Secure Clinical Video for US Healthcare & Medical Education Institutions
For healthcare and university procurement teams
July 2026
Videolab is a purpose-built platform for video recording, sharing, and structured assessment in clinical skills training. Codific BV is a Belgian-registered software company with no US establishment. Where Videolab is used to create, receive, maintain, or transmit protected health information (PHI), the contracting institution acts as Covered Entity and Codific acts as Business Associate under a signed Business Associate Agreement (BAA). Data hosting jurisdiction, including US-based AWS regions, is confirmed with each institution individually before go-live.
Compliance credentials
HIPAA / HITECH
Business Associate Agreement (BAA)
Available for execution with every US institution, covering the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164)
Information Security
ISO/IEC 27001:2022
Certified October 2025
Third-party pentest early 2026: 0 critical, 0 high findings
Data Hosting & Residency
AWS infrastructure, US-based regions available
Hosting jurisdiction fixed per institution in the BAA before execution
Security Controls
NIS2 Directive Alignment
For digital service providers, including incident response, supply chain security, and vulnerability management.
Data security controls
AES-256 encryption at rest; TLS in transit with A+-grade SSL and HSTS
On-device video encryption within seconds of recording completion
Multi-factor authentication (MFA) across all platform access
Role-based access control (RBAC) — users access only the PHI necessary for their role
Full audit log with 3-month retention, recording access to and actions taken on PHI
Dedicated, institution-specific server instances — no shared multi-tenant environment
Automated retention and deletion at institution-defined intervals; two-man rule for any glass-break master key access
Annual third-party penetration testing and continuous internal red-team review
Web application firewall (Codific Secure Patrol) with AI-assisted and human-monitored threat detection
Real-time platform monitoring (Codana) with immediate internal alerting on anomalous activity
No advertising · No data monetisation · No third-party sharing
Business Associate Agreement available for every US institution
Breach notification within 60 calendar days, per HIPAA/HITECH (45 CFR §164.410)
GDPR key articles — status
AREA
CONTROL
STATUS
Security Rule
Administrative, physical & technical safeguards (45 CFR 164 Subpart C)
MET
Encryption
AES-256 at rest; TLS/A+ SSL in transit
MET
Access Control
MFA + RBAC on all platform access
MET
Audit Controls
Full audit logging, 3-month retention
MET
Breach Notification
≤60-day notification per 45 CFR 164.410
MET
Minimum Necessary
Access limited to role-necessary PHI (45 CFR 164.514(d))
MET
Individual Rights Support
PHI access, amendment & accounting of disclosures (45 CFR 164.524/526/528)
MET
Subcontractor Flow-Down
Subcontractor BAAs per 45 CFR 164.308(b)(3)
MET
Data Hosting Jurisdiction
Configurable per institution, including US-based AWS regions
CONFIGURABLE
BAA Execution
Available for every contracting US institution
ON REQUEST
Full Business Associate Agreement, with Schedule A for hosting jurisdiction and deployment details, available on request.
Compliance enquiries
Supervisory authority
APD/GBA · Belgian Data Protection Authority
Platform
videolab.eu
Subprocessors
AWS EMEA SARL  · Codific Ltd. (BG102075166)
