Trust

At Cloudinary, we value the trust placed in our platform by developers and businesses globally and we take the responsibility of protecting your data seriously. Information Security at Cloudinary is a strategic and cross-functional initiative. This is reflected in our compliance with widely accepted security standards and regulations, enterprise class security features, our privacy policies, and our commitment to transparency.

Compliance

Cloudinary’s information security policies comply with the ISO/IEC 27001 standard for Information Security Management Systems. These controls apply to every aspect of our company processes, from hiring to IT policies to software development practices. We use a third-party company that specializes in information security to validate and audit compliance with these controls.

Cloudinary’s information security policies comply with the European Union General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. This regulation governs data protection and individual privacy within the European Union and the European Economic Area. Learn more about Cloudinary’s GDPR readiness.

Cloudinary offers a Data Processing Addendum for paid plans that extends the terms of service to cover the processing of personal data.

Cloudinary is a certified active participant in the EU-US Privacy Shield Framework designed by the U.S. Department of Commerce and the European Commission.

Cloudinary respects intellectual property rights and publishes its Digital Millennium Copyright Act (DMCA) Copyright Policy.

Security

Service Security

Cloudinary is built on tier-1 public cloud providers, with industry-leading compliance and security practices.

As an APN Advanced Technology Partner, Cloudinary is audited annually to the AWS Well-Architected Framework.

Cloudinary runs a security bug bounty program, enabling globally crowdsourced vulnerability detection. This means that our systems are under constant scrutiny by dozens of security researchers, whom we reward for responsible disclosure.

Cloudinary sustains over 300,000,000 image transformations a day, with peaks of over 1 billion a day. We have an internal incident response procedure that is activated in case of a DDoS attack to begin specific mitigations such as country blocking and pattern blocking.

Application Security

Cloudinary enterprise plans include security features such as SSO, 2FA, custom SLA and security incident handling.

Cloudinary allows manual and automated moderation of media to ensure that restricted or offensive content is not displayed. Cloudinary add-ons such as WebPurify for image moderation, Amazon Rekognition AI Moderation, or Metascan for virus and malware scanning by four antivirus engines simultaneously, provide additional security for your rich media.

Cloudinary APIs are fully authenticated and secured, and allow media to be delivered over HTTP or HTTPS. The API also returns a JSON response with all asset details to a “notification_url” that you set.

Cloudinary uses third-party penetration testing to probe our APIs and web applications for vulnerabilities.

Cloudinary’s security team tracks both publicly known and not-yet-disclosed vulnerabilities and regularly patches the system to address them.

Data Security

Cloudinary facilitates geographic isolation with regionally redundant data centers and backups within our tier-1 cloud providers in North America, Europe and Asia-Pacific. Cloudinary supports backing up your data to your own private AWS S3 bucket or to Google Cloud Storage in any region. This puts your backup and long-term storage in your control, in your desired geography.

Cloudinary uses Firewall-as-a-Service for the production environment. Access to production servers is restricted to SSH only, authenticated with client certificates.

Cloudinary uses Dome9 (by Check Point) to monitor and manage our firewall policies and rules, and to analyze VPC flow logs to detect abnormal network traffic.

Cloudinary offers many levels of secured access to assets stored within the platform, including user-level access controls, group controls, watermarking, and invisible watermarking, enabling customers to control exactly who accesses their assets and when.

Images and videos are delivered via multiple industry-leading CDNs, including Akamai and Fastly, over SSL/TLS.

Cloudinary utilizes modern encryption protocols and keeps them up-to-date. Strong encryption is used for data in transit as well as at rest, across our systems. For data in transit, TLS 1.2+ is available, and custom/limited cipher sets can be defined for custom plans. For data at rest, industry-standard AES-256 encryption is used.

Privacy

You own your data and we are committed to keeping it private. Cloudinary’s Privacy Policy clearly outlines how all personally identifiable data is handled and secured.

Cloudinary’s information security policies comply with the European Union General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. You can learn more about GDPR readiness here.

Cloudinary offers a Data Processing Addendum for paid plans that extends the terms of service to cover the processing of personal data.

Cloudinary is a certified active participant in the EU-US Privacy Shield Framework designed by the U.S. Department of Commerce and the European Commission.

Transparency

Being GDPR and ISO/IEC 27001 compliant means that Cloudinary has established processes to ensure transparency about any potential data breach. This includes providing notifications and taking immediate response measures against any security threat.

Cloudinary uses a security bug bounty program, enabling globally crowdsourced vulnerability detection.

Cloudinary maintains relationships with committers of key open source packages to get advance warning of any important security vulnerabilities discovered in them.

Cloudinary publishes its Terms of Use.

Cloudinary publishes its service status, all system disruptions and outages, and historical uptime reports, and is committed to increasing data transparency of its systems through its support of Server-Timing response headers.