Cloudinary Blog
Improve Customer Data Protection with GDPR Implementation

TL;DR

  • We care deeply about the privacy and protection of data.
  • Cloudinary is ready for GDPR.
  • We have updated our Privacy Policy ✅, we participate in the EU-US Privacy Shield ✅, we have a DPA (Data Protection Agreement) available ✅, and we have implemented many new internal procedures ✅.
  • We also have new features for data flexibility: more backup targets, different image processing data centers and CDN control.
  • We are committed to a higher standard for integrity - we already publish all service disruptions, participate in a security bug bounty program and support Server-Timing.
  • Our business is based on paid usage, not on selling personal data.

Overview

Yay! We've done it! Gold star for us! We've talked with all the people, made all the changes, paid all the lawyers and checked all the boxes. GDPR? ✅ Done!

Not so fast. Of course, conforming to the GDPR regulations introduced in Europe is just the beginning. This is a process and a state of mind that must become part of our long-term cultural ethos.

I'm happy to announce that, like many companies, Cloudinary is GDPR ready! We take data privacy and data security very seriously. Last year, we shared our GDPR plans with you. We are now on the other side. We have spent thousands of hours and thousands of dollars reviewing policies, reviewing architectures, making changes to our privacy policy, building new features, talking with lawyers, talking some more with lawyers, debating internally amongst ourselves and enhancing our services.

As we went through this process, we realized that it isn’t enough for us to be ready for GDPR -- we also need to be ready to support your business's interpretation of GDPR.

Yes. I said it, your interpretation. That's the thing about GDPR: it is very comprehensive and very broad. At its core, GDPR is designed to protect Sally Q Public's personal data from abuse. It is in place to ensure that your personal data is yours. This sounds simple - don't be evil. Yet, there are nuances and complications for the internet that have not yet been tested, so there is ambiguity in how to implement these nuances of protecting personal data.

Don't worry. We've thought long and hard about data protection. We want to make sure that we can help you - as a developer, as a business owner - to be compliant, regardless of your interpretation.

Do I even need to care about GDPR with Cloudinary?

As always, it depends.

As our customer, yes, we need to treat your data - your name, your email address, your billing address and other personal information - with respect. This is your data, and in this respect we are, in GDPR vernacular, a data controller. We have updated our privacy policy to reflect our obligations as a controller to you as a customer.

Note
Do you care about data privacy for yourself? Yes? Please read our updated privacy policy and our DPA. [Short version - your data is yours, we keep it safe but we do need to keep financial records.]

Where it likely becomes more relevant to you is where we are the steward of your customers' data through the content you upload to Cloudinary. In this regard, Cloudinary is a data processor.

Note
Does your business need to be GDPR compliant as a processor or a controller? Yes? We have a DPA that is available for you. We also have additional features coming that you might want to explore.

What data does Cloudinary consider personal data?

This is a difficult question. Personal data has many definitions. It really comes down to you, or your customers. If this data is personal to you, then it is personal data.

It becomes tricky as a processor, where we might not have all the context to know that this data is personal. As parents, we’ve all cleaned up our children’s room and “accidentally” discarded that piece of paper -- only to find out that it was a very important note for our child. Oops!

Context is important. For this reason, we assume that any data that you upload to the Cloudinary platform is personal data. Specifically, all images and videos that you, or your users, upload to us (Cloudinary) are treated as personal data.

If I have a customer that wants to be forgotten, how can Cloudinary help me remove this media?

We have fantastic APIs that will enable you to purge content from our CDNs and delete resources from your account. If you are unsure, we also have search APIs. You can programmatically search and delete, or if in doubt, you can use the new media library.

Where are your servers? More importantly, where is my data stored?

This is one of the areas that can be confusing with GDPR. The goal of GDPR is to ensure that your data is treated as private. Not only should it be protected, but it also must live geographically in a location where it can't be stolen.

Depending on how you interpret GDPR for your business, you likely have one of two requirements for a data processor like Cloudinary:

  • Participation in and commitment to the EU-US Privacy Shield -- This provides a legal framework for any personal data that might be stored in the US. It also ensures a level of compliance with GDPR's requirements.
  • OR a guarantee that all personal data is stored in the EU -- This would sidestep any debate about jurisdiction and compliance with GDPR.

Cloudinary is built on tier-1 public cloud providers - primarily located in the United States. Since 2015, we have been operating under a 3rd-party audited and certified information security framework based on ISO/IEC 27001. Since 2017 we have been an active participant in the EU-US Privacy Shield. We have structured our DPA and our policies with these certifications in mind.

Note
Review Cloudinary’s DPA

We recognize and respect that each business might set different expectations to ensure protection for its users’ personal data. For this reason, we are working hard to provide you with new ways to manage where your data is stored.

Storage & backup targets

Cloudinary has long supported the ability to back up your data to your own S3 bucket in any region. We recently enhanced this service so you can also back up your data to Google Cloud Platform. This puts your backup and long-term storage in your control, in your desired geography.

Note
Configure storage backup for your images and video in an S3 or Google Cloud location of your choosing

Geographic isolation

In the very near future, we will be launching a data center in Europe. This will allow you to have absolute confidence that your images and video are not only stored in Europe, but also transformed and manipulated in Europe. This will allow you to have end-to-end media management in the geography of your choosing. More details to come. Stay tuned!

Are Cloudinary’s CDN partners GDPR compliant?

As with all of our vendors, we have worked hard to ensure that each technology partner is also GDPR ready. This includes our CDN (Content Delivery Network) partners.

That's the good news.

But this does raise some interesting questions. As a processor, we are responsible for 'disclosure by transmission' of personal data. On the internet, where does this line stop? Can you use a CDN, which has HTTP caches across the globe? Are you required to establish DPAs with every ISP and geography that could cache your HTTP traffic? What about the TCP/IP level and packet retransmissions - is that a form of caching and storage? Are we responsible for each TCP packet as it journeys through the internet?

This is very confusing. Many hours and beers have been counted debating these topics.

The question ultimately comes down to you and your interpretation of GDPR. For this reason we again offer you many ways to utilize our great service - all of which we believe conform to GDPR's requirements:

  • You can use our CDNs as you do today (recommended default). We have verified that the CDNs we depend on provide the necessary GDPR assurances.
  • We also offer bring-your-own-CDN or “origin” plans, for those who want more control on how to utilize our services. Contact our support or your account team to discuss options.

As always, we are focusing on providing you many ways to ensure that you are compliant with GDPR.

What about the other parts of GDPR? What about notification and alerts?

Being GDPR (and ISO 27001) compliant means that we have established policies and processes to ensure that we are transparent about any potential data breach. This includes providing notifications and responding immediately to any security threat.

This is why we have also set the bar higher for ourselves. In the last year we have made a number of additional commitments to increase our transparency. This includes:

We want to hold ourselves to a higher standard in ensuring we are transparent about how we conduct our business and how we help you be successful.

Summary

Here we are. GDPR has finally arrived! Cloudinary has invested a lot of time and energy to ensure that we are protecting your personal data and your users’ personal data. This is day 1 of the journey. We will certainly have many more debates in the future. In the end, users’ personal data will be better protected. The internet will be a better place.

About Cloudinary

Cloudinary provides easy-to-use, cloud-based media management solutions for the world’s top brands. With offices in the US, UK and Israel, Cloudinary has quickly become the de facto solution used by developers and marketers at major companies around the world to streamline rich media management and deliver optimal end-user experiences.

For more information, visit www.cloudinary.com or follow us on Twitter
