Privacy & Compliance

Enterprise Video Encryption Standards

Video requires encryption at every stage: when it's moving (transit), when it's stored (rest), and ideally when it's being processed (in use). This guide covers encryption standards for enterprise video processing.

Encryption in Transit

All video moving over networks must be encrypted:

TLS Requirements

  • TLS 1.3: Required for all connections
  • TLS 1.2: Supported with strong cipher suites only
  • TLS 1.1 and below: Not supported

Cipher Suites

We support only modern, secure ciphers:

  • TLS_AES_256_GCM_SHA384 (TLS 1.3)
  • TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
  • ECDHE + AES-256-GCM (TLS 1.2)

Certificate Pinning

SDKs implement certificate pinning to prevent MITM attacks. Even if a CA is compromised, our SDK won't accept a fraudulent certificate.

Upload Integrity

Chunked uploads include:

  • Per-chunk checksums
  • Resume capability without re-upload
  • Final hash verification

Encryption at Rest

Any video that touches storage is encrypted:

Standard: AES-256-GCM

  • 256-bit keys
  • Galois/Counter Mode for authenticated encryption
  • NIST-approved, FIPS 140-2 validated

Key Hierarchy

Root Key (HSM)
  └── Data Encryption Key (per customer)
        └── File Key (per video)

Each video has its own key, derived from your customer key, derived from the root.

Key Management

  • HSM storage: Root keys never leave hardware security module
  • Key rotation: Automatic rotation on schedule
  • Key destruction: On customer deletion, keys are destroyed

Customer-Managed Keys (Enterprise)

On enterprise tiers, bring your own keys:

  • Keys stored in your cloud KMS (AWS KMS, Azure Key Vault, GCP KMS)
  • We request decryption permission per-job
  • You can revoke access instantly
  • Full key lifecycle in your control

Encryption in Use (Confidential Computing)

The hardest problem: protecting video while it's being processed.

The Challenge

Traditional processing requires decrypted video in memory. Anyone with memory access (compromised server, malicious insider) could access it.

BetterVideo's Approach

We mitigate this through:

  • Ephemeral processing: Video is in memory briefly, then gone
  • Memory isolation: Each job runs in isolated process space
  • Container destruction: Processing containers destroyed after job
  • GPU memory clearing: GPU memory wiped between jobs

True Confidential Computing (Enterprise)

For maximum protection, enterprise tiers offer:

  • AMD SEV-SNP: Encrypted memory, hardware-attested
  • Intel SGX: Encrypted enclaves for sensitive processing
  • Attestation: Cryptographic proof of processing environment

Frequently Asked Questions

TLS 1.3 for transit, AES-256-GCM for storage. Per-customer keys, HSM management, and optional customer-managed keys on enterprise tiers.

Yes — enterprise tiers support customer-managed keys through AWS KMS, Azure Key Vault, or GCP KMS.

We use ephemeral containers and memory isolation. For maximum protection, enterprise tiers offer confidential computing with AMD SEV-SNP or Intel SGX.

Ready to get started?

Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.