Security

At HeyGen, security and trust are the foundation of our AI video platform. As a leader in AI video generation, we understand that handling sensitive content and data requires the highest standards. We believe powerful AI technology must integrate security and ethics from its inception, not as an afterthought. This core philosophy guides everything we do, from our infrastructure to our company policies, ensuring we protect your content while fostering innovation.

We implement comprehensive safeguards throughout the entire video generation lifecycle. Your data is protected by industry-leading security protocols from the moment you upload content until the final delivery of your AI-generated videos. We are dedicated to continuously evolving our security practices to stay ahead of emerging threats, all while maintaining the seamless, user-friendly experience HeyGen is known for.

HeyGen meets rigorous compliance requirements for global standards, including SOC 2 Type II, GDPR, CCPA, the EU-US Data Privacy Framework (DPF), and the EU AI Act. To ensure the highest standards of privacy protection, we have appointed a dedicated Data Protection Officer (DPO) based in Europe. Our DPO oversees all GDPR-related matters and is available to address any specific questions or concerns related to data protection. Should you need assistance, you can reach out to our DPO at privacy@heygen.com.

HeyGen Platform Controls

Architecture and Data Segregation

HeyGen's platform is designed to maintain strict logical separation of customer data. Each customer's data is isolated to prevent unauthorized access across tenants. Our infrastructure is designed so that data is accessible only to authorized users and systems, with access governed by a comprehensive system access control policy.

Public Cloud Infrastructure

HeyGen's services are hosted on Amazon Web Services (AWS) in the United States. Our cloud infrastructure is configured with restricted access controls, ensuring that data storage and processing remain secure and auditable. We leverage AWS's enterprise-grade physical and environmental security controls as part of our layered security approach.

Audits

HeyGen undergoes regular third-party security audits to validate the effectiveness of our controls. We are SOC 2 Type II certified, reflecting our ongoing commitment to robust cybersecurity practices. Annual penetration testing is conducted by an independent third-party security firm to identify and remediate vulnerabilities before they can be exploited. Audit results inform our continuous improvement cycle and are made available to customers upon request via our Security Portal.

Subprocessors

HeyGen maintains a list of approved subprocessors who may process customer data to provide the HeyGen service. This list is available at: https://security.heygen.com/. HeyGen ensures all subprocessors meet the same rigorous security and privacy standards to which HeyGen adheres.

Security Controls

Access Control & Authentication

Access to HeyGen's systems and customer data is governed by a strict least-privilege model. All internal access to production environments requires multi-factor authentication (MFA). HeyGen supports SSO (Single Sign-On) for enterprise customers, enabling organizations to enforce their own identity and access policies. HeyGen also supports SCIM provisioning, allowing IT teams to automate user lifecycle management, including onboarding, role changes, and offboarding, directly from their identity provider. Role-based access controls (RBAC) ensure that employees and systems can only access the data and functions necessary for their role. Access rights are reviewed regularly and revoked promptly upon role change or departure.

Intrusion Detection

HeyGen employs network-level and application-level monitoring to detect and respond to suspicious activity. Our systems are protected by firewalls and continuous monitoring tools that alert our security team to potential threats in real time.

Security Logs

All system activity is logged and retained for security analysis and incident investigation. HeyGen maintains audit logs of user activity and administrative actions, giving enterprise customers visibility into how their accounts and data are being accessed and managed. Log collection and storage are managed through a SIEM solution, which provides centralized visibility into application behavior, infrastructure events, and potential anomalies. Logs are protected against unauthorized access and tampering.

Incident Management

HeyGen maintains a documented Security Incident Response Plan that is regularly reviewed and updated to comply with GDPR and other relevant privacy laws. Our dedicated incident response team follows structured procedures to detect, contain, eradicate, and recover from security incidents. Customers are notified in accordance with contractual and regulatory obligations in the event of a breach affecting their data.

Data Encryption

All customer data in transit is secured using Transport Layer Security (TLS) 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent encryption standards. This applies to all primary data stores, backups, and archives, ensuring customer data is protected at all times.

Reliability, Backup, and Business Continuity

HeyGen's infrastructure is designed for high availability and reliability, employing redundant systems and automatic failover mechanisms. We maintain a robust backup and disaster recovery plan. Backups are performed regularly, encrypted, and tested to ensure rapid restoration of services and customer data in the event of a disaster. Our Business Continuity Plan (BCP) ensures minimal disruption to service.

Data Residency

All HeyGen customer data is stored in the United States on AWS infrastructure. For customers subject to data residency requirements, HeyGen is certified for the EU-US Data Privacy Framework (DPF), enabling lawful transfer of personal data from Europe to the US in compliance with applicable GDPR standards. For EU, UK, and Swiss customers, data transfers to the US are also governed by EU-approved Standard Contractual Clauses (SCCs), providing an additional layer of legal protection.

Return of Customer Data

Upon termination of a customer's contract, HeyGen is committed to assisting in the return of all customer data in a commonly used format, as detailed in the contract terms.

Deletion of Customer Data

Following the contracted retention period or upon a customer's request, HeyGen securely deletes all customer data from its systems and backups in accordance with industry best practices and legal requirements.

Vulnerability Disclosure

HeyGen is committed to working with the security community to identify and resolve vulnerabilities responsibly. If you believe you have discovered a security issue affecting HeyGen's platform or infrastructure, we encourage you to report it to us at security@heygen.com. We ask that you provide sufficient detail to reproduce the issue and allow us reasonable time to investigate and remediate before any public disclosure. HeyGen will not pursue legal action against researchers who act in good faith in accordance with this policy.

Personnel Practices

HeyGen maintains stringent personnel security policies. All employees undergo background checks relevant to their location and role and participate in mandatory, regular security and privacy training. Access to customer data and production environments is granted on a strict "need-to-know" basis, following the principle of least privilege.

Network Security

HeyGen's network infrastructure is protected by multiple layers of controls. Firewalls and network segmentation limit exposure between systems and restrict lateral movement in the event of a compromise. DDoS protection is provided through Cloudflare, which sits in front of our public-facing services. All internal and external traffic is monitored continuously, and anomalous activity triggers automated alerts to our security team. Unnecessary ports and services are disabled by default across all infrastructure.

AI Model Training

Enterprise customers' data is excluded from AI model training by default. Non-enterprise customers may opt out at any time by contacting privacy@heygen.com. HeyGen has contractual agreements in place with all AI subprocessors that explicitly prohibit the use of customer data to train their models.

Ready to try our AI video platform?

HeyGen's enterprise-grade security means your team can create powerful AI video content with confidence. Our platform is trusted by businesses worldwide to handle sensitive data with care, transparency, and full regulatory compliance.