Our security philosophy is simple. You are trusting us with your healthcare data and we earn that trust through our everyday actions.

Castlight Health maintains a formal and comprehensive security program designed to ensure the confidentiality, integrity and availability of our systems and data while protecting against the threats faced by a modern enterprise.

Castlight Health believes everyone plays a critical role in keeping our data secure. As such, we have a purpose-built organizational culture that is both aware and proactive about security risks. Our security culture is fostered via company-wide training, regular communications and dedicated personnel working every day to enhance our security posture.


Trusted by hundreds of employers, Castlight is committed to investing in our security to safeguard your data.


Our infrastructure is hosted in state-of-the-art data centers that meet or exceed industry standards and have achieved, at a minimum, ISO 9000, ISO 27001, PCI-DSS and SSAE18 certifications.



Our controls are based on principles such as least privilege, strong authentication, irrefutable audit trails and guaranteed data integrity. They are universally enforced across our environment to afford a consistent level of protection.



Castlight Health conducts a background investigation of all employees and contractors prior to employment. As part of onboarding, employees and contractors undergo mandatory security training, and they receive ongoing training throughout their Castlight career.



We regularly undergo independent verification of our security, compliance and privacy controls. Additionally, an annual penetration test is conducted by a third party to verify that our applications are adequately protected and free of vulnerabilities.


To report any potential security vulnerabilities, please send an email to [email protected].

For more information about our security program, download our whitepaper.