Tutorials

Your AI Video Vendor Passed the Demo. Will It Pass Security Review?

A polished AI-video demo does not answer procurement's questions about data flow, retention, deletion, model training, subprocessors, encryption, access controls, incident response, residency, or contracts. Use this evidence-led checklist to evaluate any AI video vendor—and to separate what Golpo documents publicly from what still requires vendor confirmation.

Mira Chen8 min read
A polished AI video demo approaching an enterprise security checkpoint with a shield, evidence folder, and procurement checklist

The demo answers whether an AI video tool can turn your material into a useful video. Security review asks a different question: what happens to the material before, during, and after that render? A policy document, unreleased product brief, customer recording, executive narration, or employee-training script can contain information the organization is not allowed to treat casually.

Mira ChenMira ChenProduct marketing lead at Golpo AI covering AI video tooling for technical audiences.Published July 17, 2026

A responsible review separates published evidence, contractual commitments, customer configuration, and unanswered questions. A feature page is not an audit report. Encryption in transit does not answer retention. A soft-delete endpoint does not explain backups. A privacy policy does not establish SOC 2, HIPAA, Section 508, GDPR compliance for every use, or any other certification.

This checklist can be used for any AI video vendor. The Golpo section deliberately reports only what current public pages support and labels the rest as questions for the vendor.

Start with a data-flow diagram, not a questionnaire

Draw the actual proposed workflow:

source system → customer automation → vendor upload/storage
→ extraction and generation services → generated media
→ customer storage → LMS/help center/portal → end user

Annotate each boundary with data types, identities, regions, encryption, retention, and subprocessors. Include source documents, prompts, extracted text, scripts, narration, uploaded media, generated frames, final video, metadata, API logs, analytics, and support access. A generic vendor answer becomes testable only when mapped to the data you intend to send.

1. Data classification and allowed use

  • Which classifications may be uploaded: public, internal, confidential, restricted?
  • Are personal data, customer data, employee data, health data, financial data, source code, or secrets prohibited?
  • Who approves an exception?
  • Can the workflow redact or tokenize sensitive fields before upload?
  • Does the vendor contract restrict use of customer content to delivering the service?
  • Does any product-improvement clause include model training, human review, or evaluation?

Do not approve the tool for “company data” as one category. A marketing blog and an incident-response runbook have different risk.

2. Collection, purpose, and ownership

Request an inventory of what the service collects and why. Distinguish account and billing data from uploaded content and generated artifacts. Confirm ownership of inputs and outputs, the license granted to the vendor, and whether the vendor can use content for service improvement, analytics, safety review, or model development.

Ask how these commitments differ by free, paid, API, enterprise, and integration surfaces. A policy that applies to the main application may not fully describe an Atlassian app, API upload flow, or third-party model.

3. Retention and deletion

“We delete your files” is not specific enough. Ask separately about:

  • Original uploaded files.
  • Extracted text and intermediate scripts.
  • Uploaded voices, audio, video, images, and logos.
  • Generated frames, audio, podcasts, and final videos.
  • Application databases and object storage.
  • Logs, analytics, support tickets, and diagnostic copies.
  • Backups, replication, caches, and subprocessor copies.

For each, record the default retention period, configurable options, deletion trigger, backup-aging period, legal-hold behavior, and evidence of completion. Determine whether API delete means soft delete, hard delete, visibility change, or only removal from the application.

4. Subprocessors and AI model providers

Request the current subprocessor list, purpose, processing location, data categories, transfer mechanism, and notification process for changes. Ask which AI models receive prompts, source text, images, voice, or video and whether providers retain inputs or outputs. Contractual flow-down matters: the primary vendor's promise is incomplete if a subprocessor has broader rights.

5. Encryption and key management

  • Is transport protected for browser, API, upload, storage, and delivery paths?
  • Which stored data is encrypted and with what service?
  • Who controls and rotates keys?
  • Are tenant keys separated or shared?
  • Are backups and logs encrypted?
  • Is customer-managed key support available if required?

Do not accept “industry-standard encryption” without scope and evidence.

6. Identity, access, and tenant separation

Evaluate SSO, MFA, SCIM, roles, least privilege, workspace separation, session controls, API-key scope and rotation, service accounts, offboarding, privileged support access, break-glass procedures, and auditability. For API use, ensure keys remain server-side and that logs never capture them.

Ask how the platform prevents one tenant from reading another tenant's source, job metadata, or media URL. Confirm whether generated links are public, private, signed, or guessable and how visibility settings interact with external storage.

7. Logging, monitoring, and incident response

  • Which administrator and user actions are logged?
  • Can customers export audit events?
  • How long are audit records retained?
  • What security monitoring covers uploads, access, model calls, and downloads?
  • What is the incident-notification commitment?
  • Which support and forensic processes may access customer content?
  • How are vulnerabilities reported, triaged, and remediated?

Determine where account data, uploaded content, intermediate data, generated media, logs, backups, and subprocessors are located. Request the DPA, transfer terms, service agreement, security exhibit, breach language, deletion commitments, confidentiality terms, audit rights, insurance, liability terms, and order-of-precedence rules.

“GDPR-ready” or “compliant” marketing language is not a substitute for establishing roles, lawful basis, instructions, data-subject processes, transfers, and contractual commitments for the actual use case.

9. Business continuity and exit

  • Published uptime target and support escalation.
  • Backup and disaster-recovery objectives.
  • Export formats for videos, scripts, and metadata.
  • How customers retrieve assets before termination.
  • Deletion timing after termination.
  • How production continues if the service or API is unavailable.

A good architecture stores approved outputs and provenance in customer-controlled systems rather than making a generation service the only archive. See the enterprise automation architecture for that boundary.

What Golpo documents publicly—and what buyers should still ask

TopicCurrent public evidenceProcurement follow-up
Privacy data categoriesThe Golpo privacy policy lists personal, device, cookie, approximate geolocation, and analytics data and describes service-provider sharing.Request a service-specific data inventory covering uploaded and generated content.
Content ownership and licenseThe terms state that users retain original-content ownership and grant a limited license to process content to operate, maintain, and improve the services, subject to the privacy policy.Clarify model-training use, evaluation, human access, and enterprise contract overrides in writing.
Transport and API authenticationAPI v2 documentation requires HTTPS and x-api-key authentication.Request at-rest encryption, key management, API-key scope, rotation, and audit evidence.
Uploaded API documentsThe current v2 endpoint reference says uploaded document URLs are single-use and the document is deleted from that storage after text extraction.Ask about extracted text, temporary files, logs, backups, generated assets, and other upload types.
API deletionAPI v2 documents DELETE as soft delete.Ask what remains, for how long, in which systems, and how hard deletion is requested and verified.
Atlassian contentThe Golpo Jira/Confluence guide links to app policies and states that selected issue/page content is not retained beyond rendering.Verify the current app policy, hosting, scopes, subprocessors, and whether the statement applies only to Atlassian workflows.
Certifications and auditsThe public pages reviewed for this article do not state SOC 2, HIPAA, ISO 27001, or another security certification.Request current evidence; treat absence of a public claim as unknown, not failure or certification.
Residency, audit logs, SSO, SCIM, incident SLANot established by the public pages reviewed for this article.Ask the vendor and require applicable commitments in the order form or security exhibit.

This table is not a permanent representation of Golpo's controls. Public documentation and private enterprise evidence can change. Re-verify it during each procurement cycle.

A practical decision record

For every finding, record: requirement, evidence link or document, evidence date, scope, owner, risk, compensating control, decision, contract reference, and re-review date. Use four findings rather than yes/no:

  • Verified: evidence directly supports the scoped requirement.
  • Partially verified: evidence covers only part of the data or service.
  • Open: the vendor must answer or provide evidence.
  • Not acceptable: the requirement is unmet and no approved control exists.

FAQ

Does a privacy policy prove enterprise security?

No. It is one source. A review also needs scoped architecture, controls, evidence, retention, deletion, subprocessors, incidents, access, contracts, and customer configuration.

Is Golpo SOC 2 certified?

The public Golpo pages reviewed for this guide do not state that certification. Ask Golpo for current evidence and do not infer status from features or marketing.

Does Golpo train models on customer content?

The public terms provide a limited service license but the reviewed pages do not establish a sufficiently specific universal model-training commitment. Request a written answer and applicable contract language.

What should deletion review cover?

Sources, extracted text, scripts, audio, images, video, generated media, logs, backups, support copies, caches, and subprocessors—each with timing, triggers, and verification.

Does completing this checklist prove compliance?

No. It organizes due diligence. The decision depends on applicable law and contracts, the use case, configuration, evidence, and qualified review.

Need to map security controls onto an API workflow? Use the document-to-video pipeline guide and the API access guide.

Request current Golpo security and procurement information · Book an enterprise workflow discussion