// Trust & Security Report

    Synthesia Limited logo

    Synthesia Limited

    AI video generation platform (Synthesia Studio) with AI avatars, voice cloning, screen recording, and translation; plans span Free/Starter/Creator (self-serve, API on Creator+) up to Enterprise (SSO, custom limits, dedicated CSM)

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We are SOC2 Type II compliant and fully certified within ISO/IEC 27001:2022, ISO/IEC 27701:2019, and ISO/IEC 42001:2023.

    Verify on security.synthesia.io
    ISO/IEC 27001:2022
    HELD

    Synthesia undergoes a periodic ISO 42001, ISO 27001, and SOC2 Type II audit. The report is available here.

    Verify on synthesia.io
    ISO/IEC 27701:2019
    HELD

    Synthesia has successfully achieved ISO/IEC 27701:2019 certification — the leading international standard for Privacy Information Management Systems (PIMS)... as validated by A-LIGN with zero nonconformities during the Stage 2 audit.

    Verify on security.synthesia.io
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    This achievement builds on our existing ISO/IEC 27001 and ISO/IEC 42001 certifications... Synthesia becomes first AI video platform to earn ISO 42001 certification (A-LIGN case study cross-check).

    Verify on security.synthesia.io
    GDPR
    HELD

    Compliance: ... GDPR. See our Data Processing Agreement... data currently stored within the European Union (EU), in data centers based in Ireland.

    Verify on security.synthesia.io
    UK Cyber Essentials
    HELD

    Compliance ... UK Cyber Essentials

    Verify on security.synthesia.io
    > Show 4 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Synthesia is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance Portability and Accountability Act...) and customers should not submit, collect or use any protected health information (PHI)... Synthesia cannot support and have no liability for PHI received from Customer.

    source: synthesia.io
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation on the trust center, security practices page, or compliance list; payments are handled by a third-party processor, not directly relevant to Synthesia's own scope.

    source: security.synthesia.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on the trust center or elsewhere on synthesia.io.

    source: security.synthesia.io
    CSA STAR (registry listing)
    NOT CONFIRMED

    Trust center lists a completed 'CAIQv4.0.2 STAR Security Questionnaire' available to customers as a resource, but no confirmed public CSA STAR Registry listing was found for Synthesia; a completed CAIQ questionnaire is not the same as a registry-listed STAR certification.

    source: security.synthesia.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU (Ireland) primary storage; operational backups in Ireland; secondary backups in AWS Frankfurt (EU).

    Vendor's AI Governance Practices page states directly: 'Synthesia does not use Customer Data, including inputs or outputs, to pre-train its AI Components.' AI components are instead trained on paid/commissioned actor performances, public performances, and licensed content. Any fine-tuning using customer data requires the customer's written instruction under their governing agreement. Custom avatars/voices require the depicted person's explicit consent before creation.

    // Security controls

    Encryption in transit

    TLS 1.2+

    synthesia.io

    Encryption at rest

    AES-256 for all stored Customer Data

    synthesia.io

    Penetration testing

    Annual third-party penetration testing; 2026 executive summary and full report published as trust center resources

    security.synthesia.io

    SSO / SAML

    Available on Enterprise plan only (not on Free/Starter/Creator)

    synthesia.io

    Sub-processors

    Published sub-processor list; contractual obligations imposed on sub-processors for technical and organizational measures

    synthesia.io

    Data deletion

    Customer data deleted upon account/relationship end; avatar/voice deletion requests can take up to 90 days before permanent deletion, with confirmation provided

    security.synthesia.io

    Business continuity / DR

    Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained

    security.synthesia.io

    // Products & data scope

    Basic (Free)Individual / self-serve

    data: Standard cloud multi-tenant; no SSO

    10 min video/month, 9 stock avatars, no API

    StarterIndividual / small team

    data: Standard cloud multi-tenant; no SSO

    1 editor + 3 guests, 125+ avatars, no API

    CreatorTeam

    data: Standard cloud multi-tenant; no SSO; API access enabled

    1 editor + 5 guests, 180+ avatars, live collaboration, API access

    EnterpriseEnterprise / API

    data: Custom configuration; SAML/SSO available; dedicated CSM; same underlying security/compliance program as other tiers

    Unlimited video minutes, custom guest/editor limits, 240+ avatars, SSO

    // What to watch

    • Do not confuse this vendor (Synthesia Limited, UK, AI video company, synthesia.io) with the unrelated 'Synthesia LLC' piano/musical-notation software trademark holder in the US — different company, different product, no shared certifications.
    • HIPAA is explicitly disclaimed by the vendor: customers are told not to submit PHI and Synthesia states it has no liability for PHI received; list as HIPAA: not supported / no BAA, not as an absence gap.
    • CSA STAR: trust center offers a completed CAIQ v4.0.2 questionnaire to customers on request, but this is a self-assessment questionnaire, not a confirmed public CSA STAR Registry certification listing — listed as held=false to avoid over-claiming.
    • SSO/SAML is Enterprise-tier only; lower tiers share the same certifications but not the same access controls, relevant for buyers on Basic/Starter/Creator plans.

    // At a glance

    Pricing model

    Freemium + tiered subscription (Basic/Starter/Creator) plus custom Enterprise pricing; API access from Creator tier up

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Synthesia Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.synthesia.io

    > Browse all vendor trust reports