StormInterView
GDPR & Compliance

Video Interview Security: Encryption, Storage, and Infrastructure Best Practices

8 min readMarch 6, 2026

This is what StormInterview does. Async video interviews, AI cheating detection, structured scoring. One link to a candidate, done.

Free for 14 days. No card.

Try it

Video Data Is High-Value, High-Risk

Video interview recordings contain some of the most sensitive candidate data: faces, voices, body language, and often environmental context. A single breach can expose thousands of candidates and trigger GDPR fines up to EUR 20 million. The category is growing fast: USD 511 million in 2024 heading to USD 1.33 billion by 2035 at 9.2% CAGR (OMR Global, 2025). More attackers are paying attention, which makes architecture a competitive issue.

Encryption: The Non-Negotiable Foundation

Data in Transit

All video data transmitted between the candidate’s browser and the platform must use TLS 1.3 (or at minimum TLS 1.2). TLS 1.3 reduces handshake latency and eliminates legacy cipher suites vulnerable to attacks like BEAST and POODLE. Ensure your platform enforces HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.

Data at Rest

Stored video recordings should be encrypted using AES-256, the standard recommended by NIST and adopted by financial institutions worldwide. Key management is equally important:

  • Use a dedicated Key Management Service (KMS) such as AWS KMS or Azure Key Vault
  • Rotate encryption keys on a defined schedule (90 days is a common benchmark)
  • Implement envelope encryption: data keys encrypt the video, and a master key encrypts the data keys

Storage Architecture

Where and how video data is stored matters as much as how it is encrypted:

  • EU-based data centres: For GDPR compliance, ensure video data never leaves the EU/EEA. This eliminates the need for international transfer mechanisms like SCCs.
  • Object storage with versioning disabled: Use object storage (e.g., S3-compatible) with versioning turned off to ensure deleted data is truly deleted.
  • Separate storage for different data types: Video recordings, transcripts, and evaluation data should be stored in separate, access-controlled buckets.
  • Signed URLs with short expiry: Never expose permanent URLs to video content. Use pre-signed URLs that expire within minutes.

Access Controls

Robust access controls prevent insider threats and limit blast radius:

  • Role-based access control (RBAC): Only hiring managers for a specific role should access that role’s recordings.
  • Multi-factor authentication (MFA): Require MFA for all admin and recruiter accounts.
  • Audit logging: Record every access to video data, who, when, from where, and what action they took.
  • Principle of least privilege: Default to no access; grant only what is needed.

Infrastructure Security

Beyond application-level security, the underlying infrastructure must be hardened:

  • Regular penetration testing (at least annually, ideally quarterly)
  • Vulnerability scanning of all dependencies
  • DDoS protection for candidate-facing endpoints
  • Network segmentation to isolate video processing services
  • Incident response plan with defined RTOs and RPOs

StormInterview’s Security Architecture

StormInterview encrypts all data with AES-256 at rest and TLS 1.3 in transit. All infrastructure is hosted in EU data centres. RBAC, MFA, audit logging, and automatic retention-based deletion are included in every plan starting at €79/month. Annual penetration tests are conducted by independent third parties.

Start a free trial.

Read enough. See it in action.

Create an interview in 5 minutes. 14 days free. We don't ask for a card.

Start free

Cancel anytime.

Related articles

GDPR & Compliance

EU AI Act for Recruiters: Seven Questions to Ask Your Tools Before August 2026

August 2026 is three months away. If your interview platform uses AI scoring, transcription, or automated screening, these seven questions tell you whether your vendor is ready.

7 min read
GDPR & Compliance

How to Handle Candidate Data Requests Under GDPR: A Step-by-Step SAR Guide

Under GDPR Article 15, every candidate can request a copy of all personal data you hold about them. With SAR complaints rising 36% year-over-year, here is how to handle them properly.

7 min read
GDPR & Compliance

EU Data Privacy Laws and Recruitment Technology: What You Need to Know in 2026

European recruitment technology operates under a growing web of regulations. Beyond GDPR, the EU AI Act now classifies AI in employment decisions as high-risk. Understanding these overlapping frameworks is critical.

9 min read