Platform overview

Everything you need to know about Gobi, in one place.

Below we've gathered the information we're typically asked about during procurement and vendor review — what the product does, how it's built, how data and security are handled, and what the commercial terms look like.

Whether you're evaluating the product as an HR or marketing lead, reviewing the technical stack as an IT or security reviewer, assessing vendor risk as part of a procurement or compliance workflow, or mapping commercial terms as a finance or legal contact — you'll find what you need below. Start from the beginning, or jump to the section relevant to your role.

GDPR-compliant · DPA available · WCAG 2.1 AA · No cookies in player · Norwegian company

At a glance

Gobi lets your employees show candidates what it's really like to work at your organisation — through video stories that are simple to record, feel authentic to the viewer, and still stay on-brand thanks to our approach.

The stories are published through our own video player, embedded directly on career pages and job listings.

The value lies in the combination: we remove the barriers to producing real employee video (no film crew, no studio, no editing skills) and we integrate with the tools recruiters already use, so content appears exactly where candidates are.

The player is fully GDPR-compliant and loads independently of visitors' cookie choices, meeting Norwegian and European requirements. That's why Gobi has become the clear first choice for Nordic organisations.

Examples

See Gobi Stories in action

Here's how video stories look when published with Gobi Player — embedded directly on your website, using real content shared on the platform.

Circles in a row, like stories on Instagram. Perfect for career pages and job listings.

Cards with previews. Great for grids and content-rich pages.

1. About the company

Gobi Stories AS is a Norwegian video technology company building tools for employer branding and recruitment. Oslo-based, profitable, and backed by Norwegian investors, we work with more than 100 Nordic organizations.

Organization number: 915 752 381
Founded: 2015
Headquarters: Oslo, Norway
Company type: Norwegian private limited company (AS)
Profitability: Profitable
Funding: Over NOK 30M raised from Norwegian investors
Governing law: Norwegian law, Oslo District Court
Customers: 100+ Nordic organizations including DNB, Widerøe, NTNU, Hafslund and Deloitte

2. Product

Gobi is a video platform purpose-built for recruitment and employer branding. It lets your organization produce authentic employee stories at scale, manage them centrally, and distribute them where candidates spend time — with compliance built in by default.

What Gobi does

Gobi gives you two ways to create employee videos for your recruitment and employer branding work — matched to how much work you want to do — and then makes it easy to manage, distribute and reuse the content across your channels.

  • Let Gobi do it. With Autopilot, you order stories from the relevant employees. We agree a time to interview each of them, they film themselves on their own phone while being guided through the process, and we edit the footage and add your branding before delivering the finished stories.
  • Or produce them with your employees. Gobi Studio is a guided editing suite where your team films, edits and publishes stories featuring the relevant employees. Built around a "can't fail" principle — anyone without prior video experience can produce polished, GDPR- and WCAG-compliant videos.

Once content is ready, it's managed centrally from Gobi Studio. Publish through Gobi Player on career pages, job listings and ATS integrations, and track performance with built-in analytics. The same stories can also be exported for use on social media channels such as LinkedIn, Instagram and Snapchat, where the vertical format fits natively (analytics apply to Gobi Player views only).

The three modules

Gobi Autopilot

End-to-end story production. You order stories from relevant employees; we schedule the interviews, guide them as they record on their own phone, then edit the footage and add your branding. You get ready-to-publish stories without touching a timeline.

Gobi Studio

A guided editing suite plus a central workspace. Designed so anyone without prior video experience can produce polished, GDPR- and WCAG-compliant videos. Your brand (logo, colors and fonts) is applied automatically, so everything stays consistent with your company's visual identity — and you manage and publish from one place.

Gobi Player

Mobile-first video player built for the vertical story format candidates are used to from social media. Purpose-built for recruitment, with out-of-the-box integrations to the CMS platforms and ATS systems recruitment teams rely on to distribute content.

Built compliance-first

Gobi is designed so your compliance work doesn't grow when you add Gobi:

  • The Player does not use cookies or store personal data in the viewer's browser — it does not need to be added to your cookie consent banner or privacy policy.
  • Videos are captioned automatically and meet WCAG 2.1 AA.
  • A ready-to-sign Data Processing Agreement (GDPR Art. 28) is available at gobistories.com/dpa.
  • We are transparent about sub-processors, data locations and international transfer mechanisms.

Details are in sections 4 Security and 5 Privacy & data protection.

Typical use cases

  • Career pages and employer branding: authentic employee stories as part of your recruitment front door.
  • Job listings: role-specific stories embedded in individual ads so candidates hear from the people they'd be working with.
  • Social media reuse: export the same content for LinkedIn, Instagram and Snapchat — one story, many channels.
  • Internal communication: CEO or leadership updates, onboarding materials, cross-team announcements.

Who uses it

Primarily HR, recruitment and employer branding teams. Individual users include recruiters, hiring managers, communications staff, and — through Autopilot — the employees who appear in the videos.

3. Technical implementation

Gobi is a modern SaaS platform built on Google Cloud and Supabase, delivered over standard HTTPS, with flexible integration options that slot into most existing ATS and CMS setups.

Architecture at a glance

Hosting and data storage

Gobi Studio and Gobi Player: Google Cloud Platform (GCP), EU region. Encrypted at rest using Google-managed keys (Cloud KMS).

Gobi Autopilot: Supabase (EU: eu-west-1 / eu-central-1), with Vercel for application hosting.

Video delivery: Cloudinary, which operates globally and delivers content from the closest edge. The only personal data Cloudinary processes in this flow is the end user's IP address, needed to deliver the video to the viewer's browser. Transfer is covered by the EU-U.S. Data Privacy Framework, supplemented by appropriate technical and organizational safeguards (encryption in transit and at rest, logical separation). A Transfer Impact Assessment (TIA) has been performed and is available for customers who need it.

Integrations

Gobi integrates with the systems where candidates and recruiters already spend time. Ready-made integrations cover the most common ATS and CMS platforms out of the box — and for any system that isn't on the list, you can either build a simple integration or paste the embed code directly into the page, the same way you would with any other video solution.

Applicant Tracking Systems (ATS)

Ready-made: Teamtailor, Jobylon, Webcruiter, Jobbnorge, Reachmee, Nuu, Onecruiter, SAP SuccessFactors, Headly, and more.

Websites and CMS

Ready-made: WordPress, Webflow, Optimizely, HubSpot Websites, Enonic, Squarespace and custom HTML pages. For systems like Sanity, Episerver, Drupal or Umbraco, you can either build a simple integration (typically 4–8 dev hours) or paste the embed code directly into your template.

Embed and performance

  • Single embed tag, asynchronous, non-blocking.
  • Responsive, mobile-first (67% of career-page traffic is mobile).
  • No iframes, no heavy frameworks loaded on your page.
  • Custom branding (logo, colors, fonts) applied server-side.
  • ShadowDOM isolation by default; can be disabled for CSS customization.

No cookies. No consent banner needed on your site.

The Gobi Player does not set cookies or store personal data in the viewer's browser. It does not need to be included in your site's cookie consent or privacy policy, and it does not change your cookie-banner obligations. This removes a recurring compliance task for Customers who embed the player on career pages or job listings.

Supported file types and limits

All formats supported by Cloudinary. Individual file size up to 2 GB. Video is transcoded automatically to web-optimized formats (SDR; HDR input is converted).

Browser and device support

All modern browsers (Chrome, Safari, Firefox, Edge) on desktop and mobile. The player is designed for mobile-first delivery.

APIs and custom integrations

API access and custom integration support are available on the Enterprise plan. Our integration guides at gobistories.com/integration-guides describe how to build a Gobi integration for systems not yet covered out of the box.

4. Security

Gobi is built on principles of least privilege, strong encryption and continuous verification. Data is encrypted in transit and at rest, access is tightly controlled, and our development process integrates automated security checks.

Encryption

In transit: TLS (HTTPS) on all traffic.

At rest: Encrypted by our cloud providers using industry-standard algorithms and managed cryptographic keys. Google Cloud KMS follows recognized standards including FIPS 140-2.

Secrets: API keys and third-party credentials stored in Google Secret Manager. No credentials in source code.

Passwords: Hashed using industry-standard algorithms. Never stored in plaintext.

Access control

  • Only authorized Gobi staff have access to production systems, each with a signed confidentiality agreement.
  • Access is granted on the principle of least privilege — access is limited to what is needed to provide, support and improve the Service.
  • Role-based access controls within the platform separate Customer organizations from one another.
  • Two-factor authentication (2FA) is supported for Customer users in Gobi Studio.
  • Access changes are logged and reviewed.

Secure software development

  • SAST and dependency scanning: Continuous scanning of source code and third-party dependencies using Snyk.
  • Code review: All changes are subject to peer review before merging to production.
  • OWASP: We follow industry guidance such as the OWASP Top 10 in our development practices.

Backup and recovery

  • Gobi Studio and Gobi Player: Daily scheduled backups via Google Cloud; additional manual backups before significant data migrations.
  • Gobi Autopilot: Supabase Pro, which includes daily automated backups with 7-day retention.
  • On deletion, data is removed from active storage; backup copies are purged in line with the applicable retention window.

Certifications and third-party testing

Status: Gobi is not currently ISO 27001 or SOC 2 certified, and we don't commission regular third-party penetration tests.

This is a deliberate product decision. The data we actually handle is low-sensitivity: employee videos that are created to be published on our customers' public websites. We weighed this against the time, cost and operational overhead formal certification requires, and concluded that our customers are better served by investing in the controls that actually affect the risk profile of that data — strong encryption, principle of least privilege, automated vulnerability and dependency scanning, peer code review, and managed cloud infrastructure — rather than in certification that wouldn't meaningfully change it.

We reassess this regularly as the product grows. Customers with specific certification requirements are welcome to raise this as part of their procurement process.

Incident response

In the event of a security incident or personal data breach, Gobi notifies affected Customers without undue delay, providing the information needed for the Customer to meet its own notification obligations under GDPR article 33. For breaches likely to result in a high risk to a data subject's rights, Gobi will also notify affected data subjects where required under GDPR article 34.

5. Privacy & data protection

Gobi is built to make GDPR compliance simple for our Customers. We process minimal personal data, are transparent about what we do with it, and offer clear contractual commitments through our Data Processing Agreement.

Our roles per module

Scenario | Data controller | Gobi's role
Content uploaded to Gobi Studio | Customer | Data processor
Recordings collected through Gobi Autopilot | Customer | Data processor
End user connection data via Gobi Player | Website operator | Data processor
Account and billing data for Customer | Gobi | Data controller

Data categories we process

  • Studio: Name, email, hashed password, uploaded content (video, images, text), billing details, usage analytics.
  • Autopilot: Name, email, video recording, acceptance of notice, consent to content use (with version and timestamp for audit), technical metadata for error reporting.
  • Player: IP address and connection information of end users, solely for delivery. Aggregated, anonymous viewing analytics.

Retention

  • Content in Gobi Studio: until deletion by the Customer + up to 30 days in backups.
  • Autopilot recordings: until deletion + up to 7 days in Supabase backups.
  • Billing records: active customer relationship + 5 years (Norwegian Bookkeeping Act).

International transfers

Most data is stored within the EU/EEA. Where personal data is transferred outside the EU/EEA (primarily to U.S. sub-processors), the transfer is covered by the EU-U.S. Data Privacy Framework — the European Commission's adequacy decision adopted on 10 July 2023 and effective from 10 October 2023 — supplemented by appropriate technical and organizational safeguards (encryption in transit and at rest, logical separation). All of our current U.S.-based sub-processors are active participants in the EU-U.S. DPF; the specific transfer basis for each provider is documented on our sub-processors page.

Cloudinary in particular

Cloudinary — our video delivery sub-processor — is the only third-country transfer that touches end-user data. The only personal data Cloudinary processes is the IP address needed to deliver video content to the viewer's browser; it is not stored or used for any other purpose. The transfer is covered by the EU-U.S. Data Privacy Framework, supplemented by encryption in transit and at rest.

A Transfer Impact Assessment (TIA) for Cloudinary is available for customers who need it as part of their own DPIA or ROS.

↓ Download the Cloudinary TIA (PDF)

A complete, up-to-date list of sub-processors with their locations and transfer mechanisms is available at gobistories.com/sub-processors.

Data subject rights

Individuals have the right under GDPR to request access, rectification, erasure, restriction, portability, and to object to processing. Requests can be sent to contact@gobistories.com. Where Gobi processes data on behalf of a Customer, the request is forwarded to the Customer as the controller.

Data Processing Agreement

A ready-made DPA compliant with GDPR article 28 is available for all Customers at gobistories.com/dpa, including a pre-signed PDF version that Customers can countersign.

6. Business continuity & risk

We design for resilience through managed infrastructure, redundant storage, and clear recovery processes. We're also honest about our dependencies and about what is and isn't guaranteed today.

Availability

Gobi targets high availability through managed cloud infrastructure (Google Cloud, Supabase, Cloudinary). The Distribution Tool (Gobi Player) is designed to fail gracefully — if our service is momentarily unavailable, the rest of your website continues to function and the player recovers automatically when the service returns.

Formal uptime commitments (SLA) are available on the Enterprise plan upon request.

Key dependencies

Our most important third-party dependencies are:

  • Google Cloud — primary storage and compute for Studio and Player.
  • Cloudinary — video processing and delivery.

Both are established, widely used infrastructure providers with their own strong availability guarantees.

Disaster recovery

Customer content and account data are backed up daily. In the event of a major incident, recovery is performed by our team from the most recent backup. Recovery time and recovery point targets are available on request for Enterprise customers.

Incident response

Security and privacy incidents are handled by the Gobi team with defined escalation paths. Customers are notified as described in the Security section above and in our DPA.

7. Accessibility

Gobi is designed to meet WCAG 2.1 AA. The player supports captions, keyboard navigation and screen readers, so everyone can experience the content.

Features

  • Captions: Automatically generated for all videos; editable by the Customer.
  • Keyboard navigation: Full control via keyboard.
  • Screen reader support: Proper semantic markup and ARIA attributes.
  • Color contrast: Our defaults meet WCAG AA contrast ratios. Customers can apply their own branding; responsibility for the final contrast of customer-chosen colors rests with the customer.
  • No autoplay with sound while scrolling: Videos never start with sound when a visitor is simply scrolling past the player. Sound is played only after the visitor actively opens a story — which makes the experience feel deliberate rather than intrusive, while still giving a full, engaging playback the moment they choose to watch.

Testing and statement

We test regularly using automated tools (WAVE, axe) and have an accessibility statement in line with Norwegian and EU accessibility legislation (the Equality and Anti-Discrimination Act and the EAA).

8. Commercial terms

Transparent B2B pricing, annual billing in advance, Norwegian VAT handling including EHF invoicing, and flexibility to grow or exit without friction.

Plans and pricing

Plan | Stories | Monthly price* | Support and onboarding
Starter | 5 | NOK 1,990 | Email support, onboarding
Premium | 30 | NOK 3,990 | Email + chat support, onboarding
Enterprise | Unlimited | NOK 7,990 | Dedicated customer success, extended onboarding, SLA (upon request), API, white-label

* Prices are excluding VAT and based on annual billing. Monthly billing is available at a 20% premium. Current pricing is at gobistories.com/pricing.

What "number of stories" means

The number of stories defines how many published stories the Customer may hold in its library at any time. Each published story may be embedded on any number of job listings, career pages or other pages at the Customer's discretion.

Billing and payment

  • Invoiced annually in advance. Payment terms: 14 days from invoice date.
  • Prices are exclusive of VAT. Norwegian VAT is added where applicable.
  • EHF (Elektronisk Handelsformat) invoicing is supported.
  • Late payments incur interest under the Norwegian Late Payment Interest Act.

Contract term and cancellation

  • Initial term: 12 months, auto-renewing for equivalent periods.
  • Annual subscriptions: cancel with at least 90 days' written notice before renewal.
  • Monthly subscriptions: cancel at any time, effective end of current month.
  • Price changes on renewal require at least 90 days' advance written notice.

Data at termination

Customer Content can be exported at any time during the subscription. On termination, the Customer may choose deletion or extended retention under a separately agreed fee. Full details in the Terms of Service and DPA.

9. Onboarding & support

Fast onboarding, clear support channels, and documentation designed so your team can self-serve without waiting on a helpdesk.

Onboarding

Starter and Premium include a structured onboarding session where we walk through the platform, integrations and the best practices we've seen across 100+ Nordic customers. Enterprise customers receive extended onboarding tailored to their environment, including integration support and brand setup.

Support

Email and chat

Support via contact@gobistories.com (response within one business day) and in-product chat (typical response within 1–2 minutes during working hours).

Documentation

Integration guides, story production guides and troubleshooting at gobistories.com/documentation.

Dedicated support (Enterprise)

Enterprise customers get a dedicated customer success contact, quarterly business reviews to optimize content performance, extended onboarding and an SLA (upon request).

10. Frequently asked questions

The questions we get most often during security and procurement reviews. If yours isn't here, send it to contact@gobistories.com and we'll add it.

Security and compliance

Is Gobi ISO 27001 or SOC 2 certified?

No. We are not currently ISO 27001 or SOC 2 certified. We have prioritized strong technical controls (encryption, access control, secure development, logging) over formal certification in our current stage. Customers with specific certification requirements are welcome to discuss alternatives during procurement.

How do you handle security during development (OWASP Top 10, SAST/DAST, code review)?

We use Snyk for SAST and third-party dependency scanning on all code. All changes are subject to peer code review before reaching production. We follow industry guidance such as the OWASP Top 10 in our development practices. We apply the principle of least privilege to our resources and data access, and we handle as little sensitive data as we can.

How does Gobi encrypt data?

All personal data is encrypted in transit using TLS (HTTPS). All personal data is encrypted at rest by our cloud providers using industry-standard algorithms and managed cryptographic keys — including keys managed by Google Cloud KMS, which follows recognized standards such as FIPS 140-2.

Do you perform third-party penetration tests?

Not at the moment. Our continuous scanning with Snyk covers dependency vulnerabilities and SAST, and we follow secure development practices including code review. Enterprise customers with specific pentest requirements can discuss this during procurement.

What's your backup strategy?

Gobi Studio and Gobi Player run daily scheduled backups via Google Cloud, with additional manual backups before significant data migrations. Gobi Autopilot uses Supabase Pro, which includes daily automated backups with 7-day retention.

How are encryption keys managed?

We use Google Cloud managed encryption keys (Google-managed keys). Google handles secure management, rotation and protection of keys. Google Secret Manager is used for API keys and third-party credentials. Internally we apply the principle of least privilege for access to keys and secrets. Key management follows recognized standards including FIPS 140-2 where applicable.

Privacy and GDPR

Who is the controller and who is the processor?

For content uploaded to Gobi Studio, recordings collected through Gobi Autopilot and end-user data processed by Gobi Player, you (or the operator of the website embedding the player) are the controller and Gobi is the processor — this is governed by our DPA. For your account and billing data, Gobi is the controller, governed by our Privacy Policy.

Where is data stored?

Most data is stored in the EU. Gobi Studio and Gobi Player data is in Google Cloud (EU). Autopilot data is in Supabase (eu-west-1 and eu-central-1). Video delivery uses Cloudinary, which may serve content from U.S. edges — this transfer is covered by the EU-U.S. Data Privacy Framework. A full list with transfer mechanisms is at gobistories.com/sub-processors.

What sub-processors do you use?

Our sub-processors span hosting, storage, email, CRM, analytics, support and invoicing. The live list — with purpose, data categories, location, transfer basis and Gobi's role (processor or controller) for each provider — is maintained at gobistories.com/sub-processors. We give 30 days' written notice before adding or changing sub-processors that process Customer personal data, per our DPA.

How do you notify us of data breaches?

Without undue delay after becoming aware. We provide the information needed for you to meet your own notification obligations under GDPR article 33 (72 hours to the supervisory authority). Where Gobi is controller, we also notify affected data subjects under article 34 where required.

How do employees give consent to be filmed?

Through Gobi Autopilot, each employee accepts the privacy policy before they can submit a recording. In addition, they go through a separate consent step for the use of their recording before the video is uploaded — this consent is stored together with the clip. Employees can easily withdraw consent afterwards.

Product and integrations

Can I share stories on my website / CMS / ATS?

Yes. The Gobi Player embeds with a single script tag on most websites and CMS platforms, and works out of the box with a long list of ATS providers. Custom integrations for less-common systems typically take 4–8 dev hours.

What file types and size limits apply?

All formats supported by Cloudinary. Individual files up to 2 GB. Video is transcoded automatically to web-optimized formats. HDR input is converted to SDR.

Can I customize branding?

Yes. Custom branding (logo, colors, fonts) is included on Starter, Premium and Enterprise. White-label (removing Gobi branding from the player) is included on Enterprise or available as an add-on on other plans.

Commercial

How does billing work in Norway?

Annual invoicing in advance, 14-day payment terms, prices excluding VAT. We support EHF (Elektronisk Handelsformat) invoicing. Norwegian VAT is added where applicable.

What happens to our data when we cancel?

Your content can be exported at any time during the subscription. On termination you can choose deletion (data removed from active systems; backups purged in line with retention windows) or extended retention at an agreed fee. Billing records are retained for the period required under the Norwegian Bookkeeping Act (5 years).

Is there a free trial or free plan?

Yes. The Free plan (2 stories) lets you try the platform with full access to Studio, Autopilot and Player. Only one free account per legal entity. See gobistories.com/pricing.

Is there a lock-in period?

No. The initial term is 12 months, auto-renewing for equivalent periods, and you can cancel with 90 days' written notice before each renewal. You keep access through the end of the period you've paid for.

11. Reference documents

All the legal and operational documents you may need during review, in one place.

Data Processing Agreement (DPA)

gobistories.com/dpa

Sub-processors List

gobistories.com/sub-processors

Still have questions?

We'd rather answer them directly than have you guess. Reach us at contact@gobistories.com — questions from security, legal, procurement or IT teams are all welcome.