// Trust & Security Report
Synthesia Limited
AI video generation platform (Synthesia Studio) with AI avatars, voice cloning, screen recording, and translation; plans span Free/Starter/Creator (self-serve, API on Creator+) up to Enterprise (SSO, custom limits, dedicated CSM)
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.synthesia.io“We are SOC2 Type II compliant and fully certified within ISO/IEC 27001:2022, ISO/IEC 27701:2019, and ISO/IEC 42001:2023.”
Verify on synthesia.io“Synthesia undergoes a periodic ISO 42001, ISO 27001, and SOC2 Type II audit. The report is available here.”
Verify on security.synthesia.io“Synthesia has successfully achieved ISO/IEC 27701:2019 certification — the leading international standard for Privacy Information Management Systems (PIMS)... as validated by A-LIGN with zero nonconformities during the Stage 2 audit.”
Verify on security.synthesia.io“This achievement builds on our existing ISO/IEC 27001 and ISO/IEC 42001 certifications... Synthesia becomes first AI video platform to earn ISO 42001 certification (A-LIGN case study cross-check).”
Verify on security.synthesia.io“Compliance: ... GDPR. See our Data Processing Agreement... data currently stored within the European Union (EU), in data centers based in Ireland.”
> Show 4 unconfirmed / not-held certifications
source: synthesia.ioSynthesia is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance Portability and Accountability Act...) and customers should not submit, collect or use any protected health information (PHI)... Synthesia cannot support and have no liability for PHI received from Customer.
source: security.synthesia.ioNo public evidence of a PCI DSS attestation on the trust center, security practices page, or compliance list; payments are handled by a third-party processor, not directly relevant to Synthesia's own scope.
source: security.synthesia.ioNo public evidence of FedRAMP authorization on the trust center or elsewhere on synthesia.io.
source: security.synthesia.ioTrust center lists a completed 'CAIQv4.0.2 STAR Security Questionnaire' available to customers as a resource, but no confirmed public CSA STAR Registry listing was found for Synthesia; a completed CAIQ questionnaire is not the same as a registry-listed STAR certification.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU (Ireland) primary storage; operational backups in Ireland; secondary backups in AWS Frankfurt (EU).
Vendor's AI Governance Practices page states directly: 'Synthesia does not use Customer Data, including inputs or outputs, to pre-train its AI Components.' AI components are instead trained on paid/commissioned actor performances, public performances, and licensed content. Any fine-tuning using customer data requires the customer's written instruction under their governing agreement. Custom avatars/voices require the depicted person's explicit consent before creation.
// Security controls
Penetration testing
Annual third-party penetration testing; 2026 executive summary and full report published as trust center resources
security.synthesia.ioSub-processors
Published sub-processor list; contractual obligations imposed on sub-processors for technical and organizational measures
synthesia.ioData deletion
Customer data deleted upon account/relationship end; avatar/voice deletion requests can take up to 90 days before permanent deletion, with confirmation provided
security.synthesia.ioBusiness continuity / DR
Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained
security.synthesia.io// Products & data scope
data: Standard cloud multi-tenant; no SSO
10 min video/month, 9 stock avatars, no API
data: Standard cloud multi-tenant; no SSO
1 editor + 3 guests, 125+ avatars, no API
data: Standard cloud multi-tenant; no SSO; API access enabled
1 editor + 5 guests, 180+ avatars, live collaboration, API access
data: Custom configuration; SAML/SSO available; dedicated CSM; same underlying security/compliance program as other tiers
Unlimited video minutes, custom guest/editor limits, 240+ avatars, SSO
// What to watch
- Do not confuse this vendor (Synthesia Limited, UK, AI video company, synthesia.io) with the unrelated 'Synthesia LLC' piano/musical-notation software trademark holder in the US — different company, different product, no shared certifications.
- HIPAA is explicitly disclaimed by the vendor: customers are told not to submit PHI and Synthesia states it has no liability for PHI received; list as HIPAA: not supported / no BAA, not as an absence gap.
- CSA STAR: trust center offers a completed CAIQ v4.0.2 questionnaire to customers on request, but this is a self-assessment questionnaire, not a confirmed public CSA STAR Registry certification listing — listed as held=false to avoid over-claiming.
- SSO/SAML is Enterprise-tier only; lower tiers share the same certifications but not the same access controls, relevant for buyers on Basic/Starter/Creator plans.
// At a glance
Pricing model
Freemium + tiered subscription (Basic/Starter/Creator) plus custom Enterprise pricing; API access from Creator tier up
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Synthesia Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.synthesia.io