// Trust & Security Report

    HeyGen Technology Inc. logo

    HeyGen Technology Inc.

    AI video generation platform with avatars, voice cloning, and video translation

    Certifications held

    6

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    HeyGen is SOC 2 Type II certified, reflecting our ongoing commitment to robust cybersecurity practices

    Verify on heygen.com
    GDPR
    HELD

    As both a controller and processor of personal data, HeyGen acknowledges its legal obligations under the GDPR and takes every necessary measure to comply with them.

    Verify on heygen.com
    CCPA
    HELD

    meets rigorous compliance requirements for global standards, including SOC 2 Type II, GDPR, CCPA, the EU-US Data Privacy Framework (DPF), and the EU AI Act

    Verify on heygen.com
    EU-US Data Privacy Framework (DPF)
    HELD

    To safeguard the transfer of personal data from Europe to the US, we are certified for and rely on the EU-US Data Privacy Framework (DPF).

    Verify on heygen.com
    EU AI Act
    HELD

    meets rigorous compliance requirements for global standards, including SOC 2 Type II, GDPR, CCPA, the EU-US Data Privacy Framework (DPF), and the EU AI Act

    Verify on heygen.com
    SOC 3
    HELD

    SOC 3 listed in the compliance section of HeyGen's trust center (security.heygen.com, Drata-powered), alongside SOC 2. SOC 3 is the general-use public attestation based on the same audit criteria as SOC 2 Type II.

    Verify on security.heygen.com
    > Show 9 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page. Vendor security page and GDPR page list SOC 2 Type II, GDPR, CCPA, DPF, and EU AI Act but do not mention ISO 27001.

    source: heygen.com
    HIPAA
    NOT CONFIRMED

    No public evidence found. Privacy policy contains no HIPAA references. No Business Associate Agreement (BAA) is offered. Vendor comparison sources as of March 2026 confirm HeyGen has not published HIPAA compliance documentation.

    source: heygen.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page.

    source: heygen.com
    ISO 27017
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page.

    source: heygen.com
    ISO 27018
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page.

    source: heygen.com
    ISO 27701
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page.

    source: heygen.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence found. EU AI Act compliance is claimed but ISO 42001 is not mentioned on any heygen.com page.

    source: heygen.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page.

    source: heygen.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on any heygen.com domain page.

    source: heygen.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States only (AWS infrastructure); no EU data residency option. SCCs and DPF used for EU-to-US transfers.

    Non-enterprise users' data is used to train and enhance HeyGen's AI models by default, with opt-out available only via email to privacy@heygen.com. The privacy policy states: 'To train and enhance the models that power our products and services, including to make our avatar creation models more accurate.' The legal basis cited is 'legitimate interest' rather than explicit consent, which is a weaker GDPR basis. Enterprise users' data is excluded from AI training by default, and the trust-and-safety page confirms: 'data is not used to train our AI systems, nor is it combined with any other data.' There is a meaningful tier difference: enterprise gets exclusion by default; non-enterprise must proactively opt out by email.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    heygen.com

    Encryption at rest

    AES-256 or equivalent encryption standards for primary stores, backups, and archives

    heygen.com

    Infrastructure

    Amazon Web Services (AWS), United States; data isolated per customer tenant

    heygen.com

    Access control

    MFA required for all production environment access; RBAC with least-privilege model

    heygen.com

    Penetration testing

    Annual third-party penetration testing by independent security firm

    heygen.com

    DDoS protection

    Cloudflare DDoS protection

    heygen.com

    Logging and monitoring

    SIEM solution for centralized logging and monitoring

    heygen.com

    Incident response

    Detailed Security Incident Response Plan in place, regularly updated per GDPR and relevant privacy laws

    heygen.com

    Data Protection Officer (DPO)

    Dedicated DPO based in Europe, reachable at privacy@heygen.com

    heygen.com

    Subprocessor list

    Comprehensive subprocessor list maintained and publicly available; contractual prohibitions on subprocessors training on customer data

    heygen.com

    Data backups

    Daily automated backups; disaster recovery retention of 30 days then permanent erasure

    help.heygen.com

    // Products & data scope

    HeyGen FreeAI video generation (consumer)

    data: User-uploaded images, scripts, audio; AI-generated avatars and videos

    AI training applies to user data by default. Opt-out available via email only. Limited credits per month. No DPA.

    HeyGen Creator / Team (paid tiers)AI video generation (SMB/professional)

    data: User-uploaded images, scripts, audio, brand assets; AI-generated avatars and videos

    AI training applies to user data by default unless opted out via email. More credits and features than free tier. No DPA included by default.

    HeyGen EnterpriseAI video generation (enterprise)

    data: User-uploaded images, scripts, audio, brand assets; AI-generated avatars and videos; biometric data (custom avatars)

    AI training excluded by default. DPA available on request. SSO supported. Dedicated support. Admin controls. Enterprise data not used to train models or combined with other data.

    HeyGen APIAI video generation API

    data: Programmatic video generation inputs; avatar and voice clone data via API calls

    Pay-per-use API. Separate pricing. AI training policy follows account type (enterprise API excluded by default). Documentation at heygen.com.

    // What to watch

    • AI training applies to non-enterprise users by default; opt-out is email-only (privacy@heygen.com), no in-app toggle, which may be a friction point for GDPR-conscious users
    • Privacy policy cites 'legitimate interest' as legal basis for AI training rather than explicit consent, which is a weaker GDPR basis and may draw regulatory scrutiny
    • Tier-based AI training disparity: enterprise gets exclusion by default; consumer and SMB tiers must proactively opt out, creating compliance risk for teams unaware of the difference
    • No HIPAA BAA is available; HeyGen is not suitable for processing Protected Health Information (PHI)
    • No ISO 27001 certification found on any heygen.com page despite vendor claims of 'enterprise-grade security'
    • Processes biometric data (face/voice for custom avatars) with explicit consent required, but privacy policy note warrants review for EU/UK biometric data handling
    • Trust center at security.heygen.com is dynamically loaded (Drata-powered) and could not be fully scraped; certification claims verified via heygen.com/security and heygen.com/gdpr-compliant instead
    • Data stored exclusively in the United States; European customers relying on SCCs and DPF, not local data residency

    // At a glance

    Pricing model

    Freemium with paid Creator, Team, and Enterprise tiers; pay-per-use API

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on HeyGen Technology Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.heygen.com

    > Browse all vendor trust reports