Synthesia acts as the data controller for individual users and as a data processor for business customers who use the platform on behalf of their own users or employees, with a separate legal agreement governing each relationship.
This analysis describes what Synthesia's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The distinction between controller and processor determines who is ultimately responsible for your data rights; if you are an employee or end user of a business that uses Synthesia, your data rights may need to be exercised through that business rather than directly with Synthesia.
If your employer or organization uses Synthesia and you interact with the platform through them, the business customer is likely the data controller and bears primary responsibility for your data, which may affect who you need to contact to exercise rights like access or deletion.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Synthesia has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"In some cases, we act as a data controller in respect of your personal data. In other cases, particularly where we process data on behalf of our business customers, we act as a data processor. Where we act as a data processor, our processing activities are governed by a Data Processing Agreement with the relevant business customer.— Excerpt from Synthesia's Synthesia Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Articles 26, 28, and 29 govern the controller-processor relationship, requiring a written Data Processing Agreement that specifies the subject matter, duration, nature, and purpose of processing, as well as the obligations and rights of the controller. UK GDPR mirrors these requirements. CCPA and CPRA impose analogous service provider contract requirements on California-based businesses using processors. Failure to have an adequate DPA in place can expose both parties to regulatory liability. (2) GOVERNANCE EXPOSURE: Medium. The dual-role structure is standard in B2B SaaS but creates compliance complexity when personal data flows through multiple layers. Enterprise customers who fail to execute an adequate DPA with Synthesia, or who do not conduct appropriate due diligence on Synthesia as a processor, may face regulatory exposure under GDPR Article 28 for inadequate processor oversight. (3) JURISDICTION FLAGS: EU and UK enterprise customers face the most immediate exposure if DPAs are absent or inadequate. California enterprise customers must ensure Synthesia qualifies as a service provider under CPRA and that the contract prohibits sale or cross-context behavioral advertising use of the data. Organizations in regulated sectors such as healthcare or finance should assess whether additional sector-specific processor requirements apply. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request and review Synthesia's standard DPA before onboarding, verify that the sub-processor list is current and that sub-processor change notification obligations are contractually secured, and confirm that audit rights are available. The DPA should address breach notification timelines consistent with GDPR's 72-hour notification requirement. (5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that the executed DPA covers all processing activities including avatar data, analytics, and any data shared with sub-processors. Organizations should map which employees or end users interact with Synthesia and ensure appropriate privacy notices cover that processing. Annual vendor reviews should include reassessment of Synthesia's DPA and sub-processor list.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The distinction between controller and processor determines who is ultimately responsible for your data rights; if you are an employee or end user of a business that uses Synthesia, your data rights may need to be exercised through that business rather than directly with Synthesia.
If your employer or organization uses Synthesia and you interact with the platform through them, the business customer is likely the data controller and bears primary responsibility for your data, which may affect who you need to contact to exercise rights like access or deletion.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Synthesia.