Privacy Checklist Before Uploading Sensitive Video to AI Tools
Uploading the wrong video to the wrong platform can expose confidential client information, trigger regulatory violations, create evidence admissibility problems, or cause a data breach that affects the people in your footage. This checklist — built for lawyers, investigators, healthcare workers, corporate security teams, and journalists — helps you avoid all of it.
BetterVideo: designed to pass this checklist. No training. No sharing. 30-day deletion.
Why a Pre-Upload Checklist Matters
In the rush to get a useful enhancement of important footage, it is easy to skip the due diligence that distinguishes responsible professional use of AI tools from careless exposure of sensitive information. The consequences of that skip can be severe: a HIPAA violation with civil monetary penalties, an ethics complaint to a state bar, a breach notification obligation affecting dozens of clients, or evidentiary challenges that undermine the value of the very footage you were trying to improve.
This checklist is designed to take no more than 15-30 minutes to complete for a new vendor and 5 minutes for a vendor you have already evaluated. It covers four categories: the content itself, the vendor, the technical process, and the documentation you need afterward. Use it every time you upload sensitive footage to any AI tool, and use it when evaluating new vendors before making them part of your workflow.
Section 1: Content Assessment (Before You Upload Anything)
Start with the footage itself. Understanding what you have determines what protections apply and what your obligations are.
- Classify the content: Does the video contain any of the following? Identifiable individuals (faces visible), protected health information (medical context), attorney-client privileged communications, corporate trade secrets or proprietary processes, footage of minors, confidential investigation material, or personally identifiable information that is regulated by privacy law (GDPR, CCPA, biometric data laws). If any of these apply, the video is sensitive.
- Identify applicable regulations: For healthcare footage — HIPAA. For footage of EU residents — GDPR. For footage of California residents — CCPA. For footage of employees in many states — various state biometric privacy laws. For attorney work product — professional conduct rules. For investigation evidence — applicable evidentiary rules.
- Assess consent status: Do the individuals in the footage have notice that their footage may be processed by third-party tools? Is there a consent form, employment agreement, or client engagement that covers this? If not, determine whether your jurisdiction requires consent for the specific use you're contemplating.
- Consider anonymization: Is any portion of the footage more sensitive than the rest? Could you redact or blur the most sensitive portions before uploading, reducing the exposure window while still getting the enhancement benefit for the portions you need?
Section 2: Vendor Evaluation
Not every AI video tool is appropriate for every type of footage. This section ensures the vendor meets your minimum requirements before any footage is shared.
- AI training policy: Has the vendor explicitly confirmed, in writing, that uploaded videos are not used to train, fine-tune, or update AI models? If yes, document the confirmation. If the vendor cannot or will not confirm this, do not upload sensitive footage.
- Data retention policy: What is the maximum period the vendor retains your video? This includes primary storage, backup copies, and disaster recovery snapshots. Is there automatic deletion? Is the deletion policy contractually binding?
- Encryption: Does the vendor use TLS for data transmission and AES-256 (or equivalent) for storage? Ask directly; do not assume.
- Access controls: Who at the vendor can access your uploaded footage? Is access logged? Is it limited to automated processing or can vendor employees access it? For sensitive content, the answer should be: automated processing only, with documented exceptions.
- Subprocessors: Does the vendor use third-party services (GPU providers, storage vendors, analytics tools) that also process your content? What are their policies? Are they bound by the same confidentiality obligations as the primary vendor?
- Data Processing Agreement: Is the vendor willing to sign a DPA that establishes your requirements contractually? For professional use, consumer terms of service are not adequate.
- Breach notification: Does the vendor have a documented breach notification process? What is their notification timeline?
Section 3: Pre-Upload Technical Process
Before the footage leaves your systems, take these technical steps to protect its integrity and establish a foundation for documentation.
- Preserve the original: Create a copy of the original, unmodified footage on a separate storage medium (external drive, separate secure cloud storage). Verify that the copy is complete and intact. This copy must remain unmodified throughout the enhancement process.
- Compute and record a file hash: Compute the SHA-256 hash of the original file and record it along with the file name, size, format, duration, and creation date. This will be used to verify the original was not modified.
- Redact if necessary: If any portion of the footage should not be shared with the vendor, redact it before uploading. Use a video editing tool that does not re-encode the non-redacted portions if possible, to minimize quality loss.
- Prepare upload documentation: Record the date, time, vendor name, upload URL, and user account used for the upload. This is part of the chain of custody record.
- Verify your connection: Ensure you are uploading from a secure network (not public Wi-Fi). Verify that the upload URL uses HTTPS.
Section 4: Post-Processing Documentation
After the enhancement is complete and you have downloaded the output, document the process immediately while the details are fresh.
- Record enhancement details: The name of the tool used, the version or build number, the date and time of processing, the specific enhancement settings applied, and who performed the enhancement.
- Hash the output: Compute the SHA-256 hash of the enhanced output file and record it.
- Document the changes: Create a written description of what the enhancement did to the footage — what was improved, how, and using what AI models. For evidence use, this description should be understandable to a non-technical audience.
- Prepare comparison materials: Create a side-by-side comparison of representative frames from original and enhanced footage. Label each clearly.
- Schedule deletion: Record when you expect the vendor to delete your footage based on their stated retention policy. If the vendor offers manual deletion, delete the footage immediately after downloading if you will not need to re-access it through the platform.
- Retain documentation: Keep all of the above documentation for at least as long as the underlying matter requires. For evidence-related footage, retain through final resolution plus applicable appeal periods.
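The hashing and record-keeping steps from Sections 3 and 4, as an added example that is not part of the original checklist or any vendor's tooling. The vendor name, URL, account and file names are constructed placeholders; format, duration and creation date are assumed to be entered by hand or taken from a media-inspection tool.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone
from urllib.parse import urlparse

def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file so multi-gigabyte footage never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def file_entry(path, role):
    """One custody-log entry: role, name, size, hash and UTC timestamp."""
    return {
        "role": role,
        "file_name": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def build_custody_record(original, preserved_copy, enhanced, vendor, upload_url, account):
    """Refuse to proceed if the upload is not HTTPS or the preserved copy differs."""
    if urlparse(upload_url).scheme != "https":
        raise ValueError("upload URL must use HTTPS")
    orig = file_entry(original, "original")
    copy = file_entry(preserved_copy, "preserved_copy")
    if orig["sha256"] != copy["sha256"]:
        raise ValueError("preserved copy does not match the original")
    return {
        "vendor": vendor, "upload_url": upload_url, "account": account,
        "files": [orig, copy, file_entry(enhanced, "enhanced_output")],
    }

def demo():
    """Constructed stand-in files; real use passes the actual footage paths."""
    contents = {"clip.mp4": b"constructed footage",
                "clip_copy.mp4": b"constructed footage",
                "clip_enhanced.mp4": b"constructed enhanced"}
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in contents]
        for path, data in zip(paths, contents.values()):
            with open(path, "wb") as fh:
                fh.write(data)
        return build_custody_record(*paths, vendor="ExampleVendor",
            upload_url="https://upload.example.com/", account="analyst@example.org")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-running sha256_file on the preserved original at any later date and comparing it with the recorded value shows whether that copy has stayed unmodified.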
Quick Reference: The Complete Checklist
Content:
- ☐ Content classified: identified all sensitive elements (PII, PHI, privilege, trade secrets, minors)
- ☐ Applicable regulations identified (HIPAA, GDPR, CCPA, bar rules, evidentiary rules)
- ☐ Consent status assessed for identifiable individuals in footage
- ☐ Anonymization or partial redaction considered where appropriate
Vendor:
- ☐ Written confirmation that uploads are not used for AI training
- ☐ Specific data retention periods confirmed for all data types
- ☐ Encryption in transit (TLS) and at rest (AES-256) confirmed
- ☐ Access controls: who can access footage and under what circumstances
- ☐ Subprocessor list reviewed
- ☐ DPA signed or reviewed
- ☐ Breach notification process reviewed
Technical process:
- ☐ Original preserved on separate storage
- ☐ SHA-256 hash computed and recorded for original
- ☐ Sensitive portions redacted if necessary
- ☐ Upload documentation prepared (date, time, vendor, account)
- ☐ Secure network used for upload
Post-processing:
- ☐ Enhancement details recorded (tool, version, date, settings)
- ☐ SHA-256 hash computed and recorded for enhanced output
- ☐ Written description of enhancement prepared
- ☐ Comparison materials created
- ☐ Deletion scheduled or manual deletion performed
- ☐ Documentation retained appropriately
Frequently Asked Questions
Video is sensitive when it contains or could reveal: personally identifiable information (faces, voices), protected health information, privileged communications, trade secrets, footage of minors, or confidential investigative material. When in doubt, treat it as sensitive.
Consent requirements depend on jurisdiction, purpose, and the relationship between you and the individuals in the footage. GDPR, CCPA, biometric privacy laws, and HIPAA all impose different consent frameworks. For professional footage (clients, patients, employees), your engagement terms or employment agreements likely address this — review them before uploading.
Retain documentation for at least as long as the underlying matter requires, plus any applicable appeal or limitation period. For evidence footage, retain through final resolution of the matter. For business footage, follow your organization's standard document retention policy. If in doubt, retain longer rather than shorter.
Yes. BetterVideo does not train on uploaded content (written confirmation available), maintains a 30-day auto-deletion policy with no backup retention of user video, uses TLS + AES-256 encryption, provides access-controlled storage, and is available to sign a DPA. It is built for the professional use cases this checklist addresses.
Assess the current state: is the footage still on the vendor's platform? What are their retention policies? Can you manually delete it? Review the vendor's terms for any data use that may have already occurred. If your organization has a security incident response process, consider whether this situation triggers it.