Secure Clinical Video for European Healthcare Institutions
For procurement and IT teams
March 2026
Videolab is a purpose-built, GDPR-compliant platform for video recording, sharing, and structured assessment in clinical skills training. Codific BV is a Belgian-registered software company and an EU-native data processor. The contracting institution acts as data controller; Codific acts as data processor under a signed Data Processing Agreement. All data remains within the institution’s dedicated instance, hosted on AWS infrastructure within the European Economic Area.
Compliance credentials
UK GDPR & Data Protection Act 2018
EU GDPR (Regulation 2016/679)
Codific operates as a data processor under Article 28.
Information Security
ISO/IEC 27001:2022
Certified October 2025
Third-party pentest early 2026: 0 critical, 0 high findings
Belgian Data Protection Authority (APD/GBA)
EU-native legal entity
Codific BV is registered under Belgian law and supervised by the Belgian Data Protection Authority. No data transfers outside the EEA.
Security Controls
NIS2 Directive Alignment
For digital service providers, including incident response, supply chain security, and vulnerability management.
Data security controls
AES-256 encryption at rest; TLS in transit with A+-grade SSL and HSTS
On-device video encryption within seconds of recording stop
Role-based access control (RBAC) across all functions
Automated retention and deletion — institution-configured at deployment
Institution-specific instances — no shared multi-tenant environment
AWS infrastructure · EU hosting region available
No advertising · No data monetisation · No third-party sharing
Data Processing Agreement signed with every institution per GDPR Article 28
Breach notification within 72 hours per UK GDPR Article 33
Sub-processor register maintained and disclosed on request
GDPR key articles — status
ARTICLE
REQUIREMENT
STATUS
Art. 5
Lawfulness, fairness, transparency
MET
Art. 13/14
Information obligations to data subjects
MET
Art. 17
Right to erasure
MET
Art. 20
Data portability
MET
Art. 24/25
Privacy by design and by default
MET
Art. 28
Data processor obligations
MET
Art. 32
Security of processing
MET
Art. 33
Breach notification (72-hour obligation)
MET
Art. 35
DPIA readiness and documentation
MET
Art. 44–49
No transfers outside the EEA
MET
Full GDPR compliance documentation with evidence references available on request.
Compliance enquiries
Supervisory authority
APD/GBA · Belgian Data Protection Authority
Platform
videolab.eu
Subprocessors
AWS EMEA SARL  · Codific Ltd. (BG102075166)