Castlight Security

Last updated: August 4, 2017

Our data security philosophy is simple. You’re trusting us with your healthcare data. And we take that responsibility very seriously—legally and ethically.

In addition to the substantial physical and technological safeguards outlined below, we also require that all Castlight Health employees undergo thorough background checks, HIPAA training and information security training.

Finally, we encourage you to report any potential security vulnerabilities in our site or application via email to or our toll-free compliance hotline at 1-855-754-2917.

We’re certified and compliant!

Regulatory compliance and certifications
  • HIPAA/HITECH compliant
  • SOC2 Type II certified
  • Our hosted datacenter is SOC1, SOC2, and PCI-DSS certified

Our compliance standards and certifications are regularly assessed by internal security teams and qualified third parties.

We take a layered approach to security.

Physical and environmental security

Our state-of-the-art hosted datacenter includes

  • Power distribution and backup power supply
  • Multiple, redundant UPS-protected power circuits with generator backup
  • Customer-operated environmental control
  • Smoke detection units and fire suppression systems
  • Biometric scanners
  • CCTV monitoring

Network protection

  • Logical network segregation via internal and external firewalls
  • Server masking through traffic load balancing
  • PGP-encrypted file transfer via Secure File Transfer Protocol (SFTP)
  • TLS v1.2 cryptographic protocol ensures users have a secure connection from their browsers to Castlight services
  • Multifactor authentication for remote access

Data protection and application security

We have enabled the Botwall Service by Shape Security to protect our web applications against bots and automated attacks.

  • AES-256 bit encryption for data at rest
  • Data leakage protection
  • Strict data retention and disposition procedures
  • Web application firewall to protect against web-based attacks

Security monitoring

  • Continuous vulnerability detection and remediation
  • Host-based and network intrusion detection systems
  • 24×7 incident detection and management
  • Account and access logging with regular review