Cloudinary Blog

Yet Another GDPR Blog Post!

Improve Customer Data Protection with GDPR Implementation

TL;DR

  • We care deeply about the privacy and protection of data.
  • Cloudinary is ready for GDPR.
  • We have updated our Privacy Policy ✅, we participate in the EU-US Privacy Shield ✅, we have a DPA (Data Protection Agreement) available ✅, and we have implemented many new internal procedures ✅
  • We also have new features for data flexibility: more backup targets, different image processing data centers and CDN control.
  • We are committed to a higher standard for integrity - we already publish all service disruptions, participate in a security bug bounty program and support Server-Timing.
  • Our business is based on paid usage, not on selling personal data.

Overview

Yay! We've done it! Gold star for us! We've talked with all the people, made all the changes, paid all the lawyers and checked all the boxes. GDPR? ✅ Done!

Not so fast. Of course, conforming to the GDPR regulations introduced in Europe is just the beginning. This is a process and a state of mind that must become part of our long-term cultural ethos.

I'm happy to announce that, like many companies, Cloudinary is GDPR ready! We take data privacy and data security very seriously. Last year, we shared our GDPR plans with you. We are now on the other side. We have spent thousands of hours and thousands of dollars reviewing policies, reviewing architectures, making changes to our privacy policy, building new features, talking with lawyers, talking some more with lawyers, debating internally amongst ourselves and enhancing our services.

As we went through this process, we realized that it isn’t enough for us to be ready for GDPR -- we also need to be ready to support your business' interpretation of GDPR as well.

Yes. I said it, your interpretation. That's the thing about GDPR: it is very comprehensive and very broad. At its core, GDPR is designed to protect Sally Q Public's personal data from abuse. It is in place to ensure that your personal data is yours. This sounds simple - don't be evil. Yet, there are nuances and complications for the internet that have not yet been tested, so there is ambiguity in how to implement these nuances of protecting personal data.

Don't worry. We've thought long and hard about data protection. We want to make sure that we can help you - as a developer, as a business owner - to be compliant, regardless of your interpretation.

Do I even need to care about GDPR with Cloudinary?

As always, it depends.

As our customer, yes, we need to treat your data - your name, your email address, your billing address and other personal information - with respect. This is your data, and in this respect we are, in GDPR vernacular, a data controller. We have updated our privacy policy to reflect our obligations as a controller to you as a customer.

Note
Do you care about data privacy for yourself? Yes? Please read our updated privacy policy and our DPA. [Short version - your data is yours, we keep it safe but we do need to keep financial records.]

Where it likely becomes more relevant to you is where we are the steward of your customers' data through the content you upload to Cloudinary. In this regard, Cloudinary is a data processor.

Note
Does your business need to be GDPR compliant as a processor or a controller? Yes? We have a DPA that is available for you. We also have additional features coming that you might want to explore.

What data does Cloudinary consider personal data?

This is a difficult question. Personal data has many definitions. It really comes down to you, or your customers. If this data is personal to you, then it is personal data.

It becomes tricky as a processor, where we might not have all the context to know that this data is personal. As parents, we’ve all cleaned up our children’s room and “accidentally” discarded that piece of paper -- only to find out that it was a very important note for our child. Oops!

Context is important. For this reason, we assume that any data that you upload to the Cloudinary platform is personal data. Specifically, all images and videos that you, or your users, upload to us (Cloudinary) are treated as personal data.

If I have a customer that wants to be forgotten, how can Cloudinary help me remove this media?

We have fantastic APIs that will enable you to purge content from our CDNs and delete resources from your account. If you are unsure, we also have search APIs. You can programmatically search and delete, or if in doubt, you can use the new media library.

Where are your servers? More importantly, where is my data stored?

This is one of the areas that can be confusing with GDPR. The goal of GDPR is to ensure that your data is treated as private. Not only should it be protected, but it also must live geographically in a location where it can't be stolen.

Depending on how you interpret GDPR for your business, you likely have one of two requirements for a data processor like Cloudinary:

  • Participation and commitment to the EU-US Privacy Shield -- This provides a legal framework for any personal data that might be stored in the US. It also ensures a level of compliance with GDPR's requirements.
  • OR a guarantee that all personal data is stored in the EU -- This would sidestep any debate about jurisdiction and compliance with GDPR.

Cloudinary is built on tier-1 public cloud providers - primarily located in the United States. Since 2015, we have been operating under a 3rd-party audited and certified information security framework based on ISO/IEC 27001. Since 2017 we have been an active participant in the EU-US Privacy Shield. We have structured our DPA and our policies with these certifications in mind.

Note
Review Cloudinary’s DPA

We recognize and respect that each business might set different expectations to ensure protection for its users’ personal data. For this reason, we are working hard to provide you with new ways to manage where your data is stored.

Storage & backup targets

Cloudinary has long supported the ability to back up your data to your own S3 bucket in any region. We recently enhanced this service so you can also back up your data to Google Cloud Platform. This puts your backup and long-term storage in your control in your desired geography.

Note
Configure storage backup for your images and video in an S3 or Google Cloud location of your choosing

Geographic isolation

In the very near future, we will be launching a data center in Europe. This will allow you to have absolute confidence that your images and video are not only stored in Europe, but also transformed and manipulated in Europe. This will allow you to have end-to-end media management in the geography of your choosing. More details to come. Stay tuned!

Are Cloudinary’s CDN partners GDPR compliant?

As with all of our vendors, we have worked hard to ensure that each technology partner is likewise also GDPR ready. This includes our CDN (Content Delivery Network) partners.

That's the good news.

But this does raise some interesting questions. As a processor, we are responsible for 'disclosure by transmission' of personal data. On the internet, where does this line stop? Can you use a CDN, which has HTTP caches across the globe? Are you required to establish DPAs with every ISP and geography that could cache your HTTP traffic? What about TCP/IP level and packet retransmissions - is that a form of caching and storage? Are we responsible for each TCP Packet as it journeys through the internet?

This is very confusing. Many hours and beers have been counted debating these topics.

The question ultimately comes down to you and your interpretation of GDPR. For this reason we again offer you many ways to utilize our great service - all of which we believe conform to GDPR's requirements:

  • You can use our CDNs as you do today (recommended default). We have verified that the CDNs we depend on provide the necessary GDPR assurances.
  • We also offer bring-your-own-CDN or “origin” plans, for those who want more control on how to utilize our services. Contact our support or your account team to discuss options.

As always, we are focusing on providing you many ways to ensure that you are compliant with GDPR.

What about the other parts of GDPR? What about notification and alerts?

Being GDPR (and ISO 27001) compliant means that we have established policies and processes to ensure that we are transparent about any potential data breach. This includes providing notifications and responding immediately to any security threat.

This is why we have also set the bar higher for ourselves. In the last year we have made a number of additional commitments to increase our transparency. This includes:

We want to hold ourselves to a higher standard in ensuring we are transparent about how we conduct our business and how we help you be successful.

Summary

Here we are. GDPR has finally arrived! Cloudinary has invested a lot of time and energy to ensure that we are protecting your personal data and your users’ personal data. This is day 1 of the journey. We will certainly have many more debates in the future. In the end, users’ personal data will be better protected. The internet will be a better place.
