Buyer Guides
Video API Security Checklist
Video data requires strong security controls. This checklist covers the security requirements you should verify before selecting a video enhancement vendor.
Data Protection
Encryption
- ☐ TLS 1.2+ for data in transit
- ☐ AES-256 for data at rest
- ☐ Encryption keys managed securely (HSM)
- ☐ Customer-managed keys available (enterprise)
Data Handling
- ☐ Clear retention policy (days, not indefinite)
- ☐ No training on customer data
- ☐ Data deletion on request
- ☐ Deletion verification available
Data Residency
- ☐ Processing region configurable
- ☐ No cross-border transfers (or documented)
- ☐ EU processing for EU data (GDPR)
Access Control
Authentication
- ☐ API key authentication
- ☐ Key rotation supported
- ☐ SSO/SAML available (enterprise)
- ☐ MFA for dashboard access
Authorization
- ☐ Role-based access control
- ☐ Least privilege principle
- ☐ Audit logs for access
API Security
- ☐ Rate limiting
- ☐ IP allowlisting available
- ☐ Request signing (HMAC)
- ☐ Webhook signature verification
Compliance
Certifications
- ☐ SOC 2 Type II
- ☐ ISO 27001 (optional but good)
- ☐ HIPAA BAA available (healthcare)
- ☐ GDPR compliant
Documentation
- ☐ Data Processing Agreement
- ☐ Security whitepaper
- ☐ Penetration test summary
- ☐ Incident response plan
Audit
- ☐ Audit logs available
- ☐ Log retention (90+ days)
- ☐ Log export available
Infrastructure Security
Cloud Security
- ☐ Major cloud provider (AWS, GCP, Azure)
- ☐ VPC isolation
- ☐ Security groups/firewalls
- ☐ DDoS protection
Container Security
- ☐ Ephemeral containers
- ☐ Container scanning
- ☐ No persistent storage
Monitoring
- ☐ Intrusion detection
- ☐ Anomaly detection
- ☐ 24/7 security monitoring
- ☐ Incident response procedures
Vendor Security Posture
Questions to Ask
- How do you handle a security incident?
- What's your breach notification timeline?
- Do you have cyber insurance?
- When was your last penetration test?
- Who has access to customer data?
Red Flags
- No SOC 2 certification
- Vague answers about data handling
- No written incident response plan
- Reluctance to sign DPA/BAA
- No penetration testing
Green Flags
- SOC 2 Type II (verified scope)
- Zero-retention architecture
- Detailed security documentation
- Quick DPA/BAA execution
- Transparent about practices
Frequently Asked Questions
TLS 1.2+ in transit, AES-256 at rest. HSM key management. Customer-managed keys for enterprise.
SOC 2 Type II is baseline. HIPAA BAA for healthcare. ISO 27001 is nice to have.
No SOC 2, vague data handling answers, no incident response plan, reluctance to sign DPA/BAA.
Ready to get started?
Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.