Independent, self-managed infrastructure Read the production requirements

Data lifecycle

BigBlueButton recordings and privacy

The red recording indicator is only the visible part of the lifecycle. Responsible operation begins with what the server captures, continues through processing and publication, and ends only after verified deletion.

01 Capture Meeting media and events on the BBB node
02 Process Formats generated after the meeting
03 Publish Frontend or API exposes authorised playback
04 Retain / delete Policy applied to published and raw data
Treat recordings as a lifecycle with named owners at every stage.

Executive brief

What matters

  1. 01

    A recordable meeting may capture underlying media and events beyond the segments users see marked for publication.

  2. 02

    Publication status is not the same as access control, and deletion must cover every retained copy.

  3. 03

    Document purpose, notice, access, retention, legal basis and incident response before recording classes.

01

Understand capture and processing

BigBlueButton records events and media, then processes them into playback formats after a meeting. Official privacy guidance warns that when a meeting is created with recording enabled, the underlying session data may be captured even if a moderator marks only portions as recorded. That distinction should appear in user notices and administrator training.

02

Control publication and access

The BigBlueButton API can list, publish, unpublish, update and delete recordings. A frontend such as Moodle or Greenlight determines how users discover them. “Unpublished” generally controls visibility through that workflow; it should not be treated as encryption or proof that no operator can access stored files. Apply least privilege to API secrets, storage and administrative accounts.

03

Set retention by data class

Separate published playback, unpublished processed output, raw capture, backups and application metadata. Each can have a different technical cleanup path. Use configuration overrides that survive upgrades, monitor disk consumption and test deletion against backups and external storage. Legal holds need an explicit exception process.

04

Make consent and rights operational

Give notice before entry and again when recording starts where required. Provide a channel for access, correction or deletion requests under applicable law. Restrict downloads when the policy requires it, but be honest that authorised viewers may still capture content externally. Privacy is a governance system, not a single toggle.

Evidence base

Sources and further reading

We prefer project documentation and first-party product guidance. Community links are included where they reveal recurring operational questions rather than establish product guarantees.

  1. BigBlueButton privacy documentation (opens in a new tab)
  2. BigBlueButton recording architecture (opens in a new tab)
  3. BigBlueButton API recording methods (opens in a new tab)
  4. BigBlueButton customisation and retention settings (opens in a new tab)

Practical answers

Questions teams ask

Does pausing a BigBlueButton recording stop all server capture?

Do not assume that it does. Official privacy documentation explains that recordable meetings may capture underlying media and events for later processing. Validate the exact version and configuration.

Does deleting a recording remove every copy?

Only if your deletion procedure also addresses raw data, backups, exports, shared storage and any LMS or CDN copies. Test and document the result.

Can recordings be private?

They can be access-controlled through the surrounding application and infrastructure, but the operator must configure authentication, authorisation, storage permissions and retention correctly.