HeyGen's GDPR Compliance Statement

Effective as of 22 October 2024

At HeyGen, we are committed to providing top-tier services while strictly adhering to privacy and data protection regulations, especially the General Data Protection Regulation (GDPR), to safeguard the privacy and data rights of our users.

About HeyGen

HeyGen offers a platform that empowers users to transform photos and other content into lifelike videos, create dynamic presentations, and produce a variety of video content. By integrating services like AI voice cloning—provided by our trusted partners—we enable the generation of high-fidelity AI avatars, videos, and voices that closely resemble genuine images and sounds.

Our Commitment to Privacy, Data Protection and the GDPR

The EU and UK GDPR (together, the GDPR) are regulations protecting the personal data and privacy of individuals within the European Union and the United Kingdom. Their core principles are also applied in various other jurisdictions, making the GDPR a global standard for privacy and data protection. Therefore, we apply the GDPR as the standard for all of our personal data processing operations.

GDPR outlines strict guidelines for the collection, processing, and storage of personal data and provides individuals with various rights concerning their data. The regulation emphasizes transparency, accountability, and security, ensuring that personal data is processed lawfully, fairly, and securely.

As both a controller and processor of personal data, HeyGen acknowledges its legal obligations under the GDPR and takes every necessary measure to comply with them. Protecting the privacy and data of our users is a fundamental priority for us.

HeyGen's GDPR Compliance Program

HeyGen complies with the GDPR and has implemented a comprehensive and proportionate compliance program, appropriate to its risk level, to ensure continuous oversight and improvements in our data protection practices. We closely monitor regulatory guidelines from relevant authorities and judicial decisions, making necessary adjustments to maintain the highest standards of data protection.

Our compliance program includes:

  • Data Processing Inventory: We maintain a detailed inventory of all personal data processing activities, carefully categorizing and qualifying them according to their purposes and legal bases.
  • Data Protection Principles: Our processing activities comply with all the data protection principles outlined in Article 5 of the GDPR, including purpose limitation, data minimization, and storage limitation.
  • Legal Basis for Processing: For each processing activity, we ensure a valid legal basis is in place, as required by Article 6. Detailed information can be found in our Privacy Policy.
  • Staff Training: Our staff undergo regular GDPR and security training to stay up to date with data protection requirements.
  • Data Rights Requests: We respect the rights of individuals under the GDPR and promptly respond to requests concerning their data. To exercise your rights, such as access, rectification, or erasure, you can contact us at [email protected].
  • Incident Response and Breach Management: We have a detailed Security Incident Response Plan in place to address any suspected data breaches. This plan is regularly updated to comply with the GDPR and other relevant privacy laws.

Security Measures

HeyGen is SOC 2 Type II compliant, reflecting our commitment to maintaining robust cybersecurity measures. We also integrate data protection by design and by default into our processing activities.

Special Categories of Personal Data

We place a special emphasis on protecting sensitive data, including biometric data. We process such data only with explicit consent and implement additional security measures to protect these categories.

Data Protection Officer (DPO)

To ensure the highest standards of privacy protection, we have appointed a dedicated Data Protection Officer (DPO) based in Europe. Our DPO oversees all GDPR-related matters and is available to address any specific questions or concerns related to data protection. Should you need assistance, you can reach out to our DPO at [email protected].

Data Processing Agreements (DPAs)

HeyGen provides DPAs for controllers and maintains DPAs with all subprocessors. Our commitment to security extends to our third-party subprocessors, ensuring they meet stringent privacy and security standards. A comprehensive list of our third-party vendors and their respective processing activities is available here.

International Data Transfers

To safeguard the transfer of personal data from Europe to the US, we are certified for and rely on the EU-US Data Privacy Framework (DPF). All data is securely stored in the US, and we ensure compliance with applicable GDPR standards.

Opt-out of AI Training

For our enterprise users, data is excluded from AI training by default. All users can easily opt out by contacting us at [email protected].

Ongoing Commitment

Our dedication to GDPR compliance is ongoing. We continually monitor legal developments to ensure our practices remain up to date with the latest regulatory standards. Our goal is to offer exceptional services without compromising on legal and ethical responsibilities.

For more details on our data protection practices, please review our Privacy Policy. For further information or inquiries about our compliance efforts, please feel free to reach out to us.