Data privacy is priority
We are committed to providing our users control over their personal data, with full transparency into our privacy practices.
Data Processing Agreement
Our DPA covers all necessary data processing commitments and practices, describes the controls and safeguards that we have put in place, and applies globally to any customer who has signed an agreement for the purchase of a subscription.
Cloudinary implements controls, measures procedures, and policies to allow its clients to process personal data in compliance with the European Union General Data Protection Regulation (GDPR) EU 2106/679.
Storage & Transfer
Cloudinary uses AWS servers located worldwide, and provides its enterprise customers with the ability to choose that their data will be stored in the EEA. Any data transfer is treated in accordance with our DPA, the New EU Standard Contractual Clauses (SCC), and the EU-U.S. Data Privacy Framework (DPF), including the UK-US extension and the Swiss-US DPF.
Cloudinary’s main sub-processes are some of the world’s most trusted companies. We conduct careful due diligence on the privacy and security practices of third parties we engage to help us provide our services. You can find our list of sub-processors.
Cloudinary invested significant efforts to provide a trusted environment for its clients to meet their obligations under US consumer privacy laws and in particular the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act (CPRA).
Security comes first
Cloudinary upholds strict international standards and adheres to applicable regulations to keep your data safe.
The Cloud Security Alliance CAIQ questionnaire offers an industry-accepted methodology to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.
Cloudinary is an AWS APN Advanced Technology Partner. To receive the designation, APN Partners must possess deep AWS expertise and deliver solutions seamlessly on AWS, including passing an annual AWS Well-Architected Framework audit.
Bug Bounty Program
Cloudinary’s Bug Bounty Program enables globally crowdsourced 24/7/365 vulnerability and risk detection. As a result, systems are under constant scrutiny by dozens of security researchers, who are rewarded for responsible disclosure.
Cloudinary conducts ongoing third-party penetration tests by trusted industry experts at least annually, to expose potential vulnerabilities and risks. Once identified, these are addressed and mitigated.
We support industry-standard controls to help protect your media. Security features include access controls, single sign-on, multi-factor authentication, and strict enforcement of access patterns. Access is granted according to the principle of least privilege and is fully monitored, end-to-end.
Our internal Business Continuity & Disaster Recovery plan ensures that critical operations are always available, allowing our services to recover quickly and with minimal data loss in face of any adverse event. Cloudinary facilitates geographic isolation with regional redundant data centers.
Cloudinary products are built on best-in-class core technologies and are designed to remain operational under nearly every operational situation or circumstance.
System availability and performance, real-time service status reports, system disruptions, and outage reports are available on our status page. Every API response includes Server-Timing headers.
A complete record of system uptime is measured by a third-party and is published on our website. We are committed to a 99.9% uptime.
Cloudinary undergoes audits by an independent and accredited certification body which verifies it has a systematic approach to managing sensitive information. It included all aspects of the company – people, processes, and systems – by applying a risk-based approach.
SOC 2 Type II certified
The SOC reports are independent third-party examination reports, produced by Deloitte, that demonstrate how Cloudinary has achieved key compliance controls and objectives that meet the SOC 2 Trust Principles criteria for Security, Availability, Privacy, Confidentiality and the HIPAA Security Rule.