Video Data Is High-Value, High-Risk
Video interview recordings contain some of the most sensitive candidate data: faces, voices, body language, and often environmental context. A single breach can expose thousands of candidates and trigger GDPR fines up to EUR 20 million. The category is growing fast: USD 511 million in 2024 heading to USD 1.33 billion by 2035 at 9.2% CAGR (OMR Global, 2025). More attackers are paying attention, which makes architecture a competitive issue.
Encryption: The Non-Negotiable Foundation
Data in Transit
All video data transmitted between the candidate’s browser and the platform must use TLS 1.3 (or at minimum TLS 1.2). TLS 1.3 reduces handshake latency and eliminates legacy cipher suites vulnerable to attacks like BEAST and POODLE. Ensure your platform enforces HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.
Data at Rest
Stored video recordings should be encrypted using AES-256, the standard recommended by NIST and adopted by financial institutions worldwide. Key management is equally important:
- Use a dedicated Key Management Service (KMS) such as AWS KMS or Azure Key Vault
- Rotate encryption keys on a defined schedule (90 days is a common benchmark)
- Implement envelope encryption: data keys encrypt the video, and a master key encrypts the data keys
Storage Architecture
Where and how video data is stored matters as much as how it is encrypted:
- EU-based data centres: For GDPR compliance, ensure video data never leaves the EU/EEA. This eliminates the need for international transfer mechanisms like SCCs.
- Object storage with versioning disabled: Use object storage (e.g., S3-compatible) with versioning turned off to ensure deleted data is truly deleted.
- Separate storage for different data types: Video recordings, transcripts, and evaluation data should be stored in separate, access-controlled buckets.
- Signed URLs with short expiry: Never expose permanent URLs to video content. Use pre-signed URLs that expire within minutes.
Access Controls
Robust access controls prevent insider threats and limit blast radius:
- Role-based access control (RBAC): Only hiring managers for a specific role should access that role’s recordings.
- Multi-factor authentication (MFA): Require MFA for all admin and recruiter accounts.
- Audit logging: Record every access to video data, who, when, from where, and what action they took.
- Principle of least privilege: Default to no access; grant only what is needed.
Infrastructure Security
Beyond application-level security, the underlying infrastructure must be hardened:
- Regular penetration testing (at least annually, ideally quarterly)
- Vulnerability scanning of all dependencies
- DDoS protection for candidate-facing endpoints
- Network segmentation to isolate video processing services
- Incident response plan with defined RTOs and RPOs
StormInterview’s Security Architecture
StormInterview encrypts all data with AES-256 at rest and TLS 1.3 in transit. All infrastructure is hosted in EU data centres. RBAC, MFA, audit logging, and automatic retention-based deletion are included in every plan starting at €79/month. Annual penetration tests are conducted by independent third parties.