// Trust & Security Report
HeyGen Technology Inc.
AI video generation platform with avatars, voice cloning, and video translation
Certifications held
6
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on heygen.com“HeyGen is SOC 2 Type II certified, reflecting our ongoing commitment to robust cybersecurity practices”
Verify on heygen.com“As both a controller and processor of personal data, HeyGen acknowledges its legal obligations under the GDPR and takes every necessary measure to comply with them.”
Verify on heygen.com“meets rigorous compliance requirements for global standards, including SOC 2 Type II, GDPR, CCPA, the EU-US Data Privacy Framework (DPF), and the EU AI Act”
Verify on heygen.com“To safeguard the transfer of personal data from Europe to the US, we are certified for and rely on the EU-US Data Privacy Framework (DPF).”
Verify on heygen.com“meets rigorous compliance requirements for global standards, including SOC 2 Type II, GDPR, CCPA, the EU-US Data Privacy Framework (DPF), and the EU AI Act”
Verify on security.heygen.com“SOC 3 listed in the compliance section of HeyGen's trust center (security.heygen.com, Drata-powered), alongside SOC 2. SOC 3 is the general-use public attestation based on the same audit criteria as SOC 2 Type II.”
> Show 9 unconfirmed / not-held certifications
source: heygen.comNo public evidence found on any heygen.com domain page. Vendor security page and GDPR page list SOC 2 Type II, GDPR, CCPA, DPF, and EU AI Act but do not mention ISO 27001.
source: heygen.comNo public evidence found. Privacy policy contains no HIPAA references. No Business Associate Agreement (BAA) is offered. Vendor comparison sources as of March 2026 confirm HeyGen has not published HIPAA compliance documentation.
source: heygen.comNo public evidence found. EU AI Act compliance is claimed but ISO 42001 is not mentioned on any heygen.com page.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States only (AWS infrastructure); no EU data residency option. SCCs and DPF used for EU-to-US transfers.
Non-enterprise users' data is used to train and enhance HeyGen's AI models by default, with opt-out available only via email to privacy@heygen.com. The privacy policy states: 'To train and enhance the models that power our products and services, including to make our avatar creation models more accurate.' The legal basis cited is 'legitimate interest' rather than explicit consent, which is a weaker GDPR basis. Enterprise users' data is excluded from AI training by default, and the trust-and-safety page confirms: 'data is not used to train our AI systems, nor is it combined with any other data.' There is a meaningful tier difference: enterprise gets exclusion by default; non-enterprise must proactively opt out by email.
// Security controls
Encryption at rest
AES-256 or equivalent encryption standards for primary stores, backups, and archives
heygen.comInfrastructure
Amazon Web Services (AWS), United States; data isolated per customer tenant
heygen.comAccess control
MFA required for all production environment access; RBAC with least-privilege model
heygen.comIncident response
Detailed Security Incident Response Plan in place, regularly updated per GDPR and relevant privacy laws
heygen.comData Protection Officer (DPO)
Dedicated DPO based in Europe, reachable at privacy@heygen.com
heygen.comSubprocessor list
Comprehensive subprocessor list maintained and publicly available; contractual prohibitions on subprocessors training on customer data
heygen.comData backups
Daily automated backups; disaster recovery retention of 30 days then permanent erasure
help.heygen.com// Products & data scope
data: User-uploaded images, scripts, audio; AI-generated avatars and videos
AI training applies to user data by default. Opt-out available via email only. Limited credits per month. No DPA.
data: User-uploaded images, scripts, audio, brand assets; AI-generated avatars and videos
AI training applies to user data by default unless opted out via email. More credits and features than free tier. No DPA included by default.
data: User-uploaded images, scripts, audio, brand assets; AI-generated avatars and videos; biometric data (custom avatars)
AI training excluded by default. DPA available on request. SSO supported. Dedicated support. Admin controls. Enterprise data not used to train models or combined with other data.
data: Programmatic video generation inputs; avatar and voice clone data via API calls
Pay-per-use API. Separate pricing. AI training policy follows account type (enterprise API excluded by default). Documentation at heygen.com.
// What to watch
- AI training applies to non-enterprise users by default; opt-out is email-only (privacy@heygen.com), no in-app toggle, which may be a friction point for GDPR-conscious users
- Privacy policy cites 'legitimate interest' as legal basis for AI training rather than explicit consent, which is a weaker GDPR basis and may draw regulatory scrutiny
- Tier-based AI training disparity: enterprise gets exclusion by default; consumer and SMB tiers must proactively opt out, creating compliance risk for teams unaware of the difference
- No HIPAA BAA is available; HeyGen is not suitable for processing Protected Health Information (PHI)
- No ISO 27001 certification found on any heygen.com page despite vendor claims of 'enterprise-grade security'
- Processes biometric data (face/voice for custom avatars) with explicit consent required, but privacy policy note warrants review for EU/UK biometric data handling
- Trust center at security.heygen.com is dynamically loaded (Drata-powered) and could not be fully scraped; certification claims verified via heygen.com/security and heygen.com/gdpr-compliant instead
- Data stored exclusively in the United States; European customers relying on SCCs and DPF, not local data residency
// At a glance
Pricing model
Freemium with paid Creator, Team, and Enterprise tiers; pay-per-use API
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on HeyGen Technology Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.heygen.com