Trust | Cloudinary


At Cloudinary, we value the trust placed in our platform by developers and businesses globally and we take the responsibility of protecting your data seriously. Information Security at Cloudinary is a strategic and cross-functional initiative. This is reflected in our compliance with widely accepted security standards and regulations, enterprise class security features, our privacy policies, and our commitment to transparency.


  • Cloudinary is ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27032:2012 and ISO/IEC 27701:2019 certified. As part of those certification processes, we’ve been audited by an independent and accredited certification body which verified we have a systematic approach to managing sensitive information so that it remains secure. It included all aspects of our company – people, processes, and systems – by applying a risk-based approach. We believe that adherence to recognized standards sends a valuable and important message to our customers and business partners that demonstrate a clear commitment to information security and data privacy management, which is – security and privacy are top priority for us.
  • Cloudinary is SOC 2 Type II certified. The SOC reports are independent third-party examination reports, compiled by Deloitte, that demonstrate how we achieved key compliance controls and objectives in order to meet the SOC 2 Trust Principles criteria for Security, Availability, and Confidentiality. The purpose of these reports is to help you and your auditors understand the controls we’ve established in order to support your operations and compliance.
  • The Cloud Security Alliance CAIQ questionnaire offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. The questionnaire helps cloud customers to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure. You can view our questionnaire by visiting
  • Cloudinary’s information security policies comply with the European Union General Data Protection Regulation (GDPR) EU 2106/679. This regulation governs data protection and individual privacy within the European Union and European Economic Area. Learn more about Cloudinary’s GDPR readiness.
  • Cloudinary has also invested significant efforts to meet relevant requirements under the California Consumer Privacy Act of 2018 (CCPA), which entered into effect on January 1, 2020 and is prepared to support requests to exercise the rights of California residents (“consumers” under the CCPA).
  • Cloudinary has an available Data Processing Agreement for paid plans, that can extend the terms of service to reflect the processing of personal data.
  • Cloudinary is a certified active participant in the EU-US Privacy Shield Frameworks designed by the U.S Dept. of Commerce and the European Commission.
  • Cloudinary’s UK entity is registered with the Information Commissioner’s Office (ICO) under the Data Protection Act. Cloudinary Uk Ltd registration number is ZA518179.
  • Cloudinary respects intellectual property rights and publishes its Digital Millenium Copyright Act (DMCA) Copyright Policy.


Service Security

Cloudinary is built on tier-1 public cloud providers, with industry-leading compliance and security practices.

As an APN Advanced Technology Partner, Cloudinary is audited annually to the AWS Well-Architected Framework.

Cloudinary runs a security bug bounty program , enabling globally crowdsourced vulnerability detection. This means that our systems are under constant scrutiny by dozens of security researchers, who we reward for responsible disclosure.

Cloudinary scales to over 300,000,000 image transformations a day sustained, with peaks of over 1 billion a day. We have an internal incident response procedure that is activated in case of a DDoS attack to begin specific mitigations such as country blocking and pattern blocking.

Application Security

Cloudinary enterprise plans include security features such as SSO, 2FA, custom SLA and security incident handling.

Cloudinary allows manual and automated moderation of media to ensure that restricted or offensive content is not displayed. Cloudinary add-ons such as Webpurify for image moderation, AWS Rekognition AI Moderation, or Metascan for virus and malware scanning by four antivirus engines simultaneously, enable additional security for your rich media.

Cloudinary APIs are fully authenticated and secured and allow delivering media over http or https. The API also returns a JSON response with all asset details at a “notification_url” that you set.

Cloudinary uses third party penetration testing to probe our APIs and web applications for vulnerabilities.

Cloudinary security team tracks both known and unreleased vulnerabilities and regularly patches the system to address these.

Data Security

Cloudinary facilitates geographic isolation with regional redundant data centers and backups within our tier-1 cloud providers in North America, Europe and Asia-Pacific. Cloudinary supports backing up your data to your own private AWS S3 bucket or to Google Cloud Storage in any region.This puts your backup and long-term storage in your control in your desired geography.

Cloudinary uses Firewall-as-a-service for the production environment.  Access to production servers is restricted to SSH access only, using client certificates.

Cloudinary uses Dome9 (by Checkpoint Technologies) to monitor and manage policies our firewall rules and VPC flow logs to detect abnormal network traffic.

Cloudinary offers many levels of secured access to assets stored within the platform, including user level access controls, group controls, watermarking, and, invisible watermarking, enabling customers to control exactly who accesses their assets and when.

Images and videos are delivered via multiple industry-leading CDNs, including Akamai and Fastly, via an SSL set up.

Cloudinary utilizes modern encryption protocols and keeps them up-to-date. Strong encryption is used for data in transit as well as at rest, across our systems. For data in transit, TLS 1.2+ is available, and custom/limited cipher sets can be defined for custom plans. For data at rest, industry-standard AES-256 encryption is used.


You own your data and we are committed to keeping it private. Cloudinary’s Privacy Policy clearly outlines how all personally identifiable data is handled and secured.

Cloudinary’s information security policies comply with European Union General Data Protection Regulation (GDPR) EU 2106/679. You can Learn more about GDPR readiness here.

Cloudinary has an available Data Processing Agreement for paid plans, that can extend the terms of service to reflect the processing of personal data.

Cloudinary is a certified active participant in the EU-US Privacy Shield Frameworks  designed by the U.S Dept. of Commerce and the European Commission.


Being GDPR and ISO/IEC 27001 compliant means that Cloudinary has established processes to ensure transparency about any potential data breach. This includes providing notifications and immediate response measures to any security threat.

Cloudinary uses a security bug bounty program , enabling globally crowdsourced vulnerability detection.

Cloudinary maintains relationships with committers of key open source packages to get advance warning on any important security vulnerabilities discovered in them.

Cloudinary publishes its Terms of Use

Cloudinary publishes service status, all system disruptions and outages, historical uptime reports, and we are committed to increasing data transparency of our systems through our support of Server-Timing response headers.