Synthesia acts as the data controller for individual users and as a data processor for business customers who use the platform on behalf of their own users or employees, with a separate legal agreement governing each relationship.
This analysis describes what Synthesia's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The distinction between controller and processor determines who is ultimately responsible for your data rights; if you are an employee or end user of a business that uses Synthesia, your data rights may need to be exercised through that business rather than directly with Synthesia.
If your employer or organization uses Synthesia and you interact with the platform through them, the business customer is likely the data controller and bears primary responsibility for your data, which may affect who you need to contact to exercise rights like access or deletion.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
Synthesia has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"In some cases, we act as a data controller in respect of your personal data. In other cases, particularly where we process data on behalf of our business customers, we act as a data processor. Where we act as a data processor, our processing activities are governed by a Data Processing Agreement with the relevant business customer.— Excerpt from Synthesia's Synthesia Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Articles 26, 28, and 29 govern the controller-processor relationship, requiring a written Data Processing Agreement that specifies the subject matter, duration, nature, and purpose of processing, as well as the obligations and rights of the controller. UK GDPR mirrors these requirements. CCPA and CPRA impose analogous service provider contract requirements on California-based businesses using processors. Failure to have an adequate DPA in place can expose both parties to regulatory liability. (2) GOVERNANCE EXPOSURE: Medium. The dual-role structure is standard in B2B SaaS but creates compliance complexity when personal data flows through multiple layers. Enterprise customers who fail to execute an adequate DPA with Synthesia, or who do not conduct appropriate due diligence on Synthesia as a processor, may face regulatory exposure under GDPR Article 28 for inadequate processor oversight. (3) JURISDICTION FLAGS: EU and UK enterprise customers face the most immediate exposure if DPAs are absent or inadequate. California enterprise customers must ensure Synthesia qualifies as a service provider under CPRA and that the contract prohibits sale or cross-context behavioral advertising use of the data. Organizations in regulated sectors such as healthcare or finance should assess whether additional sector-specific processor requirements apply. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request and review Synthesia's standard DPA before onboarding, verify that the sub-processor list is current and that sub-processor change notification obligations are contractually secured, and confirm that audit rights are available. The DPA should address breach notification timelines consistent with GDPR's 72-hour notification requirement. (5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that the executed DPA covers all processing activities including avatar data, analytics, and any data shared with sub-processors. Organizations should map which employees or end users interact with Synthesia and ensure appropriate privacy notices cover that processing. Annual vendor reviews should include reassessment of Synthesia's DPA and sub-processor list.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The distinction between controller and processor determines who is ultimately responsible for your data rights; if you are an employee or end user of a business that uses Synthesia, your data rights may need to be exercised through that business rather than directly with Synthesia.
If your employer or organization uses Synthesia and you interact with the platform through them, the business customer is likely the data controller and bears primary responsibility for your data, which may affect who you need to contact to exercise rights like access or deletion.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Synthesia.