Privacy & Compliance

Zero-Retention Video Processing Architecture

Zero-retention isn't a policy — it's an architecture. When your system is incapable of retaining video beyond processing, you've eliminated entire categories of compliance risk. This guide covers how to implement true zero-retention video processing.

What Zero-Retention Actually Means

Many vendors claim "zero-retention" but implement it as policy rather than architecture. True zero-retention means:

  • No persistent storage: Video is never written to disk during processing
  • Ephemeral infrastructure: Processing containers are destroyed after each job
  • No backups: There's no backup system that could retain video
  • No training: Video isn't aggregated for model training
  • Verifiable deletion: You can prove video was deleted

The difference: if an engineer wanted to retain video, could they? With policy-based zero-retention, yes. With architectural zero-retention, no — there's nowhere for data to persist.

Ephemeral Container Architecture

The foundation of zero-retention is ephemeral processing infrastructure:

Container Lifecycle

  1. Job arrives: A fresh container is spun up
  2. Video streams in: Directly to container memory
  3. Processing occurs: In RAM, never touching disk
  4. Output streams out: To time-limited signed URL
  5. Container destroyed: Including all memory

There's no persistent filesystem in the container. Even if processing fails midway, the container is destroyed — there's no "retry from checkpoint."

Memory Isolation

Each job runs in isolated memory space. Even on shared GPU infrastructure:

  • Separate process space per job
  • GPU memory cleared between jobs
  • No shared state between customers

Implementation Patterns

Stream-Based Processing

Don't download-process-upload. Stream through:

# Pseudocode - stream processing
async def process_video(input_url, output_url):
    async with stream_from(input_url) as input_stream:
        async with stream_to(output_url) as output_stream:
            async for frame in decode(input_stream):
                enhanced = enhance_frame(frame)
                await encode_write(enhanced, output_stream)
    # Nothing persisted - streams are now closed

Signed URL Delivery

Output goes to time-limited signed URLs, not persistent storage:

  • URLs expire after 24 hours (configurable shorter)
  • Single-use option for sensitive content
  • Automatic cleanup of expired outputs

Cryptographic Deletion Certificates

On the Secure tier, you get signed proof of deletion:

{
  "job_id": "job_abc123",
  "deleted_at": "2026-07-11T14:30:00Z",
  "input_hash": "sha256:a1b2c3...",
  "output_hash": "sha256:d4e5f6...",
  "signature": "BetterVideo-signed:xyz...",
  "certificate_url": "https://api.bettervideo.io/certs/..."
}

Compliance Benefits

Zero-retention architecture simplifies compliance across frameworks:

GDPR

  • Storage limitation: Built-in — no storage beyond processing
  • Right to erasure: Automatic — nothing to erase
  • Data minimization: Architectural — can't retain what you don't need

HIPAA

  • Minimum necessary: Only process what's submitted
  • Audit controls: Every job is logged, every deletion is verified
  • Breach risk: Drastically reduced — no data to breach

Insurance & Legal

  • Chain of custody: Clear start and end points
  • Deletion proof: Certificates for legal defense
  • No discovery risk: Video doesn't exist to be discovered

When Zero-Retention Isn't Enough

Sometimes you need to retain output — but even then, apply zero-retention principles:

  • Customer-controlled storage: Output goes to customer's S3, not vendor's
  • Configurable retention: 7 days, 30 days, customer choice
  • Automatic cleanup: Deletion happens automatically at expiry
  • On-demand deletion: API endpoint to delete immediately

The principle: even when retention is required, minimize it and make deletion automatic.

Frequently Asked Questions

Thirty-day deletion is a policy. Zero-retention is an architecture where video physically cannot persist beyond processing — there's no disk to write to, no backup to retain.

Only via the time-limited signed URL. Once the URL expires (24h default), the output is gone. We don't have a copy.

The job fails, the container is destroyed, and you're notified. There's no mid-job checkpoint to resume from — this is by design.

The Secure tier provides signed deletion certificates with cryptographic hashes, timestamps, and audit logs.

Ready to get started?

Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.