Zero-Retention Video Processing Architecture
Zero-retention isn't a policy — it's an architecture. When your system is incapable of retaining video beyond processing, you've eliminated entire categories of compliance risk. This guide covers how to implement true zero-retention video processing.
What Zero-Retention Actually Means
Many vendors claim "zero-retention" but implement it as policy rather than architecture. True zero-retention means:
- No persistent storage: Video is never written to disk during processing
- Ephemeral infrastructure: Processing containers are destroyed after each job
- No backups: There's no backup system that could retain video
- No training: Video isn't aggregated for model training
- Verifiable deletion: You can prove video was deleted
The difference: if an engineer wanted to retain video, could they? With policy-based zero-retention, yes. With architectural zero-retention, no — there's nowhere for data to persist.
Ephemeral Container Architecture
The foundation of zero-retention is ephemeral processing infrastructure:
Container Lifecycle
- Job arrives: A fresh container is spun up
- Video streams in: Directly to container memory
- Processing occurs: In RAM, never touching disk
- Output streams out: To time-limited signed URL
- Container destroyed: Including all memory
There's no persistent filesystem in the container. Even if processing fails midway, the container is destroyed — there's no "retry from checkpoint."
Memory Isolation
Each job runs in isolated memory space. Even on shared GPU infrastructure:
- Separate process space per job
- GPU memory cleared between jobs
- No shared state between customers
Implementation Patterns
Stream-Based Processing
Don't download-process-upload. Stream through:
# Pseudocode - stream processing
async def process_video(input_url, output_url):
async with stream_from(input_url) as input_stream:
async with stream_to(output_url) as output_stream:
async for frame in decode(input_stream):
enhanced = enhance_frame(frame)
await encode_write(enhanced, output_stream)
# Nothing persisted - streams are now closed
Signed URL Delivery
Output goes to time-limited signed URLs, not persistent storage:
- URLs expire after 24 hours (configurable shorter)
- Single-use option for sensitive content
- Automatic cleanup of expired outputs
Cryptographic Deletion Certificates
On the Secure tier, you get signed proof of deletion:
{
"job_id": "job_abc123",
"deleted_at": "2026-07-11T14:30:00Z",
"input_hash": "sha256:a1b2c3...",
"output_hash": "sha256:d4e5f6...",
"signature": "BetterVideo-signed:xyz...",
"certificate_url": "https://api.bettervideo.io/certs/..."
}
Compliance Benefits
Zero-retention architecture simplifies compliance across frameworks:
GDPR
- Storage limitation: Built-in — no storage beyond processing
- Right to erasure: Automatic — nothing to erase
- Data minimization: Architectural — can't retain what you don't need
HIPAA
- Minimum necessary: Only process what's submitted
- Audit controls: Every job is logged, every deletion is verified
- Breach risk: Drastically reduced — no data to breach
Insurance & Legal
- Chain of custody: Clear start and end points
- Deletion proof: Certificates for legal defense
- No discovery risk: Video doesn't exist to be discovered
When Zero-Retention Isn't Enough
Sometimes you need to retain output — but even then, apply zero-retention principles:
- Customer-controlled storage: Output goes to customer's S3, not vendor's
- Configurable retention: 7 days, 30 days, customer choice
- Automatic cleanup: Deletion happens automatically at expiry
- On-demand deletion: API endpoint to delete immediately
The principle: even when retention is required, minimize it and make deletion automatic.
Frequently Asked Questions
Thirty-day deletion is a policy. Zero-retention is an architecture where video physically cannot persist beyond processing — there's no disk to write to, no backup to retain.
Only via the time-limited signed URL. Once the URL expires (24h default), the output is gone. We don't have a copy.
The job fails, the container is destroyed, and you're notified. There's no mid-job checkpoint to resume from — this is by design.
The Secure tier provides signed deletion certificates with cryptographic hashes, timestamps, and audit logs.
Ready to get started?
Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.