HeyGen Information Security


Introduction

HeyGen is committed to protecting the confidentiality, integrity, and availability of our customers' data. This policy outlines the information security measures that we have implemented to ensure that our product is secure and reliable. This policy applies to all employees, contractors, vendors, and third-party providers who have access to our company's systems, applications, and data.


Access Control

Access control measures are implemented to ensure that only authorized individuals have access to our company's systems, applications, and data. The access control measures include the following:
1. User authentication: all users must be authenticated with a unique username and password.
2. Password policy: passwords must be complex, and users are required to change their passwords periodically.
3. Account management: user accounts are created and managed by our IT department. Access to sensitive data and systems is restricted to only those users who require it to perform their job functions.
4. Multi-factor authentication: we implement multi-factor authentication for sensitive systems and applications.


Data Protection

We take measures to protect the confidentiality, integrity, and availability of our customers' data. The data protection measures include the following:
1. Encryption: we use encryption technologies to protect sensitive data in transit and at rest.
2. Data backup: we regularly back up our data to prevent data loss due to hardware failures or disasters.
3. Data retention: we retain data only as long as necessary and in accordance with relevant laws, regulations, and industry standards.
4. Data destruction: we dispose of data securely and in accordance with relevant laws, regulations, and industry standards.


Incident Management

We have established an incident management process to detect, investigate, and respond to security incidents. The incident management process includes the following:
1. Incident response plan: we have developed a comprehensive incident response plan that outlines the procedures to be followed in the event of a security incident.
2. Incident reporting: all employees, contractors, vendors, and third-party providers are required to report security incidents immediately to our IT department.
3. Incident investigation: we investigate security incidents promptly to determine the cause and scope of the incident.
4. Incident communication: we communicate with affected parties, such as customers and law enforcement, as necessary and in accordance with relevant laws, regulations, and industry standards.


Compliance

We comply with relevant laws, regulations, and industry standards related to information security. The compliance measures include the following:
1. Regulatory compliance: we comply with all relevant laws, regulations, and industry standards related to information security. We are currently in the SOC 2 Type 1 process, which is expected to be complete by the end of June.
2. Third-party compliance: we require our vendors and third-party providers to comply with our information security policies and procedures.
3. Audit and assessment: we regularly assess and audit our information security controls to ensure that they are effective and compliant.


Conclusion

We take information security seriously and are committed to ensuring that our product is secure and reliable. We implement robust information security measures, including access control, data protection, incident management, and compliance. All employees, contractors, vendors, and third-party providers are required to comply with our information security policies and procedures.