Yet Another GDPR Blog Post!

TL;DR

• We care deeply about the privacy and protection of data.
• Cloudinary is ready for GDPR
• We have updated our Privacy Policy ✅, we participate in the EU-US Privacy Shield ✅and have a DPA (Data Protection Agreements) available ✅, and implemented many new internal procedures ✅
• We also have new features for data flexibility: more backup targets, different image processing data centers and CDN control.
• We are committed to a higher standard for integrity – we already publish all service disruptions, participate in a security bug bounty program and support Server-Timing.
• Our business is based on paid usage, not on selling personal data.

Yay! We’ve done it! Gold-Star for us! We’ve talked with all the people, made all the changes, paid all the lawyers and checked all the boxes. GDPR? ✅Done!

Not so fast. Of course, conforming to the GDPR regulations introduced in Europe is just the beginning. This is a process and a state of mind that must become part of our long-term cultural ethos.

I’m happy to announce that, like many companies, Cloudinary is GDPR ready! We take data privacy and data security very seriously. Last year, we shared with your our GDPR plans. We are now on the other side. We have spent thousands of hours and thousands of dollars reviewing policies, reviewing architectures, making changes to our privacy policy, building new features, talking with lawyers, talking some more with lawyers, debating internally amongst ourselves and enhancing our services.

As we went through this process, we realized that it isn’t enough for us to be ready for GDPR – we also need to be ready to support your business’ interpretation of GDPR as well.

Yes. I said it, your interpretation. That’s the thing about GDPR: it is very comprehensive and very broad. At its core, GDPR is designed to protect Sally Q Public’s personal data from abuse. It is in place to ensure that your personal data is yours. This sounds simple – don’t be evil. Yet, there are nuances and complications for the internet that have not yet been tested, so there is ambiguity in how to implement these nuances of protecting personal data.

Don’t worry. We’ve thought long and hard about data protection. We want to make sure that we can help you – as a developer, as a business owner – to be compliant, regardless of your interpretation.

As always, it depends.

As our customer, yes, we need to treat your data – your name, your email address, your billing address and other personal information – with respect. This is your data, and in this respect we are, in GDPR vernacular, a data controller. We have updated our privacy policy to reflect our obligations as a controller to you as a customer.

Where it likely becomes more relevant to you, is where we are the steward of your customer’s data through the content you upload to Cloudinary. In this regard, Cloudinary is a data processor.

This is a difficult question. Personal data has many definitions. Really comes down to you, or your customers. If this data is personal to you, then it is personal data.

It becomes tricky as a processor, where we might not have all the context to know that this data is personal. As a parent, we’ve all cleaned up our children’s room and “accidentally” discarded that piece of paper – only to find out that this was a very important note for your child. Oops!

Context is important. For this reason, we assume that any data that you upload to the Cloudinary platform is personal data. Specifically, all images and videos that you, or your users, upload to us (Cloudinary) are treated as personal data..

We have fantastic APIs that will enable you to purge content from our CDNs and delete resources from your account. If you are unsure, we also have search APIs. You can programmatically search and delete, or if in doubt, you can use the new media library.

This is one of the areas that can be confusing with GDPR. The goal of GDPR is to ensure that your data is treated as private. Not only should it be protected, but it also must live geographically in a location where it can’t be stolen.

Depending on how you interpret GDPR for your business, you likely have one of two requirements for a data-processor like Cloudinary: Participation and commitment to the EU-US Privacy Shield – This provides a legal framework for any personal data that might be stored in the US. It also ensures a level of compliance with GDPRs requirements. OR guarantee that all personal-data is stored in the EU – This would sidestep any debate about jurisdiction and compliance with GDPR.

Cloudinary is built on tier-1 public cloud providers – primarily located in the United States. Since 2015, we have been operating under a 3rd-party audited and certified information security framework based on ISO/IEC 27001. Since 2017 we have been an active participant in the EU-US Privacy Shield. We have structured our DPA and our policies with these certifications in mind.

We recognize and respect that each business might set different expectations to ensure protection for your user’s personal data. For this reason, we are working hard to provide you with new ways to manage where your data is stored.

Cloudinary has long supported the ability to backup your data to your own S3 bucket in any region. We recently enhanced this service so you also can also backup your data to Google Cloud Platform. This puts your backup and long-term storage in your control in your desired geography.

In the very near future, we will be launching a data center in Europe. This will allow you to have absolute confidence that your images and video are not only stored in Europe, but also transformed and manipulated in Europe. This will allow you to have end-to-end media management in the geography of your choosing. More details to come. Stay tuned!

As with all of our vendors, we have worked hard to ensure that each technology partner is likewise also GDPR ready. This includes our CDN (Content Delivery Network) partners.

That’s the good news.

But this does raise some interesting questions. As a processor, we are responsible for ‘disclosure by transmission’ of personal data. On the internet, where does this line stop? Can you use a CDN, which has HTTP caches across the globe? Are you required to establish DPAs with every ISP and geography that could cache your HTTP traffic? What about TCP/IP level and packet retransmissions – is that a form of caching and storage? Are we responsible for each TCP Packet as it journeys through the internet?

This is very confusing. Many hours and beers have been counted debating these topics.

The question ultimately comes down to you and your interpretation of GDPR. For this reason we again offer you many ways to utilize our great service – all of which we believe conform to GDPRs requirements:

• You can use our CDNs as you do today (recommended default). We have verified that the CDNs we depend on provide the necessary GDPR assurances.
• We also offer bring-your-own-CDN or “origin” plans, for those who want more control on how to utilize our services. Contact our support or your account team to discuss options.

As always, we are focusing on providing you many ways to ensure that you are compliant with GDPR.

Being GDPR (and ISO 27001) compliant means that we have established policies and processes to ensure that we are transparent about any potential data breach. This includes providing notifications and taking immediate response to any security threat.

This is why we have also set the bar higher for ourselves. In the last year we have made a number of additional commitments to increase our transparency. This includes:

• Creation of a security bug bounty program
• We continue to publish all system disruptions and outages to create transparency in our service
• Exposing more data transparency of our systems through our early experimentation Server-Timing

We want to hold ourselves to a higher standard in ensuring we are transparent about how we conduct our business and how we help you be successful.

Here we are. GDPR has finally arrived! Cloudinary has invested a lot of time and energy to ensure that we are protecting your personal data and your users’ personal data. This is day-1 of the journey. We will certainly have many more debates in the future. In the end, users personal data will be better protected. The internet will be a better place.