Cloudinary Blog
Improve Customer Data Protection with GDPR Implementation

TL;DR

  • We care deeply about the privacy and protection of data.
  • Cloudinary is ready for GDPR
  • We have updated our Privacy Policy ✅, we participate in the EU-US Privacy Shield ✅and have a DPA (Data Protection Agreements) available ✅, and implemented many new internal procedures ✅
  • We also have new features for data flexibility: more backup targets, different image processing data centers and CDN control.
  • We are committed to a higher standard for integrity - we already publish all service disruptions, participate in a security bug bounty program and support Server-Timing.
  • Our business is based on paid usage, not on selling personal data.

Overview

Yay! We've done it! Gold-Star for us! We've talked with all the people, made all the changes, paid all the lawyers and checked all the boxes. GDPR? ✅Done!

Not so fast. Of course, conforming to the GDPR regulations introduced in Europe is just the beginning. This is a process and a state of mind that must become part of our long-term cultural ethos.

I'm happy to announce that, like many companies, Cloudinary is GDPR ready! We take data privacy and data security very seriously. Last year, we shared with your our GDPR plans. We are now on the other side. We have spent thousands of hours and thousands of dollars reviewing policies, reviewing architectures, making changes to our privacy policy, building new features, talking with lawyers, talking some more with lawyers, debating internally amongst ourselves and enhancing our services.

As we went through this process, we realized that it isn’t enough for us to be ready for GDPR -- we also need to be ready to support your business' interpretation of GDPR as well.

Yes. I said it, your interpretation. That's the thing about GDPR: it is very comprehensive and very broad. At its core, GDPR is designed to protect Sally Q Public's personal data from abuse. It is in place to ensure that your personal data is yours. This sounds simple - don't be evil. Yet, there are nuances and complications for the internet that have not yet been tested, so there is ambiguity in how to implement these nuances of protecting personal data.

Don't worry. We've thought long and hard about data protection. We want to make sure that we can help you - as a developer, as a business owner - to be compliant, regardless of your interpretation.

Do I even need to care about GDPR with Cloudinary?

As always, it depends.

As our customer, yes, we need to treat your data - your name, your email address, your billing address and other personal information - with respect. This is your data, and in this respect we are, in GDPR vernacular, a data controller. We have updated our privacy policy to reflect our obligations as a controller to you as a customer.

Note
Do you care about data privacy for yourself? Yes? Please read our updated privacy policy and our DPA. [Short version - your data is yours, we keep it safe but we do need to keep financial records.]

Where it likely becomes more relevant to you, is where we are the steward of your customer's data through the content you upload to Cloudinary. In this regard, Cloudinary is a data processor.

Note
Does your business need to be GDPR compliant as a processor or a controller? Yes? We have a DPA that is available for you. We also have additional features coming that you might want to explore.

What data does Cloudinary consider personal data?

This is a difficult question. Personal data has many definitions. Really comes down to you, or your customers. If this data is personal to you, then it is personal data.

It becomes tricky as a processor, where we might not have all the context to know that this data is personal. As a parent, we’ve all cleaned up our children’s room and “accidentally” discarded that piece of paper -- only to find out that this was a very important note for your child. Oops!

Context is important. For this reason, we assume that any data that you upload to the Cloudinary platform is personal data. Specifically, all images and videos that you, or your users, upload to us (Cloudinary) are treated as personal data..

If I have a customer that wants to be forgotten, how can Cloudinary help me remove this media?

We have fantastic APIs that will enable you to purge content from our CDNs and delete resources from your account. If you are unsure, we also have search APIs. You can programmatically search and delete, or if in doubt, you can use the new media library.

Where are your servers? More importantly, where is my data stored?

This is one of the areas that can be confusing with GDPR. The goal of GDPR is to ensure that your data is treated as private. Not only should it be protected, but it also must live geographically in a location where it can't be stolen.

Depending on how you interpret GDPR for your business, you likely have one of two requirements for a data-processor like Cloudinary: Participation and commitment to the EU-US Privacy Shield -- This provides a legal framework for any personal data that might be stored in the US. It also ensures a level of compliance with GDPRs requirements. OR guarantee that all personal-data is stored in the EU -- This would sidestep any debate about jurisdiction and compliance with GDPR.

Cloudinary is built on tier-1 public cloud providers - primarily located in the United States. Since 2015, we have been operating under a 3rd-party audited and certified information security framework based on ISO/IEC 27001. Since 2017 we have been an active participant in the EU-US Privacy Shield. We have structured our DPA and our policies with these certifications in mind.

Note
Review Cloudinary’s DPA

We recognize and respect that each business might set different expectations to ensure protection for your user’s personal data. For this reason, we are working hard to provide you with new ways to manage where your data is stored.

Storage & backup targets

Cloudinary has long supported the ability to backup your data to your own S3 bucket in any region. We recently enhanced this service so you also can also backup your data to Google Cloud Platform. This puts your backup and long-term storage in your control in your desired geography.

Note
Configure storage backup for your images and video in an S3 or Google Cloud location of your choosing

Geographic isolation

In the very near future, we will be launching a data center in Europe. This will allow you to have absolute confidence that your images and video are not only stored in Europe, but also transformed and manipulated in Europe. This will allow you to have end-to-end media management in the geography of your choosing. More details to come. Stay tuned!

Are Cloudinary’s CDN partners GDPR compliant?

As with all of our vendors, we have worked hard to ensure that each technology partner is likewise also GDPR ready. This includes our CDN (Content Delivery Network) partners.

That's the good news.

But this does raise some interesting questions. As a processor, we are responsible for 'disclosure by transmission' of personal data. On the internet, where does this line stop? Can you use a CDN, which has HTTP caches across the globe? Are you required to establish DPAs with every ISP and geography that could cache your HTTP traffic? What about TCP/IP level and packet retransmissions - is that a form of caching and storage? Are we responsible for each TCP Packet as it journeys through the internet?

This is very confusing. Many hours and beers have been counted debating these topics.

The question ultimately comes down to you and your interpretation of GDPR. For this reason we again offer you many ways to utilize our great service - all of which we believe conform to GDPRs requirements:

  • You can use our CDNs as you do today (recommended default). We have verified that the CDNs we depend on provide the necessary GDPR assurances.
  • We also offer bring-your-own-CDN or “origin” plans, for those who want more control on how to utilize our services. Contact our support or your account team to discuss options.

As always, we are focusing on providing you many ways to ensure that you are compliant with GDPR.

What about the other parts of GDPR? What about notification and alerts?

Being GDPR (and ISO 27001) compliant means that we have established policies and processes to ensure that we are transparent about any potential data breach. This includes providing notifications and taking immediate response to any security threat.

This is why we have also set the bar higher for ourselves. In the last year we have made a number of additional commitments to increase our transparency. This includes:

We want to hold ourselves to a higher standard in ensuring we are transparent about how we conduct our business and how we help you be successful.

Summary

Here we are. GDPR has finally arrived! Cloudinary has invested a lot of time and energy to ensure that we are protecting your personal data and your users’ personal data. This is day-1 of the journey. We will certainly have many more debates in the future. In the end, users personal data will be better protected. The internet will be a better place.

About Cloudinary

Cloudinary provides easy-to-use, cloud-based media management solutions for the world’s top brands. With offices in the US, UK and Israel, Cloudinary has quickly become the de facto solution used by developers and marketers at major companies around the world to streamline rich media management and deliver optimal end-user experiences.

For more information, visit www.cloudinary.com or follow us on Twitter

Recent Blog Posts

How to Use the Cloudinary Media Editor Widget

At Cloudinary, we manage the entire pipeline of media assets for thousands of customers of varying sizes from numerous verticals.

As part of our commitment to support the entire flow of media assets, we are now introducing an intuitive media editing widget: an out­-of­-the-­box, interactive UI providing your users with a set of common image editing actions for immediate use on your website or web app. The widget is interactive and simple, built on Cloudinary's transformation capabilities, and requiring only a few lines of code to integrate. Afterwards, you can seamlessly and effortlessly add content to your site or app with no need for in-house image editing capabilities.

Read more
Shoppable Video Is Becoming Popular in E-Commerce

As pandemic restrictions necessitated, many shopping trips in 2020 took place outside the traditional brick-and-mortar store, or at least void of the physical aisle-browsing experience. Same-day curbside pickup became a safe and convenient alternative, and e-commerce transactions skyrocketed as consumers shopped online. In fact, Digital Commerce 360 estimates that, compared to 2019, e-commerce transactions grew by more than 40% last year.

Read more
Enhance Your Travel Site With Cloudinary in Anticipation of a Return to New Normal

Read more
The Benefits of Headless DAMs

Headless is not a buzzword anymore. In fact, the concept of headless architecture is gaining momentum due to the flexibility it offers for composing new experiences and for tackling the undue complexity of an ever-evolving technology stack. That’s because while the evolution of the martech landscape has enabled disruptive, digital innovations, the approach of buying point solutions for solving specific challenges can expose companies to the complicated nature of new technologies, systems, and platforms.

Read more

Building Display Ads With Transparent Video

By Afzaal Ahmad Zeeshan
Build Web Ads With Transparent Video to Attract User Engagement

Billions of views on the Internet every day drive one of the biggest industries on the planet: advertising. The sheer size of that market and the competitive nature of vying for consumer attention results in a constant need for innovation. Readers are jaded, and display ads are blind spots.

Read more