Synthesia · Synthesia Terms of Service

Data Processing Agreement Incorporation

High severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Synthesia's handling of personal data belonging to your employees, customers, or users is governed by a separate Data Processing Agreement that is legally part of this contract.

Consumer impact (what this means for users)

Business customers must ensure the incorporated DPA is properly executed and that it meets the requirements of GDPR Article 28, particularly where avatar creation involves processing biometric or sensitive personal data of EU/UK residents.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Export Your Data
    Request a copy of Synthesia's current Data Processing Agreement and review it against GDPR Article 28 requirements before executing any service contract. Contact Synthesia's privacy team to discuss any required amendments.

Cross-platform context

See how other platforms handle Data Processing Agreement Incorporation and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The DPA defines Synthesia's obligations as a data processor under GDPR and equivalent laws — if it is not reviewed and signed properly, your organisation may be in breach of GDPR Article 28 requirements for controller-processor contracts.

View original clause language
To the extent that Synthesia processes any personal data on your behalf in connection with the Services, such processing shall be governed by the Data Processing Agreement ('DPA') available at [Synthesia DPA URL], which is incorporated into these Terms by reference and forms part of this agreement.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Article 28 mandates a binding written contract between controllers and processors specifying the subject matter, duration, nature, and purpose of processing, and the type of personal data and categories of data subjects. UK GDPR imposes identical requirements. Where processing involves special category data (biometric data under Article 9), additional safeguards and explicit consent are required. CCPA §1798.140(ag) requires service provider agreements to prohibit processing personal information beyond the stated business purpose.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has jurisdiction over deficient data processor agreements where they result in unfair or deceptive data handling practices affecting US consumers under Section 5 of the FTC Act.
    File a complaint →

Provision details

Document information
Document
Synthesia Terms of Service
Entity
Synthesia
Document last updated
April 29, 2026
Tracking information
First tracked
April 30, 2026
Last verified
April 30, 2026
Record ID
CA-P-004394
Document ID
CA-D-00471
Evidence Provenance
Source URL
https://www.synthesia.io/terms-of-service
Wayback Machine
View archived versions →
SHA-256
c160c307398b191d34823085b7d2f7605405571da01ba21c03580602a3cc6c1d
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Synthesia | Document: Synthesia Terms of Service | Record: CA-P-004394
Captured: 2026-04-30 09:49:49 UTC | SHA-256: c160c307398b191d…
URL: https://conductatlas.com/platform/synthesia/synthesia-terms-of-service/data-processing-agreement-incorporation/
Accessed: May 2, 2026
Classification
Severity
High
Categories
Unknown

Other provisions in this document