HeyGen’s GDPR Commitment

Effective as of 25 January 2024

The GDPR is the European Union law that safeguards the privacy and data protection of EU citizens. It applies to all companies handling the personal data of EU citizens, even if the company is not located in the EU. The GDPR is effective from May 25, 2018. Its purpose is to give EU citizens and residents more control over their personal data and to make the data protection rules clearer for international businesses operating in the EU, in order to facilitate secure personal data flows.

The GDPR describes different requirements depending on how an organization handles data subjects' personal data:

  • Data Controllers are businesses or individuals that collect customer data and also decide how, when and why that data is processed.
  • Data Processors are businesses or individuals that carry out the processing of data on behalf of a Data Controller.

HeyGen is a Data Controller with respect to the data of our users that we use for our own purposes, such as analytics and service improvement. However, for the majority of the data processed through the HeyGen platform and service, we are a Data Processor, since our role is to help users process their data and achieve their own purposes using the HeyGen platform.

Our users are in full control of their data and decide what data to upload to and delete from our platform, and when. HeyGen only processes users' data on behalf of the user and only upon the user's instruction, given either through the interface or via verbal or written communication. We do not use your data for any purpose other than delivering the best quality service suited to you. For more detailed information about our data processing, see our Privacy Policy.

HeyGen's GDPR compliance

In line with our commitment to GDPR compliance, we developed, reviewed, updated and modified many of our internal practices and policies to ensure we meet GDPR requirements as both a Data Controller and a Data Processor. Below is an overview of several key measures we have put in place and maintain to ensure such compliance.

We also monitor the guidance around GDPR compliance from privacy-related regulatory bodies, and update our product features and contractual commitments accordingly. We’ll provide you with regular updates so that you’re always current.

HeyGen’s GDPR awareness

Since HeyGen’s core business consists of data processing, it is paramount that our entire team is aware of its personal data protection duties and compliance obligations. Therefore, all of our team members have completed suitable GDPR training. In this way we are dedicated to building a GDPR-compliant culture at HeyGen.

Data Processing Agreement for Enterprise Users

We offer a data processing agreement (DPA) for our enterprise users who collect data from data subjects in the EU. Our DPA offers contractual terms that meet GDPR requirements.

Our DPA is publicly available and transparent. Enterprise users that require a DPA with HeyGen in our role as the processor can download and execute a copy of our DPA here.

To ensure that no terms are imposed on HeyGen beyond what is reflected in our DPA and Terms of Service, in most scenarios we cannot agree to sign user-provided DPAs. If you are unable to comply with our standard DPA, please email us at privacy@heygen.com. We are happy to discuss your concerns and our options.

Data Inventory and Data Protection Principles

We maintain an internal data map and other relevant documentation identifying all categories of data subjects with whom HeyGen interacts and the categories of data collected about each of these categories of data subjects. This documentation was drafted and built in response to the GDPR requirements and is updated whenever changes to HeyGen's product, infrastructure, marketing functions or any other data processing occur.

These documents enable us to ascertain and validate the legal basis and legitimate purposes for collecting and processing personal data. We also constantly evaluate the potential risks that personal data processing may pose to fundamental rights, and ensure that we have appropriate and proportional security and privacy safeguards in place across our infrastructure and software ecosystem. We only store and process data for as long as necessary to achieve the relevant purposes.

Refer to our Privacy Policy for further information regarding the collection, storage and management of personal data provided to us.

Data Protection by Design and by Default

Protecting personal data is a process requiring appropriate technical and organizational safeguards, as well as a mindset dedicated to privacy protection. Therefore we take our cybersecurity seriously, by implementing and complying with SOC 2 Type I or II certification. You can request our certificate here.

If you’d like to learn more about HeyGen’s security policies and procedures, please see our security page. It provides detailed information on how we approach security, including our technical and organizational measures as well as our encryption standards.

Third-party Subprocessors

We maintain a list of third-party vendors on our website here. We have signed DPAs with each of these subprocessors. We engage only subprocessors that meet high privacy protection and security standards appropriate and proportional to the type of data processing.

Incident response and breach management

We maintain an internal Security Incident Response Plan that outlines the process our team follows in the event of a suspected data breach. We updated this document in response to the GDPR and other relevant data privacy regulations.

A note on consent

Under the GDPR you must have a legal basis for all data processing. As a Data Controller using HeyGen, it is likely that consent will be one of the legal bases used to ensure compliance for the data you upload to our platform.

In order to be valid, consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. Given that, when using HeyGen, you may process special categories of personal data or other sensitive data, obtaining explicit consent for such processing is very important. The following does not constitute legal or compliance advice, but provides suggestions as to how other Data Controllers manage consent:

  • Verifiable consent requires a stored record of how and when a customer agreed to let you process their data.
  • Unambiguous and explicit consent requires that data subjects affirmatively consent to their data being processed. An example of this is actively ticking a box as part of a signup or subscription process. This opt-in process must provide a message that clearly (in plain language) states the ways in which the data subject's personal data will be used.
  • If you rely on consent to process personal data, double check where and why you collected data to make sure that the consent you obtained meets the standards for consent set out in the GDPR.

Data Subject Rights in our role as Processor and Controller

As a customer of HeyGen based in the EU you are able to access, update, retrieve and remove your own or other personal data you uploaded.

You may edit the data you have provided to HeyGen by managing your HeyGen account. If you would like an export of such data, you can download it yourself at any time. For other related requests, contact us at privacy@heygen.com.

You control the data uploaded to HeyGen, and therefore it is stored for as long as you have your account. When you cancel your account, we will dispose of the data you provided in accordance with our Terms of Service and Privacy Policy.

International Data Transfers

At this moment we do not offer data storage in the EU, and all data you process using HeyGen is transferred to the United States and processed on our cloud providers’ servers located there.

We have incorporated the newest relevant Standard Contractual Clauses approved by the European Commission into our DPA. You can access our DPA here. In case of any questions, you can reach us at privacy@heygen.com.

HeyGen Privacy Counsel and Further Assistance

In order to safeguard the highest possible standard of data protection, we have hired a dedicated Privacy Counsel and GDPR representative to internally oversee our compliance. If you have a specific privacy or data protection question to which you cannot find the answer here or in the Privacy Policy, you can contact him at privacy@heygen.com.