At Cloudinary, we value the trust placed in our platform by developers and businesses globally and we take the responsibility of protecting your data seriously. Information Security at Cloudinary is a strategic and cross-functional initiative. This is reflected in our compliance with widely accepted security standards and regulations, enterprise class security features, our privacy policies, and our commitment to transparency.
- Cloudinary is ISO/IEC 27001:2013 certified. As part of the certification process we were audited by an independent, accredited certification body, which verified that we have a systematic, risk-based approach to managing sensitive information so that it remains secure. The audit covered all aspects of the company: people, processes and systems.
- Cloudinary has completed a SOC 2 Type I examination. SOC reports are independent third-party examination reports, compiled by Deloitte, that describe the controls we have established to meet the SOC 2 Trust Services Criteria for Security, Availability and Confidentiality. Their purpose is to help you and your auditors understand those controls so that you can rely on them for your own operations and compliance. Note that a Type I report attests to the design of controls at a point in time; a Type II report additionally covers their operating effectiveness over a period.
- We believe that adherence to a recognized standard sends a clear and important message to our customers and business partners: we are committed to Information Security Management, and security is a top priority for us.
- Cloudinary’s information security policies comply with the European Union General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. This regulation governs data protection and individual privacy within the European Union and the European Economic Area. Learn more about Cloudinary’s GDPR readiness.
- Cloudinary has an available Data Processing Addendum for paid plans, that can extend the terms of service to reflect the processing of personal data.
- Cloudinary is a certified active participant in the EU-U.S. Privacy Shield Framework designed by the U.S. Department of Commerce and the European Commission.
- Cloudinary’s UK entity is registered with the Information Commissioner’s Office (ICO) under the Data Protection Act. The registration number of Cloudinary UK Ltd is ZA518179.
- Cloudinary respects intellectual property rights and publishes its Digital Millennium Copyright Act (DMCA) Copyright Policy.
Cloudinary is built on tier-1 public cloud providers, with industry-leading compliance and security practices.
Cloudinary runs a security bug bounty program, enabling globally crowdsourced vulnerability detection. This means that our systems are under constant scrutiny by dozens of security researchers, whom we reward for responsible disclosure.
Cloudinary scales to over 300,000,000 image transformations a day sustained, with peaks of over 1 billion a day. We have an internal incident response procedure that is activated in the event of a DDoS attack and triggers specific mitigations such as country-based and request-pattern blocking.
Cloudinary enterprise plans include security features such as SSO, 2FA, custom SLA and security incident handling.
Cloudinary allows manual and automated moderation of media to ensure that restricted or offensive content is not displayed. Cloudinary add-ons such as WebPurify for image moderation, Amazon Rekognition AI Moderation, or Metascan for virus and malware scanning by four antivirus engines simultaneously, provide additional security for your rich media.
Cloudinary APIs are fully authenticated and secured, and media can be delivered over HTTP or HTTPS. The API also returns a JSON response with all asset details to a “notification_url” that you set.
Cloudinary uses third party penetration testing to probe our APIs and web applications for vulnerabilities.
Cloudinary’s security team tracks both publicly known and not-yet-disclosed vulnerabilities and regularly patches our systems to address them.
Cloudinary facilitates geographic isolation with regionally redundant data centers and backups within our tier-1 cloud providers in North America, Europe and Asia-Pacific. Cloudinary supports backing up your data to your own private AWS S3 bucket or to Google Cloud Storage in any region. This puts your backup and long-term storage under your control in your desired geography.
Cloudinary uses Firewall-as-a-Service for the production environment. Access to production servers is restricted to SSH, authenticated with client certificates.
Cloudinary uses Dome9 (by Check Point Software Technologies) to monitor and manage our firewall rule policies and to analyze VPC flow logs in order to detect abnormal network traffic.
Cloudinary offers many levels of secured access to assets stored within the platform, including user-level access controls, group controls, watermarking and invisible watermarking, enabling customers to control exactly who accesses their assets and when.
Images and videos are delivered via multiple industry-leading CDNs, including Akamai and Fastly, over TLS (HTTPS).
Cloudinary uses modern encryption protocols and keeps them up to date. Strong encryption is used for data in transit as well as at rest across our systems. For data in transit, TLS 1.2+ is available, and custom or restricted cipher suites can be defined for custom plans. For data at rest, industry-standard AES-256 encryption is used.
Being GDPR and ISO/IEC 27001 compliant means that Cloudinary has established processes to ensure transparency about any potential data breach, including notification and immediate response measures for any security threat.
Cloudinary maintains relationships with committers of key open source packages to get advance warning of any important security vulnerabilities discovered in them.
Cloudinary publishes service status, all system disruptions and outages, historical uptime reports, and we are committed to increasing data transparency of our systems through our support of Server-Timing response headers.