Security

Encryption

TLS 1.3 for all data in transit
AES-256-GCM encryption at rest via KMS envelope encryption
Each file encrypted with a unique Data Encryption Key (DEK) generated by AWS KMS
Master keys managed by AWS KMS — automatic annual rotation, full audit trail
Plaintext keys never written to disk or logs
Presigned URLs with time-limited access
API keys stored as SHA-256 hashes — plaintext never persisted
Webhook secrets hashed; signing uses HMAC-SHA256

Key Management (KMS)

Envelope encryption: KMS encrypts data keys, data keys encrypt content
Per-file unique DEKs — compromise of one file doesn't expose others
Automatic annual key rotation with zero downtime
All key operations logged in CloudTrail for compliance auditing
Enterprise: Customer-Managed Encryption Keys (CMEK) — bring your own KMS key ARN
Enterprise: Separate encryption keys per tenant for data isolation

Authentication & Access

Dual auth: JWT tokens (session) + API keys (machine-to-machine)
Granular permissions per API key (compress, read)
Per-key rate limiting (RPM configurable)
Key prefix identification (vd_live_ / vd_test_)
Soft revocation — revoked keys rejected instantly

Data Handling

Files auto-deleted after configurable retention period
Upload chunks cleaned up on completion or expiry
User data isolated — queries always scoped to authenticated user
No third-party analytics on uploaded content
Database connection pooling with SSL enforcement

Audit & Monitoring

Full audit log for all API key and webhook operations
Request ID tracking on every API call
Response timing headers for performance monitoring
Webhook delivery logs with retry history
Usage tracking by codec, period, and user

Incident Response

Incident Response Plan

Four-tier severity classification (P1–P4) with defined SLAs — P1 acknowledged in 15 minutes
72-hour breach notification aligned with GDPR Article 33 and CCPA requirements
Dedicated Incident Response Team: Incident Commander, Technical Lead, Communications Lead
Runbooks for data breach, DDoS, unauthorized access, and service outage scenarios
Blameless post-incident reviews within 48 hours of all P1/P2 incidents
Quarterly tabletop exercises and annual red team assessments

Full Incident Response Plan available under NDA. Contact security@viding.ai to request.

Sub-Processors

Sub-Processor List

VIDing.AI engages the following sub-processors to deliver our services. This list is maintained per GDPR Article 28 requirements and updated when changes occur.

Sub-Processor	Purpose	Location	Data Processed
Render Inc.	Application hosting, database, compute	USA (Oregon)	Video files, user accounts, job metadata
Cloudflare Inc.	CDN, R2 object storage, DDoS protection	Global (edge)	Video files (encrypted at rest)
Amazon Web Services	Key Management Service (KMS)	USA (selected region)	Encryption keys only (no video content)
Stripe Inc.	Payment processing	USA	Payment details (PCI DSS Level 1)

Customers are notified 30 days in advance of any sub-processor changes. Subscribe to updates at security@viding.ai.

Data Processing Agreement (DPA)

Standard Contractual Clauses (SCCs) for international data transfers
GDPR Article 28 compliant processor terms
Defines data categories, processing purposes, and retention periods
Includes technical and organizational security measures (TOMs)
Audit rights and sub-processor notification obligations

Request a pre-signed DPA at legal@viding.ai or contact your account manager. Enterprise customers receive a DPA as part of onboarding.

Data Residency

Regional Data Controls

Choose your data region: US-West (Oregon), US-East (Virginia), or EU-West (Frankfurt)
All video uploads, processing, and storage remain within your selected region
Region selection available in Account Settings — takes effect on next upload
Current region displayed on your dashboard for full transparency
Supports GDPR data localization requirements for EU customers

US-West

Oregon (us-west-2)

US-East

Virginia (us-east-1)

EU-West

Frankfurt (eu-central-1)

Compliance

SOC 2 Type II

Infrastructure hosted on SOC 2 compliant providers

GDPR

EU data processing with DPA available on request

CCPA

California Consumer Privacy Act compliance

BAA Available

Business Associate Agreements for enterprise plans