report - 2025' and 'Headspace Pentest Remediation Status - 2025'.

    trust.headspace.com

    Vulnerability Scanning

    Automated vulnerability scanning. 'Headspace Vulnerability Scan Report - 2025' listed on Trust Center.

    trust.headspace.com

    Bug Bounty / VDP

    Bug bounty program administered through a third-party partnership. Researchers submit findings to bugbounty@headspace.com. No named platform (HackerOne/Bugcrowd) identified in public sources.

    headspace.com

    Encryption at Rest

    AES-256 encryption at rest via AWS Key Management Service; backups also AES-256 encrypted.

    headspace.com

    Encryption in Transit

    Data encrypted in transit (TLS). Specified in enterprise security documentation.

    headspace.com

    Cloud Infrastructure

    Amazon Web Services (AWS) is the primary cloud host, listed as subprocessor for 'Eligibility file storage and processing' (US region).

    trust.headspace.com

    Architecture

    Multi-zone deployment for high-availability; multi-region setup for disaster recovery.

    headspace.com

    Security Leadership

    Chief Information Security Officer (CISO) in place, overseeing Information Security, Application Security, Infrastructure Security, and GRC teams.

    headspace.com

    AI Safety Monitoring

    100% of messages to Ebb are monitored by a proprietary Safety Risk Identification system; flagged high-acuity risks undergo deidentified human clinical review.

    headspace.com

    BAA Availability

    Business Associate Agreements (BAAs) available for enterprise/clinical services under HIPAA. BAA scope covers clinical services delivered by affiliated medical providers (Headspace Medical), not standalone consumer meditation features.

    headspace.com

    GDPR Data Subject Rights

    Access, correction, portability, deletion, and restriction of processing rights provided for EU/UK residents. Transfers rely on EU-U.S. Data Privacy Framework.

    headspace.com

    Security Contact

    security@headspace.com, 3-business-day response target stated.

    headspace.com

    Incident Response

    Incident response procedures tested and updated annually.

    headspace.com

    // Products & data scope

    Headspace Consumer AppMental Health / Mindfulness / AI Companion

    data: Personal health and wellness data, meditation engagement, Ebb AI conversation data. NOT HIPAA-covered when used independently of clinical services. Data subject to consumer Privacy Policy and Consumer Health Data Privacy Policy.

    Includes Ebb (empathetic AI companion), guided meditations, sleep content, and expert-led programs. AI-generated personalized recommendations. 59M+ downloads. Individual subscriptions: monthly/annual/lifetime.

    Headspace for Organizations (B2B / Employer)Employee Mental Health Benefits / EAP

    data: Employer-sponsored access: name and email collected from Benefit Sponsor for enrollment. Employer receives registration/engagement data per contract. Clinical services within this tier can be HIPAA-covered with a BAA.

    Covers 4000+ organizations. Includes mindfulness, coaching, EAP, therapy, and psychiatry. Pricing per-employee (approx. $18-36/employee/year based on anonymized market data). BAA available for clinical components.

    Headspace Clinical Services (Therapy / Psychiatry)Online Therapy / Telehealth

    data: Protected Health Information (PHI) under HIPAA. Delivered through affiliated medical providers (Headspace Medical Group CA P.C. and third-party Care Providers). BAA in place. HIPAA Notice of Privacy Practices applies.

    Accepts insurance. Separate HIPAA Notice of Privacy Practices from Care Providers. Highest compliance tier. Full HIPAA protections with BAA; most restricted data handling.

    // What to watch

    • AI training data use is ambiguous: privacy policy states data is used 'to power machine learning algorithms' but does not explicitly confirm or deny that user conversation data (including sensitive Ebb reflections) feeds model training. This is a significant gap for a mental health platform.
    • HIPAA protections are scoped to clinical services only. Consumer-only meditation/Ebb users are NOT under HIPAA coverage - a distinction that many enterprise buyers miss.
    • ISO 27001 is referenced as an alignment standard for data centers (AWS), not as a Headspace organizational certification. No Headspace-issued ISO 27001 certificate is listed on the Trust Center.
    • Data residency is US-only. EU/UK organizations relying on Headspace must rely on the EU-U.S. Data Privacy Framework for adequacy - worth flagging for strict EU data-residency requirements.
    • Bug bounty platform partner not publicly named. Contact is bugbounty@headspace.com but no HackerOne/Bugcrowd page confirmed.
    • Consumer Health Data is particularly sensitive (mental health context). Separate Consumer Health Data Privacy Policy exists, and CCPA/WA My Health MY Data Act-style protections are referenced.

    // At a glance

    Pricing model

    Consumer: subscription-based (monthly ~$12.99, annual ~$69.99, lifetime $399.99). Enterprise/B2B: per-employee per year pricing (custom, approx. $18-36/employee/year), negotiated per contract size and tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Headspace Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.headspace.com

    > Browse all vendor trust reports