Security Practices

Security is integral to Synthesia’s core principles of Control, Consent, and Collaboration and so we take it seriously. This Security Practices page describes the organizational, technical, and physical controls applicable to Synthesia, including our Services, as more specifically described in your governing agreement with Synthesia. For real-time monitoring of key controls, access to important security documents such as our SOC2 report, and answers to frequently asked security questions, please visit https://security.synthesia.io.

These policies and practices may change as the Services and industry evolve, so please check back regularly for updates. Capitalized terms used below but not defined in this policy have the meaning set forth in the governing agreement.

Synthesia Platform Controls

Architecture and Data Segregation

Synthesia operates a multi-tenant software-as-a-service system, using a shared infrastructure for all users. We have implemented measures designed to ensure the logical separation of Customer Data, as more specifically defined in your governing agreement with Synthesia covering the use of the Services. These measures include the use of access lists and association of Customer Data with unique customer IDs.

Public Cloud Infrastructure

Synthesia utilizes Amazon Web Services (AWS) for its public cloud infrastructure. The services provided by AWS include web hosting, user management, backend API, compute, database, monitoring, and automation. Synthesia does not use a private or hybrid cloud.

Audits

Synthesia has a robust audit system in place designed to continuously monitor for vulnerabilities, instances of non-compliance, and misconfigurations. Auditing is performed by internal parties as well as respected and accredited external firms. Synthesia undergoes a periodic SOC2 Type II audit. The report is available here.

Security Controls

Synthesia has established a comprehensive security control framework aligned to our defined security policies, risk management program, and industry-leading best practices and standards. This rigorous approach is designed to safeguard the confidentiality, integrity, and availability of any Customer Data that is processed, transmitted, or stored by Synthesia.

The security controls that we have put in place encompass a wide range of measures, including:

• Access Management: Synthesia uses a centralized system for managing identities, governing access to all key systems and physical access to sensitive office locations. Administrators and incident responders can use this to easily terminate and disable all authenticated sessions. All access is granted based on approved requests and we conduct quarterly reviews of access to any sensitive system.
  
• Company-wide multi-factor authentication: To protect Synthesia staff identities, we employ industry leading security practices, such as requiring all staff members to use a FIDO2 compliant authentication factor, such as a physical security key or WebAuthn.
  
• Audit Logging: We meticulously log every access and action taken by Synthesia staff, as well as all customer authentication-related events. This includes recording details such as the type of device used, IP addresses, and any registered abnormalities such as impossible travel.
  
• Host Management: We enforce stringent security requirements such as screen lockouts, full disk encryption, installed anti-malware and endpoint detection and response software, remote wiping & locking capabilities, and the use of up-to-date software.
  
• Network Protection: We employ network abnormality detection software, multi-factor authentication based access to servers and databases in the production environment (with a requirement to use a FIDO2 compliant authentication factor), firewalls configured according to best practices, and encrypted communications channels utilizing Transport Layer Security 1.2+ (TLS 1.2+) at a minimum.
  
• Cloud Security Posture Management: We continuously monitor our cloud infrastructure for misconfigurations, as well as exposure, vulnerability, and patch management issues.
  
• Application Security: We have implemented a secure software development lifecycle policy. New features and significant changes undergo a threat modeling and review process. We also utilize continuous static code scanning and software composition analysis to detect and mitigate any potential vulnerabilities in our applications as early as possible. In addition, we run a private bug bounty program in collaboration with HackerOne, enabling security researchers around the world to help us identify and rectify potential security flaws and contract with security services vendors to perform annual penetration testing.
• Change Management: All application code changes go through our change management process, which is designed to track changes in the system to help ensure that modifications are necessary, safe, and improve the system's functioning. Further, code changes are peer reviewed prior to being deployed to production.

It's important to note that the protection of Customer Data is a shared responsibility. Customers have responsibility and control over various measures, including:

• Data sharing: Customers have control over the nature of content they submit to the Services and the sharing of videos, templates, avatars, voices, and assets.
  
• Content generation: Customers can enable or disable the use of AI-assisted generation of content.
  
• Single Sign-On: Customers have control over how Single Sign-On (SSO) is governed on their end.‍
• Workspace access: Customers can manage access to their workspace by inviting other users or guests.

Intrusion Detection

Synthesia employs a robust intrusion detection system around its infrastructure. Synthesia partners with 24/7 managed detection and response providers that specialize in identifying and addressing security threats across endpoints, cloud infrastructure, and identities. This proactive approach underpins our commitment to robust system security and data protection.

Security Logs

Security-relevant events originating from Synthesia infrastructure, including events related to authentication and actions taken by staff, are logged and audited. These logs are stored for up to 4 years and are protected from unauthorized access. Logs cannot be deleted or modified, even by an administrator.

Incident Management

Synthesia has a well-established and documented incident response plan for managing incidents. This plan is reviewed at least annually and is communicated to all relevant parties. We also have an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality.

All incidents are documented in Synthesia's security incident register, and all actions taken during an incident are documented and reviewed once the emergency is over. Synthesia notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Synthesia or its agents of which Synthesia becomes aware, to the extent permitted by law.

Data Encryption

Synthesia employs robust encryption mechanisms designed to protect Customer Data. All stored Customer Data is encrypted using the 256-bit Advanced Encryption Standard (AES-256). The encryption keys are stored and managed within the Amazon Key Management Service (KMS) and are rotated periodically. Amazon KMS uses hardware security modules (HSMs) that have been validated under the Federal Information Processing Standard 140-2 (FIPS 140-2). Amazon KMS is designed so that no one, including AWS employees, can retrieve the plaintext KMS keys from the service.

All communication is encrypted in transit using TLS 1.2+. We have a cryptography policy in place, which outlines encryption and key management policies and procedures.

Reliability, Backup, and Business Continuity

Synthesia has a robust system in place designed to improve reliability, backup, and business continuity.

Our infrastructure uses AWS services, which offer resilience against natural disasters in multiple availability zones. The target for full system recovery is set at 72 hours with a recovery point objective of 24 hours. We perform daily backups of the production databases for point-in-time recovery and daily snapshots, retaining these backups for at least three months. Backups are stored securely using AWS services, encrypted, and access-controlled, following the principle of least privilege. The backup recovery and deployment protocols are tested at least annually.

Redundant architecture exists such that resources are distributed across geographically dispersed data centers to help support continuous availability, as described in the data residency section below.

Additionally, our business continuity and disaster recovery plans are tested at least annually.

Data Residency

Storage and processing is performed within the cloud infrastructure provided by Amazon Web Services (AWS). Customer Data is currently stored within the European Union (EU), in data centers based in Ireland. Operational backups are also stored in Ireland and secondary backups are stored in the AWS Frankfurt region. Storage facilities use multiple availability zones, each with redundant power and networking, and physically separated by a number of miles. Video processing is performed in the United States of America (USA), specifically in Northern Virginia. The transfer of data from the EU to the USA within AWS services is safeguarded by EU approved Standard Contractual Clauses (SCCs) contained in the AWS’ Data Processing Addendum. Data processing within the USA has the same level of protection as within the European Economic Area (EEA). Synthesia has performed a transfer impact assessment regarding this transfer, which customers may access at https://security.synthesia.io/documents.

Return of Customer Data

During the term of a customer’s subscription, the customer is able to export generated videos from the Services via download onto an MP4 format. After the termination of a customer’s governing agreement with Synthesia, we are able to assist them in retrieving any generated videos in MP4 format for up to 90 days following the end of the relationship.

Deletion of Customer Data

Customers manage the content they create using the Services and can request that Synthesia delete it from the platform. Following a request, it can take up to 90 days for Customer Data to be permanently deleted from Synthesia's system, including backups. If a request is made to delete such Customer Data upon termination of an account, Synthesia will delete all copies permanently and provide confirmation of deletion. If no request for deletion is made after termination of an account, the information will automatically be deleted within 90 days. Synthesia uses AWS services for data erasure and relies on AWS for physical security controls, including ensuring proper data disposal.

Personnel Practices

Synthesia has robust personnel practices in place to help Synthesia exercise appropriate control and supervision over its personnel, including strict hiring policies with background checks and scrutiny based on job function and location. All employees are trained on information security and privacy policies as part of the onboarding process, with ongoing periodic security training provided at least annually. Employees must agree to our security policies.

All employees are bound to our internal policies, including:

• Role-based access limitations designed around the principle of least privilege with a monitored approval process
• Execution of a Non Disclosure Agreement or similar confidentiality agreements
• Comprehensive privacy and security trainings
• Immediate termination of access upon conclusion of employment
• Physical access restrictions, such as key cards and video monitoring
• Full audit logging of all access to our backend infrastructure, including actions taken
• Proactive threat intelligence management, such as dark web monitoring
• Use of FIDO2 compliant biometric or security keys, strong password complexity, default multi-factor authentication, and a password manager

Infrastructure

Subprocessors

Synthesia uses third party entities (each, a “Subprocessor”) to process Customer Data on behalf of our Customers. You can read more information about specific Subprocessors and how they interact with our Services at https://www.synthesia.io/legal/subprocessors.

We carry out compliance reviews of our Subprocessors, and where required by applicable law, Synthesia conducts Transfer Impact Assessments covering cross-border transfers of Customer Data. You may find these reports at https://security.synthesia.io/.

Synthesia additionally imposes obligations on its Subprocessors to implement appropriate technical and organizational measures around the sub-processing of Customer Data, in accordance with the standards required by applicable data protection laws.

Open Source Software

Certain components of the Services may contain open source software governed by licensing agreements. Synthesia has implemented a vulnerability management program designed to detect and remediate vulnerabilities in our codebase and infrastructure.

{{security-practises-table="/legal-security-practises-table"}}

The Services do not contain any open source software that is subject to license terms requiring Customers’ intellectual property rights be: (a) disclosed or distributed in source code or object code form or distributed in source code or object code form, (b) licensed for the purpose of creating derivative works, or (c) redistributable by third parties.