The GDPR is the European Union law that safeguards the privacy and data protection of EU citizens. It applies to every company handling the personal data of EU citizens, even if the company is not located in the EU. The GDPR has been in effect since May 25, 2018. Its purpose is to give EU citizens and residents more control over their personal data and to make the data protection rules clearer for international businesses operating in the EU, so as to facilitate secure flows of personal data.
The GDPR sets different requirements depending on how an organization handles data subjects' personal data.
HeyGen is a Data Controller with respect to the data of our users that we use for our own purposes, such as analytics and service improvement. For the majority of the data processed through the HeyGen platform and service, however, we are a Data Processor, since our role is to help users process their data and achieve their own purposes using the HeyGen platform.
In line with our commitment to GDPR compliance, we have developed, reviewed, updated and modified many of our internal practices and policies to ensure we meet GDPR requirements as both Data Controller and Data Processor. Below is an overview of several key measures we have put in place and maintain to ensure such compliance.
We also monitor the guidance around GDPR compliance from privacy-related regulatory bodies, and update our product features and contractual commitments accordingly. We’ll provide you with regular updates so that you’re always current.
Since HeyGen's core business consists of data processing, it is paramount that our entire team is aware of its duties regarding personal data protection and compliance. Therefore, all of our team members have completed suitable GDPR training. In this way we are dedicated to building a GDPR-compliant culture at HeyGen.
We offer a data processing agreement (DPA) for our enterprise users who collect data from data subjects in the EU. Our DPA offers contractual terms that meet GDPR requirements.
Our DPA is publicly available. Enterprise users that require a DPA with HeyGen in our role as the processor can download and execute a copy of our DPA here.
To ensure that no terms are imposed on HeyGen beyond what is reflected in our DPA and Terms of Service, in most scenarios we cannot agree to sign DPAs supplied by users. If you are unable to accept our standard DPA, please email us at firstname.lastname@example.org. We are happy to discuss your concerns and our options.
We maintain an internal data map and other relevant documentation identifying all categories of data subjects with which HeyGen interacts and the categories of data collected about each of these categories of data subjects. This documentation was drafted in response to the GDPR requirements and is updated whenever changes to HeyGen's product, infrastructure, marketing functions or any other data processing occur.
These documents enable us to ascertain and validate the legal basis and legitimate purposes for collecting and processing personal data. We also continuously evaluate the potential risks that personal data processing may pose to fundamental rights and ensure that we have in place appropriate and proportional security and privacy safeguards across our infrastructure and software ecosystem. We store and process data only for as long as necessary to achieve the relevant purposes.
Protecting personal data is a process requiring appropriate technical and organizational safeguards, as well as a mindset dedicated to privacy protection. Therefore we take our cybersecurity seriously, by obtaining and maintaining SOC 2 Type I or Type II certification. You can request our certificate here.
If you'd like to learn more about HeyGen's security policies and procedures, please see our security page. It provides detailed information on how we approach security, including our technical and organizational measures as well as our encryption standards.
We maintain a list of third-party vendors on our website here. We have signed DPAs with each of these subprocessors. We engage only subprocessors that meet high privacy protection and security standards appropriate and proportional to the type of data processing.
We maintain an internal Security Incident Response Plan that outlines the process our team follows in the event of a suspected data breach. We updated this document in response to the GDPR and other relevant data privacy regulations.
Under the GDPR you must have a legal basis for all data processing. As a Data Controller using HeyGen, it is likely that consent will be one of the legal bases you rely on to ensure compliance for the data you upload to our platform.
In order to be valid, consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. Given that when using HeyGen you may process special categories of data or other sensitive data, obtaining explicit consent for such processing is very important. The following does not constitute legal or compliance advice but offers suggestions as to how other Data Controllers manage consent:
As a customer of HeyGen based in the EU, you are able to access, update, retrieve and remove your own personal data and any other personal data you have uploaded.
You may edit the data you have provided to HeyGen by managing your HeyGen account. If you would like an export of such data, you can download it yourself at any time. For other related requests, contact us at email@example.com.
At this time we do not offer data storage in the EU, and all data you process using HeyGen is transferred to the United States and processed on our cloud providers' servers located there.
We have incorporated the latest relevant Standard Contractual Clauses approved by the European Commission into our DPA. You can access our DPA here. If you have any questions, you can reach us at firstname.lastname@example.org.