Flipbase

Developer docs

Security and data residency

Where videos are stored, how they are encrypted, who can access them, and what the legal contract covers.

Flipbase stores video moments on EU infrastructure. Data is encrypted in transit and at rest. Each customer's data sits in a logically isolated workspace tied to their organization id.

Hosting and residency

  • Video files, thumbnails, and metadata are stored on EU infrastructure.
  • Player playback is served via EU CDN edge nodes. Videos do not transit outside the EU.
  • Database metadata (status, duration, dimensions, candidate name if supplied) is held in the same EU region.

Procurement and security teams typically ask for the specific region, sub-processor list, and infrastructure provider. Those details are covered in the DPA below and in the Trust Pack available on request.

Read the Data Processor Agreement

Encryption

  • In transit: industry-standard TLS for all browser-to-Flipbase and partner-to-API traffic.
  • At rest: video files and metadata are encrypted on the underlying storage.
  • Player playback: signed URLs with short expiry (default 3600s). Direct file access without a current signed URL returns 403.

Access control

Collections (the grouping of videos in your account) can be set to secure_mode = true. Videos in a secure collection require a per-request signature to play, generated by your backend using your API secret. This is the recommended posture for any candidate-facing video.

API access is gated by an api_key + api_secret pair. Every authenticated request includes a signature derived from the secret, the request body, and a timestamp. See the API reference for the exact signing scheme.

Retention

Default retention is set per collection via delete_after_days. Videos older than the threshold are hard-deleted from object storage and removed from the database. You set the value, Flipbase honors it.

For GDPR right-to-erasure requests, a single API call deletes the video record and the underlying file. The deletion is irreversible and happens within minutes.

Legal contract

Flipbase signs a Data Processing Agreement with every customer before any production traffic. Standard contractual clauses and the sub-processor list are part of the agreement.

Read the full DPA:

Data processor agreement

What we don't do

  • We do not score, rank, or profile candidates. There is no AI evaluation layer on the platform.
  • We do not train AI models on customer videos.
  • We do not sell anonymised aggregates of candidate data.
  • We do not share video moments with anyone outside the customer's organization without an explicit signed authorization.

Ready to call the API?

The full reference is on Postman. To actually call it you need an api_key + api_secret + sandbox organization. Reply within one working day.

Open the API referenceRequest API credentials