Buyer Guides

Video API Security Checklist

Video data requires strong security controls. This checklist covers the security requirements you should verify before selecting a video enhancement vendor.

Data Protection

Encryption

  • ☐ TLS 1.2+ for data in transit
  • ☐ AES-256 for data at rest
  • ☐ Encryption keys managed securely (HSM)
  • ☐ Customer-managed keys available (enterprise)

Data Handling

  • ☐ Clear retention policy (days, not indefinite)
  • ☐ No training on customer data
  • ☐ Data deletion on request
  • ☐ Deletion verification available

Data Residency

  • ☐ Processing region configurable
  • ☐ No cross-border transfers (or documented)
  • ☐ EU processing for EU data (GDPR)

Access Control

Authentication

  • ☐ API key authentication
  • ☐ Key rotation supported
  • ☐ SSO/SAML available (enterprise)
  • ☐ MFA for dashboard access

Authorization

  • ☐ Role-based access control
  • ☐ Least privilege principle
  • ☐ Audit logs for access

API Security

  • ☐ Rate limiting
  • ☐ IP allowlisting available
  • ☐ Request signing (HMAC)
  • ☐ Webhook signature verification

Compliance

Certifications

  • ☐ SOC 2 Type II
  • ☐ ISO 27001 (optional but good)
  • ☐ HIPAA BAA available (healthcare)
  • ☐ GDPR compliant

Documentation

  • ☐ Data Processing Agreement
  • ☐ Security whitepaper
  • ☐ Penetration test summary
  • ☐ Incident response plan

Audit

  • ☐ Audit logs available
  • ☐ Log retention (90+ days)
  • ☐ Log export available

Infrastructure Security

Cloud Security

  • ☐ Major cloud provider (AWS, GCP, Azure)
  • ☐ VPC isolation
  • ☐ Security groups/firewalls
  • ☐ DDoS protection

Container Security

  • ☐ Ephemeral containers
  • ☐ Container scanning
  • ☐ No persistent storage

Monitoring

  • ☐ Intrusion detection
  • ☐ Anomaly detection
  • ☐ 24/7 security monitoring
  • ☐ Incident response procedures

Vendor Security Posture

Questions to Ask

  1. How do you handle a security incident?
  2. What's your breach notification timeline?
  3. Do you have cyber insurance?
  4. When was your last penetration test?
  5. Who has access to customer data?

Red Flags

  • No SOC 2 certification
  • Vague answers about data handling
  • No written incident response plan
  • Reluctance to sign DPA/BAA
  • No penetration testing

Green Flags

  • SOC 2 Type II (verified scope)
  • Zero-retention architecture
  • Detailed security documentation
  • Quick DPA/BAA execution
  • Transparent about practices

Frequently Asked Questions

TLS 1.2+ in transit, AES-256 at rest. HSM key management. Customer-managed keys for enterprise.

SOC 2 Type II is baseline. HIPAA BAA for healthcare. ISO 27001 is nice to have.

No SOC 2, vague data handling answers, no incident response plan, reluctance to sign DPA/BAA.

Ready to get started?

Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.