HeyGen Technology Inc. | Trust Center
HeyGen Security Portal
Welcome to HeyGen’s Security Portal. Creating videos with HeyGen's platform is a transformative experience, thanks to the power of AI. With the ability to produce videos in minutes using an extensive library of avatars and voices, our platform is reshaping the way businesses communicate. At HeyGen, we understand the profound impact of our technology on media, communication, and the broader digital landscape and the importance of data security to building trust in our services. This portal is designed to help you learn more about our commitment to data security. Here, you can view links to key terms and policies and request access to our SOC 2 certification. You can also see information about other security practices and policies at HeyGen. We may periodically update this page with additional resources so you are encouraged to review this page periodically and contact us at [email protected] if you have questions.
See Certifications

Resources

SOC 2 Type 2

Privacy

Terms of Service

Ethics

Moderation Policy

Penetration Test Report - Dec. 2023

Master SAAS Agreement

FAQs

Monitoring

Continuously monitored by Secureframe
View all

Compliance

SOC 2

Subprocessors

Amazon Web Services

Web hosting, data storage, image content moderation, video processing. User profile and identity data are stored and transmitted for account setup. Video/image/audio data are stored and transmitted for video processing. Location: 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A.

Microsoft Azure

Text to speech, data warehouse. Script data are transmitted for generating audio. Location: Virginia, United States of America

Intercom

Customer support, help center Location: 55 2nd Street, 4th Floor, San Francisco, CA 94105

Datadog

Application monitoring and alerting, logs storage and collecting Location: 620 8TH Ave FL 45 New York, NY, 10018-1741 United States

ElevenLabs

Text to speech Location: 169 Madison Ave #2484 New York, NY 10016 NYC

Cloudflare

DNS Location: 101 Townsend St., San Francisco, California 94107

OpenAI

Script rewriting when users create videos, script content moderation, text to speech. Data usage policy: https://openai.com/policies/api-data-usage-policies Location: 3180 18th St. San Francisco, California 94110

Assembly AI

Speech to text. Privacy policy: https://www.assemblyai.com/legal/privacy-policy Location: 2261 Market Street #4577, San Francisco, CA 94114

Lambda Labs

GPU Compute. Privacy policy: https://lambdalabs.com/legal/privacy-policy Location: 2510 Zanker Road San Jose, California 95131

Monitoring

Change Management

Secure Development Policy
A Secure Development Policy defines the requirements for secure software and system development and maintenance.
Change Management Policy
A Change Management Policy governs the documenting, tracking, testing, and approving of system, network, security, and infrastructure changes.
Production Data Use is Restricted
Production data is not used in the development and testing environments, unless required for debugging customer issues.
Configuration and Asset Management Policy
A Configuration and Asset Management Policy governs configurations for new sensitive systems

Availability

High Availability Configuration
The system is configured for high availability to support continuous availability, when applicable.
Uptime and Availability Monitoring
System tools monitors for uptime and availability based on predetermined criteria.
Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.

Organizational Management

Code of Conduct
A Code of Conduct outlines ethical expectations, behavior standards, and ramifications of noncompliance.
Disciplinary Action
Personnel who violate information security policies are subject to disciplinary action and such disciplinary action is clearly documented in one or more policies.
Acceptable Use Policy
An Acceptable Use Policy defines standards for appropriate and secure use of company hardware and electronic systems including storage media, communication tools and internet access.
Internal Control Policy
An Internal Control Policy identifies how a system of controls should be maintained to safeguard assets, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Information Security Program Review
Management is responsible for the design, implementation, and management of the organization’s security policies and procedures. The policies and procedures are reviewed by management at least annually.
Internal Control Monitoring
A continuous monitoring solution monitors internal controls used in the achievement of service commitments and system requirements.
Performance Review Policy
A Performance Review Policy provides personnel context and transparency into their performance and career development processes.
Information Security Policy
An Information Security Policy establishes the security requirements for maintaining the security, confidentiality, integrity, and availability of applications, systems, infrastructure, and data.
Background Checks
Background checks or their equivalent are performed before or promptly after a new hires start date, as permitted by local laws.

Confidentiality

Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.
Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.

Vulnerability Management

Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes to efficiently respond to identified vulnerabilities.

Incident Response

Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning and tracking confirmed incidents through to resolution.

Risk Assessment

Risk Assessment
Formal risk assessments are performed, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats.
Vendor Due Diligence Review
Vendor SOC 2 reports (or equivalent) are collected and reviewed on at least an annual basis.
Risk Assessment and Treatment Policy
A Risk Assessment and Treatment Policy governs the process for conducting risk assessments to account for threats, vulnerabilities, likelihood, and impact with respect to assets, team members, customers, vendors, suppliers, and partners. Risk tolerance and strategies are also defined in the policy.
Vendor Risk Management Policy
A Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle.

Network Security

Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.
Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.

Access Security

Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
Asset Inventory
A list of system assets, components, and respective owners are maintained and reviewed at least annually
Access Control and Termination Policy
An Access Control and Termination Policy governs authentication and access to applicable systems, data, and networks.
Unique Access IDs
Personnel are assigned unique IDs to access sensitive systems, networks, and information

Physical Security

Physical Security Policy
A Physical Security Policy that details physical security requirements for the company facilities is in place.

Communications

Privacy Policy
A Privacy Policy to both external users and internal personnel. This policy details the company's privacy commitments.
Confidential Reporting Channel
A confidential reporting channel is made available to internal personnel and external parties to report security and other identified concerns.
Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Terms of Service
Terms of Service or the equivalent are published or shared to external users.
Description of Services
Descriptions of the company's services and systems are available to both internal personnel and external users.