Cloudinary Blog
Improve Customer Data Protection with GDPR Implementation

TL;DR

  • We care deeply about the privacy and protection of data.
  • Cloudinary is ready for GDPR
  • We have updated our Privacy Policy ✅, we participate in the EU-US Privacy Shield ✅and have a DPA (Data Protection Agreements) available ✅, and implemented many new internal procedures ✅
  • We also have new features for data flexibility: more backup targets, different image processing data centers and CDN control.
  • We are committed to a higher standard for integrity - we already publish all service disruptions, participate in a security bug bounty program and support Server-Timing.
  • Our business is based on paid usage, not on selling personal data.

Overview

Yay! We've done it! Gold-Star for us! We've talked with all the people, made all the changes, paid all the lawyers and checked all the boxes. GDPR? ✅Done!

Not so fast. Of course, conforming to the GDPR regulations introduced in Europe is just the beginning. This is a process and a state of mind that must become part of our long-term cultural ethos.

I'm happy to announce that, like many companies, Cloudinary is GDPR ready! We take data privacy and data security very seriously. Last year, we shared with your our GDPR plans. We are now on the other side. We have spent thousands of hours and thousands of dollars reviewing policies, reviewing architectures, making changes to our privacy policy, building new features, talking with lawyers, talking some more with lawyers, debating internally amongst ourselves and enhancing our services.

As we went through this process, we realized that it isn’t enough for us to be ready for GDPR -- we also need to be ready to support your business' interpretation of GDPR as well.

Yes. I said it, your interpretation. That's the thing about GDPR: it is very comprehensive and very broad. At its core, GDPR is designed to protect Sally Q Public's personal data from abuse. It is in place to ensure that your personal data is yours. This sounds simple - don't be evil. Yet, there are nuances and complications for the internet that have not yet been tested, so there is ambiguity in how to implement these nuances of protecting personal data.

Don't worry. We've thought long and hard about data protection. We want to make sure that we can help you - as a developer, as a business owner - to be compliant, regardless of your interpretation.

Do I even need to care about GDPR with Cloudinary?

As always, it depends.

As our customer, yes, we need to treat your data - your name, your email address, your billing address and other personal information - with respect. This is your data, and in this respect we are, in GDPR vernacular, a data controller. We have updated our privacy policy to reflect our obligations as a controller to you as a customer.

Note
Do you care about data privacy for yourself? Yes? Please read our updated privacy policy and our DPA. [Short version - your data is yours, we keep it safe but we do need to keep financial records.]

Where it likely becomes more relevant to you, is where we are the steward of your customer's data through the content you upload to Cloudinary. In this regard, Cloudinary is a data processor.

Note
Does your business need to be GDPR compliant as a processor or a controller? Yes? We have a DPA that is available for you. We also have additional features coming that you might want to explore.

What data does Cloudinary consider personal data?

This is a difficult question. Personal data has many definitions. Really comes down to you, or your customers. If this data is personal to you, then it is personal data.

It becomes tricky as a processor, where we might not have all the context to know that this data is personal. As a parent, we’ve all cleaned up our children’s room and “accidentally” discarded that piece of paper -- only to find out that this was a very important note for your child. Oops!

Context is important. For this reason, we assume that any data that you upload to the Cloudinary platform is personal data. Specifically, all images and videos that you, or your users, upload to us (Cloudinary) are treated as personal data..

If I have a customer that wants to be forgotten, how can Cloudinary help me remove this media?

We have fantastic APIs that will enable you to purge content from our CDNs and delete resources from your account. If you are unsure, we also have search APIs. You can programmatically search and delete, or if in doubt, you can use the new media library.

Where are your servers? More importantly, where is my data stored?

This is one of the areas that can be confusing with GDPR. The goal of GDPR is to ensure that your data is treated as private. Not only should it be protected, but it also must live geographically in a location where it can't be stolen.

Depending on how you interpret GDPR for your business, you likely have one of two requirements for a data-processor like Cloudinary: Participation and commitment to the EU-US Privacy Shield -- This provides a legal framework for any personal data that might be stored in the US. It also ensures a level of compliance with GDPRs requirements. OR guarantee that all personal-data is stored in the EU -- This would sidestep any debate about jurisdiction and compliance with GDPR.

Cloudinary is built on tier-1 public cloud providers - primarily located in the United States. Since 2015, we have been operating under a 3rd-party audited and certified information security framework based on ISO/IEC 27001. Since 2017 we have been an active participant in the EU-US Privacy Shield. We have structured our DPA and our policies with these certifications in mind.

Note
Review Cloudinary’s DPA

We recognize and respect that each business might set different expectations to ensure protection for your user’s personal data. For this reason, we are working hard to provide you with new ways to manage where your data is stored.

Storage & backup targets

Cloudinary has long supported the ability to backup your data to your own S3 bucket in any region. We recently enhanced this service so you also can also backup your data to Google Cloud Platform. This puts your backup and long-term storage in your control in your desired geography.

Note
Configure storage backup for your images and video in an S3 or Google Cloud location of your choosing

Geographic isolation

In the very near future, we will be launching a data center in Europe. This will allow you to have absolute confidence that your images and video are not only stored in Europe, but also transformed and manipulated in Europe. This will allow you to have end-to-end media management in the geography of your choosing. More details to come. Stay tuned!

Are Cloudinary’s CDN partners GDPR compliant?

As with all of our vendors, we have worked hard to ensure that each technology partner is likewise also GDPR ready. This includes our CDN (Content Delivery Network) partners.

That's the good news.

But this does raise some interesting questions. As a processor, we are responsible for 'disclosure by transmission' of personal data. On the internet, where does this line stop? Can you use a CDN, which has HTTP caches across the globe? Are you required to establish DPAs with every ISP and geography that could cache your HTTP traffic? What about TCP/IP level and packet retransmissions - is that a form of caching and storage? Are we responsible for each TCP Packet as it journeys through the internet?

This is very confusing. Many hours and beers have been counted debating these topics.

The question ultimately comes down to you and your interpretation of GDPR. For this reason we again offer you many ways to utilize our great service - all of which we believe conform to GDPRs requirements:

  • You can use our CDNs as you do today (recommended default). We have verified that the CDNs we depend on provide the necessary GDPR assurances.
  • We also offer bring-your-own-CDN or “origin” plans, for those who want more control on how to utilize our services. Contact our support or your account team to discuss options.

As always, we are focusing on providing you many ways to ensure that you are compliant with GDPR.

What about the other parts of GDPR? What about notification and alerts?

Being GDPR (and ISO 27001) compliant means that we have established policies and processes to ensure that we are transparent about any potential data breach. This includes providing notifications and taking immediate response to any security threat.

This is why we have also set the bar higher for ourselves. In the last year we have made a number of additional commitments to increase our transparency. This includes:

We want to hold ourselves to a higher standard in ensuring we are transparent about how we conduct our business and how we help you be successful.

Summary

Here we are. GDPR has finally arrived! Cloudinary has invested a lot of time and energy to ensure that we are protecting your personal data and your users’ personal data. This is day-1 of the journey. We will certainly have many more debates in the future. In the end, users personal data will be better protected. The internet will be a better place.

Recent Blog Posts

10 Website Videos Mistakes and How to Solve Them

It should come as no surprise that video use on the internet is exploding. You can see the dramatic growth of video on the average site in this SpeedCurve blog post.

With the growth in video comes greater bandwidth use, which is not only costly for your IT budget, but for your visitors as well. Beyond the expense, there is the user experience to consider. The heavier the page, the longer it will take to load, and the greater likelihood visitors will abandon your site. Page load speed is also an important factor in SEO ranking, so clearly video is something we need to take seriously and get right. Video is challenging, presenting terms still unfamiliar to developers - like codecs, bitrate and adaptive bitrate streaming. As a result, mistakes are being made in video implementation.

Read more
Android Data Saver: Optimizing Mobile Data Usage with Cloudinary

Over the life of a mobile device, the cost of a cellular data plan often exceeds that of the device itself. To optimize data usage and purge useless data on their mobile devices, users can enable Data Saver from Android 7.0 (API level 24). To do so, users toggle Data Saver in quick settings under the Notification shade or under Settings > Data usage. With Data Saver enabled, apps that aren't whitelisted cannot use cellular data in the background. They are also directed to consume less data while active.

Read more
Introducing the Cloudinary Upload Widget v2

At Cloudinary, we manage the entire pipeline of media assets for thousands of customers of varying sizes from numerous verticals. Cloudinary is an end-to-end solution for all your image and video needs, including upload, storage, administration, manipulation, optimization and dynamic delivery.

Read more
Convert an Image to a 3D Canvas With Cloudinary

Note
This post was cowritten with Daniel Mendoza.
Note
This post was cowritten with Daniel Mendoza.
Note

Famed American poet Henry David Thoreau once said, “This world is but a canvas to our imagination.” And, like your imagination, the transformations you can apply to images with Cloudinary are practically endless. You can even render any flat image to appear three-dimensional and framed on a canvas.

Read more
Mobile Optimization: Optimize Your Mobile-Web User Experience

TL;DR

We live in a visual world, often while on the go, and consumers expect media-rich web content. Accordingly, the loading speed of images and videos is a big factor in user experience. To optimize customer satisfaction with your mobile content, you must focus on the quality, format, and size of your digital assets. With Cloudinary, optimization is simple, not only enhancing your mobile web and app performance, but also upping your SEO game and boosting customer experience.

Read more