Your Users' Videos Aren't Safe. Here's How We Designed Ours to Be.

Most video APIs store your users' recordings in shared buckets with public URLs. VIDTREO uses private encrypted storage, temporary presigned URLs, and authenticated encryption for stored credentials, and lets you bring your own S3 or R2 bucket for full data sovereignty.

Christian Segovia, March 21, 2026

TL;DR

  • Most video recording APIs store files in shared buckets with long-lived or permanent public URLs
  • VIDTREO stores every video in private encrypted storage with zero public access — files are only reachable via presigned URLs that expire in minutes
  • Customer storage credentials are encrypted at rest with industry-standard authenticated encryption before touching the database
  • Bring Your Own Bucket — connect your own R2 or S3-compatible storage for full data sovereignty
  • Every API request is scoped to a specific environment + API key — no cross-tenant access, ever

The Problem Nobody Talks About

When you add video recording to your app, your users trust you with something personal: their face, their voice, their identity. A candidate recording a job interview. A patient describing symptoms. A student submitting an assignment.

Where do those videos end up?

With most video APIs, the answer is: a shared bucket with a permanent URL. Anyone with the link can access the file. Forever. No expiration. No access control. The URL is the security model.

That’s not security. That’s a liability.

How VIDTREO Handles Storage

We designed our storage layer assuming every video contains sensitive data. Not because compliance requires it (though it does), but because it’s the right default.

Layer 1: No Public Access

Videos uploaded through the VIDTREO SDK land in private storage buckets with no public access enabled. There’s no CDN URL. No public endpoint. The bucket is invisible to the internet.

To access a video, your application requests a presigned URL generated server-side. That URL works for a few minutes. After that, it’s dead. No caching, no sharing, no accidental exposure.

This means that even if a URL leaks (in a log, in a Slack message, in a browser history), it stops working within minutes, so the window in which anyone could misuse it is short.
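To make the expiry mechanism concrete, here is an added example (not VIDTREO's code) of how an S3-compatible presigned GET URL is built with AWS Signature Version 4 and how its lifetime is evaluated. The host, object key, credentials and the 300-second lifetime are constructed sample values, and Node's crypto module is used so the block runs offline.

```javascript
const { createHmac, createHash } = require("node:crypto");

const hmac = (key, data) => createHmac("sha256", key).update(data).digest();
const sha256hex = (s) => createHash("sha256").update(s).digest("hex");
// SigV4 wants strict RFC 3986 encoding; encodeURIComponent leaves !'()* alone.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// Build a SigV4 query-signed GET URL. Only the server holds secretAccessKey.
function presignGet({ host, key, region, accessKeyId, secretAccessKey, expiresIn, now }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // 20260321T120000Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  const path = "/" + key.split("/").map(enc).join("/");
  const query = [ // parameter names are already in sorted order
    ["X-Amz-Algorithm", "AWS4-HMAC-SHA256"],
    ["X-Amz-Credential", `${accessKeyId}/${scope}`],
    ["X-Amz-Date", amzDate],
    ["X-Amz-Expires", String(expiresIn)], // lifetime in seconds, covered by the signature
    ["X-Amz-SignedHeaders", "host"],
  ].map(([k, v]) => `${k}=${enc(v)}`).join("&");
  const canonical = ["GET", path, query, `host:${host}\n`, "host", "UNSIGNED-PAYLOAD"].join("\n");
  const toSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256hex(canonical)].join("\n");
  let k = hmac("AWS4" + secretAccessKey, day);
  for (const part of [region, "s3", "aws4_request"]) k = hmac(k, part);
  return `https://${host}${path}?${query}&X-Amz-Signature=${hmac(k, toSign).toString("hex")}`;
}

// What the storage service checks before serving: signing time + lifetime vs. now.
function isExpired(url, now) {
  const q = new URL(url).searchParams;
  const d = q.get("X-Amz-Date");
  const signedAt = Date.parse(`${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 11)}:${d.slice(11, 13)}:${d.slice(13)}`);
  return now.getTime() > signedAt + Number(q.get("X-Amz-Expires")) * 1000;
}

// Constructed sample values; the keys are placeholders, not real credentials.
const SAMPLE = {
  host: "videos.example-storage.test", key: "env_prod/recordings/interview 01.webm",
  region: "us-east-1", accessKeyId: "EXAMPLEACCESSKEYID", secretAccessKey: "example-secret-key",
  expiresIn: 300, now: new Date("2026-03-21T12:00:00Z"),
};
```

Because X-Amz-Expires is part of the signed query string, a recipient who edits the lifetime in a leaked URL changes the canonical request and the signature no longer verifies.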

Layer 2: Environment Isolation

Every VIDTREO account can create multiple environments (production, staging, testing). Each environment is a complete isolation boundary:

  • Separate storage namespace — videos from one environment cannot be accessed from another
  • Separate API keys — each environment has its own scoped keys
  • Separate configuration — storage type, encoding presets, webhooks — all per-environment

A request with a staging API key cannot access production videos. The isolation is architectural, not just permission-based.

Layer 3: Credential Encryption

When customers connect their own storage (more on that below), they provide credentials: access keys, secret keys, account IDs. This is sensitive material.

We encrypt every credential field using authenticated encryption before it reaches the database. The encryption uses the Web Crypto API natively on Cloudflare Workers — no third-party libraries, no external KMS calls. Key derivation is designed to make brute-force attacks computationally expensive even if the database were compromised.

Credentials are decrypted only at the moment of use, in memory, for the duration of the storage operation. They’re never logged, never cached in plaintext, never returned in API responses.
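A sketch of field-level credential encryption with the Web Crypto API, as an added example that is not VIDTREO's implementation. The page names neither the cipher nor the key-derivation function, so AES-256-GCM, PBKDF2-HMAC-SHA-256, the iteration count, the blob layout and the `masterSecret` and `context` parameters are all assumptions.

```javascript
const { webcrypto } = require("node:crypto"); // in a Worker, `crypto` is already global
const { subtle } = webcrypto;
const te = new TextEncoder();

// Assumed parameters: the page names neither the cipher nor the KDF.
const ITERATIONS = 100_000, SALT_LEN = 16, IV_LEN = 12;

async function deriveKey(masterSecret, salt) {
  const base = await subtle.importKey("raw", te.encode(masterSecret), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey({ name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// `context` (for example "env_prod:secretAccessKey") is authenticated as AAD, so a
// ciphertext copied into another environment's row or another field will not decrypt.
async function encryptField(masterSecret, context, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per record
  const iv = webcrypto.getRandomValues(new Uint8Array(IV_LEN));     // never reused with a key
  const key = await deriveKey(masterSecret, salt);
  const ct = new Uint8Array(await subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: te.encode(context) }, key, te.encode(plaintext)));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length); // salt | iv | ciphertext+tag
  out.set(salt, 0); out.set(iv, SALT_LEN); out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

// Rejects (throws) if the blob, the context or the master secret does not match.
async function decryptField(masterSecret, context, blob) {
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(masterSecret, salt);
  const pt = await subtle.decrypt(
    { name: "AES-GCM", iv, additionalData: te.encode(context) }, key, blob.subarray(SALT_LEN + IV_LEN));
  return new TextDecoder().decode(pt);
}
```

The authentication tag is what makes the encryption "authenticated": a modified blob or a mismatched context causes `decryptField` to reject instead of returning altered plaintext.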

Layer 4: API Key Scoping

Every SDK request goes through API key authentication. But VIDTREO API keys aren’t just bearer tokens — they’re scoped to a specific environment with granular permissions.

The system validates:

  1. The API key exists and is active
  2. The key has permission for the requested operation (upload, list, read, delete)
  3. The key’s environment matches the requested resource

A valid API key for Environment A cannot read videos from Environment B. The correct storage backend and credentials are resolved per-environment at runtime.
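The three checks above, written as one deny-by-default function. This is an added example, not VIDTREO's code: the key strings, environment ids, video ids, the hashed key store and the choice of status codes are all constructed assumptions.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// API keys are long random strings, so a plain SHA-256 is enough to avoid
// storing them in the clear (assumption: keys are generated, not user-chosen).
const sha256 = (s) => createHash("sha256").update(s).digest();

// Constructed key store: each record binds a key hash to exactly one environment.
const KEYS = [
  { hash: sha256("vk_test_staging_abc"), env: "env_staging", active: true, perms: new Set(["upload", "list", "read"]) },
  { hash: sha256("vk_test_prod_xyz"), env: "env_prod", active: true, perms: new Set(["read"]) },
  { hash: sha256("vk_test_revoked"), env: "env_prod", active: false, perms: new Set(["read", "delete"]) },
];
// Constructed video index: every record carries the environment that owns it.
const VIDEOS = new Map([["vid_1", { env: "env_prod" }], ["vid_2", { env: "env_staging" }]]);

function authorize(presentedKey, operation, videoId) {
  // 1. The key exists and is active.
  const h = sha256(presentedKey);
  const rec = KEYS.find((k) => timingSafeEqual(k.hash, h));
  if (!rec || !rec.active) return { ok: false, status: 401, reason: "invalid_key" };
  // 2. The key has permission for the requested operation.
  if (!rec.perms.has(operation)) return { ok: false, status: 403, reason: "operation_not_permitted" };
  // 3. The key's environment matches the resource. The environment comes from the
  //    key record, never from a request parameter. "Missing" and "owned by another
  //    environment" get the same answer, so ids cannot be probed across environments.
  const video = VIDEOS.get(videoId);
  if (!video || video.env !== rec.env) return { ok: false, status: 404, reason: "not_found" };
  return { ok: true, env: rec.env };
}
```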

Bring Your Own Bucket

Default VIDTREO storage works for most teams. But some organizations — healthcare, finance, government, enterprise — need videos stored in infrastructure they control.

VIDTREO supports three storage modes per environment:

| Mode | Description | Use Case |
| --- | --- | --- |
| Default | VIDTREO-managed storage | Most teams — zero config |
| Your R2 | Your own Cloudflare R2 bucket | Teams already on Cloudflare |
| Your S3 | Any S3-compatible storage (AWS, MinIO, Backblaze) | Enterprise, on-prem, multi-cloud |

How It Works

In your VIDTREO dashboard, configure custom storage per environment. Provide your bucket credentials, and VIDTREO validates them before saving. From that point forward, every video recorded in that environment goes directly to your bucket.

The path structure is configurable — use our default organization or define your own prefix to match your existing storage conventions.

What This Means in Practice

With BYOB enabled, your videos never touch VIDTREO storage. The upload path is:

VIDTREO Recorder → VIDTREO Edge API → Your Bucket

VIDTREO acts as the processing layer — handling encoding, duration extraction, billing, and metadata — but the video file itself lands in storage you own. You control retention policies, geographic location, backup schedules, and access logs.

If you stop using VIDTREO tomorrow, your videos are already in your bucket. No migration, no export, no data hostage situation.

What’s Coming Next

We’re actively evaluating additional storage backends based on customer demand:

  • Google Cloud Storage — for teams on GCP
  • Azure Blob Storage — for enterprise Microsoft environments
  • SFTP — for legacy systems and air-gapped networks

These will follow the same pattern: encrypted credentials, per-environment configuration, validated at setup time.

The Security Model, Summarized

Every component in our storage pipeline is designed with zero-trust assumptions:

| Principle | How We Apply It |
| --- | --- |
| No permanent URLs | Presigned URLs expire in minutes — no long-lived access tokens |
| No shared buckets | Each environment has its own isolated storage namespace |
| No plaintext credentials | Customer storage secrets are encrypted at rest with authenticated encryption |
| No cross-tenant access | API keys are scoped per-environment with granular permissions |
| No vendor lock-in | BYOB lets you own your data from day one |

Getting Started

Every VIDTREO account gets secure storage by default:

  • $1 free credit — enough for ~100 HD minutes with full encryption and presigned URL delivery
  • $0.01/min for HD — recording + transcoding + encrypted storage + presigned delivery
  • BYOB available on all plans — connect your own R2 or S3 bucket with zero markup

Your users trust you with their most personal data. Don’t store it in a bucket with a permanent public URL.
