Cloudinary Privacy Guide

Cloudinary Ltd. is a cloud-based media management platform that provides image and video optimization for websites and mobile applications, with operations spanning the globe. It operates under a clear controller-processor distinction: Cloudinary acts as data processor for Customer Data (media assets uploaded to the platform, transformation configurations, delivery metadata), while customers remain controllers who determine the purposes and means of processing. The Data Processing Addendum, automatically incorporated for subscription customers, establishes processor obligations including the European Commission Standard Contractual Clauses (the old Directive 95/46/EC clauses and the new Decision 2021/914 SCCs) for GDPR-compliant international transfers. Cloudinary is certified under the EU-US Data Privacy Framework, including the UK Extension and the Swiss-US DPF, providing adequacy for transatlantic personal data transfers.

The platform is hosted on multi-tenant, logically separated AWS cloud infrastructure with 75,000+ active customers, and is built as an AWS Advanced Technology Partner passing annual Well-Architected Framework audits. Infrastructure spans AWS regions worldwide. Enterprise customers can choose an EEA data storage location; Standard customers use US-based AWS infrastructure unless an Enterprise plan enables regional selection.

An IP address masking feature is available upon request to support privacy compliance. It masks and encrypts source IP addresses for CDN delivery requests: the last IPv4 octet and the last 3 IPv6 octets are nullified, and the original IP is kept encrypted, expiring after one calendar day. All data is encrypted in transit and at rest, including AWS backups. Remote access requires VPN tunnels or secure encrypted connections with multi-factor authentication. Passwords are stored as a secure hash, never in plaintext, and Enterprise plans support SSO so that customers can enforce their own password policies.

Compliance certifications include ISO/IEC 27001 (since 2015; a third-party audited information security framework), SOC 2 (Security, Availability, Privacy, Confidentiality, and HIPAA Security Rule coverage via Deloitte examination reports), ISO 14001 (environmental management), a completed Cloud Security Alliance CAIQ questionnaire, and the AWS APN Advanced Technology Partner designation. The business model is based on paid usage, not on selling personal data. The platform handles over 20 billion requests daily, generating event logs that are processed into petabytes of data monthly and stored on Amazon S3. Resilience measures include geographic isolation with regional redundant data centers, a 99.9% uptime commitment measured by third-party real-time monitoring, 24x7x365 incident coverage, and tested backup and disaster recovery processes audited annually. Security features include access controls, single sign-on, multi-factor authentication, strict access pattern enforcement, a Bug Bounty Program with globally crowdsourced vulnerability detection, and annual third-party penetration testing. The subprocessor list is publicly maintained at cloudinary.com/trust/subprocessors and updated regularly (last update February 3, 2025); customers may object to new subprocessors per the DPA process. Technical and organizational measures include quarterly user privilege reviews, password policies with minimum length, complexity and periodic resets, VPN-only remote access, encrypted communication sessions, and tested backups made in close time proximity to data ingestion.

Updated May 2, 2026

Service Overview

Cloudinary Ltd. is a media management platform founded to provide developers and businesses with comprehensive solutions for managing, optimizing, and delivering images, videos, and media assets across web and mobile applications. According to company positioning, Cloudinary streamlines media workflows through automated optimization, responsive delivery, and AI-powered transformations, eliminating the complexity of manual media management. The platform serves developers, content creators, marketing teams, and enterprises that require scalable media infrastructure.

According to service architecture, Cloudinary provides integrated capabilities including media upload and storage (accepting images, videos, audio, documents, raw files via API, SDKs, dashboard, or third-party integrations), automatic format optimization (converting to WebP, AVIF, or optimal format based on browser support), responsive delivery (generating multiple sizes and resolutions automatically adapting to device capabilities), AI-powered transformations (automatic cropping, object removal, background replacement, content-aware editing), programmable media (applying transformations via URL parameters or API enabling dynamic manipulation), global CDN delivery (distributing media through content delivery network for fast worldwide access), video transcoding and streaming (converting videos to streaming formats, adaptive bitrate, thumbnail generation), DAM capabilities (digital asset management with tagging, search, organization, version control), and developer integrations (SDKs for multiple languages, CMS plugins, e-commerce integrations, mobile frameworks).

The fundamental data relationship distinguishes between the Customer (the account holder uploading and managing media) and End Users (individuals accessing customer websites or applications where Cloudinary-delivered media is displayed). According to the Data Processing Addendum and Privacy Policy, when Cloudinary processes personal data contained in Customer Data (uploaded media, configurations, logs) on behalf of the Customer, Cloudinary acts as processor while the Customer acts as controller, determining what data to upload, what transformations to apply, what retention periods to establish, and how to respond to data subject rights requests.

According to the infrastructure disclosure, the Cloudinary platform is hosted on multi-tenant, logically separated AWS cloud infrastructure. As a multi-tenant SaaS with 75,000+ active customers, it is designed with embedded rate limits and throttling so that no single customer can affect capacity. Customer user account credentials are restricted to ensure appropriate identity, entitlement, and access management according to established policies and procedures. According to its AWS partnership status, Cloudinary is an AWS APN Advanced Technology Partner, a designation that requires deep AWS expertise, delivering solutions seamlessly on AWS, and passing an annual AWS Well-Architected Framework audit.

According to the data location framework, Cloudinary uses AWS servers located worldwide. Enterprise customers can choose data storage in the European Economic Area, which addresses GDPR data residency requirements. Standard plan customers use the default infrastructure, which processes data through AWS US regions unless Enterprise regional selection is configured. Under this tiered approach, data residency control is available only on the Enterprise tier: lower-tier customers cannot specify a storage location.

According to the technical operation, the media processing workflow runs as follows: the customer uploads media to Cloudinary via API, SDKs, dashboard, or integrations; Cloudinary stores the original media in AWS infrastructure (US regions, or the EEA for Enterprise customers with regional selection); transformation requests specify the desired optimizations via URL parameters or API calls; Cloudinary processes the transformations (resizing, format conversion, quality optimization, AI manipulations); the optimized media is cached and delivered through the CDN; and analytics and logs capture delivery metrics, transformation usage, and bandwidth consumption.

From a security perspective, according to the DPA's technical and organizational measures, all data is encrypted in transit via secure encrypted connections (HTTPS/TLS) and encrypted at rest, including when stored in AWS backups. Remote access (including maintenance or service procedures) is allowed only via VPN tunnels or secure encrypted connections requiring multi-factor authentication. Passwords are never stored in plaintext, only as a secure hash. Enterprise plans support SSO, allowing customers to enforce their own password policies for employees.

According to compliance certifications, Cloudinary maintains ISO/IEC 27001 certification since 2015 as third-party audited and certified information security framework, SOC 2 Type II reports produced by Deloitte demonstrating achievement of key compliance controls and objectives meeting Trust Principles criteria for Security, Availability, Privacy, Confidentiality and HIPAA Security Rule, ISO 14001 certification for environmental management framework, and completion of Cloud Security Alliance CAIQ questionnaire documenting security controls in SaaS services providing security control transparency.

Privacy-enhancing features, according to recent updates, include IP address masking, an optional feature available upon request to Cloudinary support. Source IP addresses for CDN delivery requests are masked and encrypted, with the last IPv4 octet and the last 3 IPv6 octets nullified, so that end user IP addresses are not retained in Cloudinary systems. When the full IP address is necessary for security purposes, the original IP is kept encrypted and expires after one calendar day. The masking applies to all logs and databases, including CDN logs and headers.

According to data retention framework, customers control retention of uploaded media—assets remain in Cloudinary until customers delete them. Cloudinary imposes no automatic deletion or retention limits on customer media. For operational logs and analytics data, Cloudinary retains data supporting service operations, billing, security monitoring, and compliance obligations. Financial records retained as required by applicable accounting and tax regulations.

From operational resilience perspective, according to business continuity documentation, Cloudinary maintains geographic isolation with regional redundant data centers, facilitates 99.9% uptime commitment measured by third-party real-time monitoring published at status.cloudinary.com, provides 24x7x365 incident coverage with DevOps team employing industry-standard diagnostic procedures, implements tested backups regularly as part of internal compliance processes created in close time proximity to data ingestion, and maintains Incident Management, Disaster Recovery, and Business Continuity processes approved by management, audited by non-dependent third party annually, and practiced ongoing.

According to scale disclosure, Cloudinary infrastructure handles over 20 billion requests daily with every request generating event logs processed through data pipelines storing petabytes of data per month. According to AWS partnership documentation, Cloudinary processes event logs stored on Amazon S3 then analyzed through Snowflake Data Cloud for internal analytics, leveraging Apache Iceberg for vendor-neutral data analytics architecture.

Integration ecosystem according to documentation includes SDKs for JavaScript, Node.js, Python, Ruby, PHP, Java, .NET, iOS, Android, CMS plugins (WordPress, Drupal, Magento), e-commerce integrations (Shopify, Salesforce Commerce Cloud), creative tools (Adobe Creative Cloud Connector), framework integrations (React, Vue, Angular), and developer tools (Heroku plugin, various API clients).


Data Categories Collected

Cloudinary's data collection framework distinguishes between Customer Data processed as processor on behalf of customers and information about customers themselves where Cloudinary acts as controller. According to Privacy Policy and Data Processing Addendum, following data categories apply.

Customer Data (Processor Role - Media and Configuration): When customers use Cloudinary for media management, according to DPA definitions, Cloudinary processes Customer Data including uploaded media assets (images in various formats—JPEG, PNG, GIF, WebP, AVIF, SVG, videos in multiple codecs—MP4, WebM, HLS, DASH, audio files, documents—PDF, and raw files), media metadata (file names, file sizes, upload timestamps, EXIF data embedded in images, GPS coordinates if present in image metadata, camera information from EXIF, content descriptions or tags applied by customers), transformation configurations (URL parameters specifying size, format, quality adjustments, cropping coordinates, overlay specifications, effect parameters for AI transformations), delivery logs (URLs requested, timestamps of delivery, CDN edge locations serving requests, bytes delivered per request, cache hit/miss status), and asset organization data (folder structures, tags for categorization, search metadata, version history if maintained).

According to DPA framework, Cloudinary has no control over personal data or types of personal data uploaded to platform and does not further classify Customer Data beyond technical categorization. Customers determine what media contains personal data (photographs of individuals, videos with identifiable people, documents with personal information) and bear responsibility as controllers for legal basis, consent, privacy notices, and data subject rights fulfillment.

End User Access Data (Processor Role - CDN Logs): When end users access websites or applications utilizing Cloudinary for media delivery, according to service model, Cloudinary processes end user information including IP addresses of users requesting media (can be masked via IP address masking feature), user agent strings identifying browsers and devices, HTTP referrer indicating source website, timestamps of media requests, CDN edge server responding to request, bytes transferred per delivery, and cache headers and request methods.

According to the IP address masking feature (available upon request), when it is enabled, source IP addresses for CDN delivery requests are masked and encrypted: the last IPv4 octet and the last 3 IPv6 octets are nullified, actively deleting part of each address upon receipt so that end user IP addresses are not retained in Cloudinary systems. IP addresses are masked in all logs and databases, including CDN logs and headers. Where the full IP address is necessary for security purposes, the original IP is kept encrypted and expires after one calendar day.

Customer Account Information (Controller Role): For Cloudinary account management, according to Privacy Policy, Cloudinary collects as independent controller customer registration information (name, company name, email address for account administrators, password credentials stored as secure hash, phone number if provided), billing and payment information (payment details processed through payment processors—not stored directly by Cloudinary in plaintext, billing addresses, tax information, subscription tier and plan details, transaction history and invoice records), service usage metrics (storage capacity utilized, bandwidth consumed, transformation operations performed, API request volumes, feature usage patterns, media upload/download statistics), support interactions (support tickets and case contents, email correspondence with Cloudinary support, chat logs if support chat available, problem descriptions and resolution records), and authentication data (login timestamps, session identifiers, IP addresses for account access, device information and user agents, API keys generated for programmatic access, SSO configuration for Enterprise customers).

Website Analytics and Marketing Data: For visitors to cloudinary.com website and users of Cloudinary dashboard, according to Privacy Policy controller processing and Cookie Policy, Cloudinary collects website usage information including IP addresses used to connect devices to internet, login and logout times, duration of service sessions, content uploaded and downloaded, web pages viewed or specific content on web pages, activity measures, geolocation derived from IP, browser type and version, time zone settings, browser plug-in types and versions, operating system and platform, and referral sources.

According to Cookie Policy, Cloudinary uses cookies and tracking technologies for strictly essential functions (session management, authentication, service delivery requiring technical cookies), analytics purposes (traffic analysis, user behavior tracking, performance measurement), and marketing purposes (understanding visitor interests, delivering targeted advertising via partners).

Security and Abuse Monitoring Data: As part of operating secure platform, according to DPA security provisions, Cloudinary processes security-relevant information including failed authentication attempts and credential patterns, API abuse signals (excessive request rates, policy violations, suspicious upload patterns), DDoS attack indicators and mitigation data, malware scanning results if content scanning enabled, anomalous access patterns suggesting unauthorized activity, and threat intelligence indicators for platform protection.

Data Cloudinary Does NOT Collect: According to privacy commitments and processing limitations, Cloudinary does not access media content for Cloudinary's own purposes beyond providing media management services (does not analyze uploaded images for advertising targeting, does not use customer videos for algorithm training without explicit opt-in, does not share customer media with other Cloudinary customers), does not sell or rent customer data or customer content to third parties (business model based on paid usage not data monetization), does not perform facial recognition on uploaded images except when customers explicitly request AI cropping or transformation features requiring facial detection, does not extract text from documents or images for Cloudinary's marketing or analytics purposes, and does not access customer media for competitive intelligence or business development.

According to the GDPR framework, Cloudinary has no control over the types of personal data uploaded and does not classify Customer Data. An important implication: if a customer uploads a photograph of an individual without consent, a video recording without the necessary permissions, or a document containing personal information without a legal basis, Cloudinary as processor cannot identify these compliance violations. The customer as controller bears full responsibility for the lawfulness of data uploaded to Cloudinary.

Backup and Redundancy Data: According to infrastructure operations, Cloudinary maintains backups of customer media and account data tested regularly as part of internal compliance processes. Backups created in close time proximity to data ingestion. All backups encrypted consistent with production data encryption. Backup retention periods follow internal policies supporting disaster recovery and business continuity requirements.

Analytics Pipeline Data: According to the technical infrastructure disclosed in AWS partnership materials, Cloudinary processes event logs from 20 billion+ daily requests, storing petabytes of data monthly. Event logs are processed through data pipelines, with the processed data stored on Amazon S3 and then loaded into Snowflake Data Cloud for internal analytics. This analytics data serves internal teams and data science groups for detailed analytics and advanced use cases. Data retention was historically 30 days, though new use cases have driven increased retention, extending to 6 months in some cases, according to the disclosed architectural improvements.

Integration and Third-Party Platform Data: When customers utilize Cloudinary integrations with CMS platforms, e-commerce systems, or creative tools, according to integration documentation, Cloudinary may receive integration-specific data (authentication tokens for connected platforms, synchronization metadata, webhook notification configurations) necessary to facilitate seamless integration functionality. Integration data processed solely to enable requested integration capabilities.


Legal Basis for Processing

Cloudinary's legal basis for processing personal data varies significantly depending on whether Cloudinary acts as processor (for Customer Data including uploaded media) or controller (for account information and website operations), and differs by jurisdiction. According to Data Processing Addendum and Privacy Policy, following legal bases apply.

Contractual Necessity for Processor Role: When customers upload media containing personal data to Cloudinary, Cloudinary acts as processor on behalf of customer controllers. According to DPA Section on Instructions, Cloudinary processes Customer Personal Data to provide media optimization services (the 'Services') pursuant to Subscription Agreement and to comply with reasonable instructions provided by Customer where instructions are consistent with Subscription Agreement terms. Customer undertakes to provide Cloudinary with lawful instructions only.

This processing includes accepting and storing media uploads to Cloudinary infrastructure, performing transformations requested via URL parameters or API, delivering optimized media through CDN to end users, maintaining media metadata and transformation logs, generating usage analytics and billing metrics, and executing customer instructions for data handling, export, deletion.

According to processor framework, Cloudinary's legal basis for processing is contractual necessity—Cloudinary must process uploaded media and associated data to fulfill contractual obligation to provide media management services. Cloudinary does not independently determine purposes or means of processing customer media. Customer as controller decides what media to upload, what transformations to apply, what retention periods to implement, and whether media contains personal data requiring GDPR compliance.

Customer's Legal Basis Responsibility: While Cloudinary as processor relies on contractual necessity with customers, customers themselves must establish appropriate legal bases as controllers for processing personal data they upload to Cloudinary. According to data protection principles and customer obligations, customers typically rely on consent (where individuals explicitly agreed to having photographs or videos processed through cloud services), contractual necessity (where media processing required to provide services users requested—for example, user profile photos), legal obligations (where data retention mandated by applicable regulations), or legitimate interests (where media processing serves legitimate business purposes not overriding individual rights—for example, product photography for e-commerce).

According to customer responsibilities in DPA, Customer warrants and represents that it shall comply with obligations as Controller or Processor under applicable data protection laws with respect to processing of Personal Data and any processing instructions issued to Cloudinary, including ensuring processing instructions comply with all applicable laws. Customers bear responsibility for obtaining necessary consents, providing privacy notices, implementing data subject rights mechanisms, conducting Data Protection Impact Assessments where required, and maintaining processing records.

Cloudinary as Controller - Contractual Necessity: For Customer Account Information, according to Privacy Policy legal basis section, Cloudinary processes data based on contractual necessity to provide services including creating and maintaining customer accounts, processing subscription payments and billing, providing technical support and resolving service issues, delivering service notifications and account updates, and maintaining platform security and operational integrity.

Cloudinary as Controller - Legitimate Interests: For certain operational activities, according to Privacy Policy and GDPR Article 6(1)(f), Cloudinary relies on legitimate business interests including security monitoring (detecting unauthorized access attempts, preventing security threats, maintaining audit logs for investigations), fraud prevention (identifying fraudulent accounts, preventing abuse of service resources, protecting platform and customer assets), service improvement (analyzing aggregated usage patterns to optimize performance, identifying feature adoption to inform product development, conducting A/B testing for UX improvements), business operations (managing vendor and subprocessor relationships, conducting internal audits, maintaining financial records, defending legal claims), and marketing communications (informing customers about new features, sending relevant service updates, conducting customer surveys with opt-out mechanisms).

According to GDPR balancing requirements, these interests weighed against data subject rights through implementing data minimization in operational logs, access controls limiting personnel access based on need-to-know principle, encryption protecting sensitive information throughout processing lifecycle, transparency through documented and accessible privacy policies, data subject rights fulfillment mechanisms via [email protected], and regular reviews of processing activities for continued necessity.

Compliance with Legal Obligations: In certain circumstances, according to Privacy Policy and DPA compliance provisions, processing necessary to comply with legal requirements including responding to valid legal process (subpoenas, court orders, warrants issued by courts with proper jurisdiction), complying with data breach notification laws and regulatory requirements, meeting tax and financial reporting obligations in jurisdictions where Cloudinary operates, cooperating with law enforcement investigations when legally mandated with appropriate legal basis, and maintaining records as required by commercial law and regulatory frameworks.

Consent: According to Privacy Policy and Cookie Policy, consent serves as legal basis for certain processing activities including marketing communications beyond transactional service emails (where opt-in required by law such as GDPR for electronic marketing), non-essential cookies and tracking technologies (where ePrivacy Directive or similar laws require consent for analytics and marketing cookies), optional features requiring additional data collection (such as beta features, user research participation), and processing beyond service necessity where consent represents appropriate legal basis.

According to consent management framework, where Cloudinary relies on consent, individuals can withdraw consent at any time without affecting lawfulness of processing before withdrawal. Withdrawal mechanisms include unsubscribe links in marketing emails via unsubscribe page, cookie preference management tools on cloudinary.com website, and account settings for optional features.

GDPR Article 6 Legal Bases: For data subjects in European Union, EEA, United Kingdom, and Switzerland, processing governed by GDPR and equivalent laws. According to Privacy Policy GDPR section, Cloudinary's legal bases under Article 6 include processing necessary for performance of contract with customer (Article 6(1)(b)) for service delivery and account management, processing necessary for compliance with legal obligation to which Cloudinary subject (Article 6(1)(c)) for regulatory compliance and legal process response, processing necessary for legitimate interests pursued by Cloudinary or third party except where overridden by data subject interests or fundamental rights (Article 6(1)(f)) for security, fraud prevention, business operations, and processing based on data subject consent for specific purposes (Article 6(1)(a)) for marketing and optional features.

California and US State Privacy Laws: For California residents and residents of other US states with comprehensive privacy laws (CCPA/CPRA, Virginia CDPA, Colorado CPA), according to Privacy Policy US compliance section, Cloudinary invested significant efforts to provide trusted environment for clients to meet obligations under US consumer privacy laws particularly CCPA and CPRA. Cloudinary provides mechanisms for exercising consumer rights (access, deletion, correction), does not sell personal information in traditional sense (no monetization of customer or media data), and honors opt-out preferences where applicable.

Cross-Border Transfer Legal Basis: For international transfers from EU/EEA/UK/Switzerland to United States and other countries, according to Privacy Policy and Trust page disclosures, Cloudinary participates in EU-US Data Privacy Framework as set forth by US Department of Commerce and European Commission. DPF participation includes UK Extension to EU-US DPF and Swiss-US DPF providing adequacy for transfers from UK and Switzerland respectively.

According to the DPF certification, Cloudinary commits to the DPF Principles regarding the processing of personal data received from the EU, UK and Switzerland in reliance on the framework. As an additional safeguard, according to the Data Processing Addendum, Standard Contractual Clauses are incorporated (both the old clauses under Directive 95/46/EC and the new EU SCCs under Decision 2021/914), providing a fallback mechanism if the DPF is challenged or circumstances change and reliance on SCCs is required.

Special Categories and Sensitive Data: According to GDPR Article 9 and service characteristics, Cloudinary is general-purpose media management platform capable of processing any media customers choose to upload including special categories of personal data. Photographs may reveal racial or ethnic origin, religious beliefs (through religious attire or symbols), health data (medical images, disability-related content), or biometric data for unique identification (facial images processed through AI features).

According to customer responsibility framework, customers uploading media containing special categories must ensure appropriate Article 9 legal bases (explicit consent for most special category processing, exceptions for publicly manifested data, substantial public interest bases). Cloudinary as processor cannot identify whether uploaded media contains special categories—customer as controller bears responsibility for GDPR Article 9 compliance, enhanced security implementation, Data Protection Impact Assessment for high-risk processing, and documentation demonstrating legal bases.

HIPAA Alignment: According to the compliance certifications, Cloudinary's SOC 2 reports include HIPAA Security Rule coverage, providing a framework for healthcare organizations. However, customers storing Protected Health Information must execute a Business Associate Agreement with Cloudinary, implement HIPAA-compliant configurations (encryption, access controls, audit logging), conduct HIPAA risk assessments, and maintain the required documentation. Cloudinary provides infrastructure and security controls, but customers bear responsibility for implementing HIPAA compliance.


Standard Sub-processors

Cloudinary's subprocessor framework reflects multi-layered architecture combining AWS infrastructure, CDN services, analytics platforms, and business operation support services. According to Data Processing Addendum and publicly maintained subprocessor list, Cloudinary provides transparency about third parties engaged to deliver services.

Publicly Maintained Subprocessor List: According to the Trust page and DPA provisions, Cloudinary maintains a list of service-specific subprocessors at cloudinary.com/trust/subprocessors that is updated regularly (last update disclosed as February 3, 2025), and customers are advised to check back for updates. According to the DPA's customer rights, any objection to the inclusion of a new subprocessor can be made per the process outlined in the Data Processing Agreement.

According to subprocessor evaluation framework, Cloudinary evaluates and performs due diligence on information security practices and data protection compliance of third-party subprocessors before engagement. All third-party subprocessors required to adhere to all security controls and protection of personal data including safeguards to govern international transfers of data.

Amazon Web Services (Infrastructure Hosting): According to multiple disclosures in Privacy Policy, DPA, and Trust page, Cloudinary platform hosted on multi-tenant logically-separated AWS cloud infrastructure. AWS provides fundamental infrastructure services (compute instances for transformation processing, storage services for media asset persistence, networking infrastructure for API and CDN connectivity, database services for metadata and account information, load balancing and autoscaling, backup and disaster recovery infrastructure, security infrastructure including firewalls and DDoS protection).

According to its AWS partnership status, Cloudinary is an AWS APN Advanced Technology Partner, a designation requiring deep AWS expertise and passing annual Well-Architected Framework audits. The infrastructure handles 20 billion+ requests daily, processing petabytes of data monthly. According to the data location disclosure, AWS servers are located worldwide, with Enterprise customers able to choose EEA data storage. Standard customers use default US-based AWS regions unless Enterprise regional selection is configured.

AWS processes all categories of Customer Data since AWS provides underlying storage and compute infrastructure. Processing locations span AWS global infrastructure with specific regions determined by customer subscription tier (US regions for standard customers, EEA regions available for Enterprise customers selecting regional storage).

Content Delivery Network (CDN) Services: According to the service architecture, Cloudinary uses CDN infrastructure to distribute optimized media globally to end users with low latency. While the specific CDN provider is not named in available documentation, the CDN subprocessor processes end user IP addresses (unless masked via the IP masking feature), HTTP request headers and user agents, referrer information, timestamps and geographic locations, cache hit/miss patterns, and bytes delivered per request.

The CDN operates globally with edge locations in multiple countries, enabling fast media delivery worldwide. When enabled, the IP address masking feature ensures end user IP addresses are nullified in CDN logs (last IPv4 octet and last 3 IPv6 octets removed), with the original IP kept encrypted and expiring after one calendar day if retained for security purposes.

Payment Processing Services: For processing subscription payments and billing, according to typical SaaS operations and Privacy Policy billing provisions, Cloudinary engages payment processors to handle credit card transactions, payment method validation, fraud detection and prevention, subscription billing cycles, invoice generation, and failed payment retry logic.

According to data protection practices, Cloudinary does not store payment card details in plaintext—payment information processed through payment processor with Cloudinary receiving only transaction notifications and metadata necessary for account management and billing purposes. Payment processors maintain PCI DSS compliance for card data security.

Analytics and Business Intelligence Platforms: According to AWS partnership case study disclosure, Cloudinary utilizes Snowflake Data Cloud for analytics processing. Event logs from platform operations (20 billion+ requests daily) processed through data pipelines with processed data stored on Amazon S3 then loaded into Snowflake for internal analytics serving internal teams and data science groups.

Additionally according to technical architecture disclosures, Cloudinary leverages AWS analytics services (Amazon Athena for SQL queries, Amazon EMR for Spark processing, AWS Glue for data cataloging) and Apache Iceberg on Amazon S3 for vendor-neutral data lake architecture. These analytics subprocessors process aggregated event logs, usage patterns, performance metrics—not individual customer media content.

Email Delivery Services: For transactional emails and marketing communications, according to typical SaaS operations, Cloudinary engages email service providers to deliver account notifications, billing receipts, password resets, security alerts, product announcements and newsletters (for customers opted in), and support communication emails.

Email service providers process customer email addresses, message content, delivery timestamps, open and click tracking data (for marketing emails), and bounce/complaint handling.

Customer Support and Communication Platforms: For providing customer support, according to support operations, Cloudinary likely utilizes helpdesk or ticketing platforms processing support ticket content and customer issue descriptions, email correspondence with support team, chat logs if live support offered, customer account information necessary for support context, and resolution notes and escalation records.

The specific support platform is not disclosed in available documentation, but typical choices include Zendesk, Intercom, Salesforce Service Cloud, or similar enterprise support solutions.

Security and Monitoring Services: According to security infrastructure descriptions, Cloudinary implements Bug Bounty Program with globally crowdsourced 24/7/365 vulnerability detection rewarding security researchers for responsible disclosure. Bug bounty platform processes vulnerability reports, researcher communications, reward disbursements, and coordinated disclosure timelines.

Additionally for platform monitoring, infrastructure monitoring services process system logs, performance metrics, error tracking, availability monitoring, and security incident detection. According to DPA provisions, Cloudinary implements 24x7x365 incident coverage with DevOps team employing industry-standard diagnostic procedures.

AI and Machine Learning Services: For AI-powered transformation features (automatic cropping, object removal, background replacement, content-aware editing), according to service capabilities, Cloudinary likely utilizes machine learning services processing uploaded images for object detection, facial recognition for cropping, scene understanding for optimization, and content classification for smart cropping.

Whether these AI capabilities run on Cloudinary's own ML infrastructure built on AWS or involve third-party AI services is not disclosed in available documentation. Customers should inquire about AI subprocessors if using AI transformation features for sensitive media.

Integration Platform Partners: According to extensive integration ecosystem, Cloudinary integrates with numerous platforms (Adobe Creative Cloud, WordPress, Magento, Salesforce Commerce Cloud, Shopify, Heroku) potentially involving data flows to enable integration functionality. Integration-specific subprocessors process authentication tokens, synchronization metadata, webhook configurations necessary for seamless integration operations.

No Comprehensive Public Subprocessor Details: Unlike some enterprise SaaS providers publishing detailed subprocessor listings with processing purposes, locations, and data categories for each subprocessor, Cloudinary's public subprocessor list provides high-level disclosure without granular detail. Enterprise customers requiring detailed subprocessor information should request supplementary documentation from Cloudinary account teams including complete subprocessor list with processing descriptions, data flow diagrams showing subprocessor involvement, geographic processing locations for each subprocessor, and security certifications maintained by each subprocessor.


International Data Transfer

Cloudinary's approach to international data transfer combines US-based default infrastructure with Enterprise-tier regional selection options, EU-US Data Privacy Framework certification, and Standard Contractual Clauses providing multi-layered compliance framework. According to Privacy Policy, Trust page, and Data Processing Addendum, comprehensive transfer mechanisms address EU/EEA/UK/Swiss transfers.

US-Based Default Infrastructure with Enterprise EEA Option: According to infrastructure disclosures across multiple sources, Cloudinary uses AWS servers located worldwide with processing occurring primarily in United States for standard customers. Enterprise customers receive ability to choose data storage in European Economic Area providing data residency option for GDPR-strict compliance scenarios.

This tiered approach means standard and lower-tier customers cannot specify data location—media uploads stored in US-based AWS regions regardless of customer or end user location. European customers on standard plans sending media from and serving media to European end users necessarily transfer personal data to United States by using Cloudinary. Only Enterprise plan customers can select EEA storage keeping data within EU member states.

According to GDPR implications, standard customers serving European end users must rely on EU-US Data Privacy Framework and Standard Contractual Clauses to legitimize transfers since data stored in US infrastructure. Enterprise customers selecting EEA storage can avoid international transfers for primary storage though certain processing operations (billing, support, analytics) may still involve US-based Cloudinary infrastructure.

EU-US Data Privacy Framework Certification: According to Privacy Policy and Trust page disclosures, Cloudinary participates in EU-US Data Privacy Framework as set forth by US Department of Commerce and European Commission. DPF certification includes UK Extension to EU-US DPF and Swiss-US DPF covering transfers from United Kingdom post-Brexit and Switzerland.

According to DPF commitments, Cloudinary certified under framework providing adequacy decision under GDPR Article 45 for transfers of personal data from EU/UK/Switzerland to Cloudinary in United States. This eliminates need for additional transfer mechanisms like Standard Contractual Clauses for DPF-covered transfers when relying on adequacy provided by framework.

DPF Principles to which Cloudinary commits include Notice (informing individuals about processing), Choice (providing opt-out for certain data uses), Accountability for Onward Transfer (ensuring subprocessors provide equivalent protection), Security (implementing safeguards protecting personal data), Data Integrity and Purpose Limitation (ensuring data accuracy and limiting use to specified purposes), Access (enabling individuals to access personal information), and Recourse, Enforcement, and Liability (providing mechanisms for enforcing compliance and addressing violations).

Standard Contractual Clauses as Additional Safeguard: According to Data Processing Addendum, Cloudinary incorporates Standard Contractual Clauses as additional safeguard and fallback mechanism. DPA includes both old Model Clauses under Directive 95/46/EC (for customers who executed DPAs before newer SCCs adopted) and new EU Standard Contractual Clauses under Commission Decision 2021/914 for customers executing or updating DPAs post-June 2021.

According to SCC Module selection, Cloudinary implements Module Two (Controller to Processor) where Customer is controller and Cloudinary is processor for Customer Data, and Module Three (Processor to Processor) where Customer acts as processor for another controller and engages Cloudinary as subprocessor. SCCs provide contractual framework addressing data exporter and importer obligations, technical and organizational security measures, subprocessor engagement and notification, data subject rights assistance requirements, audit and inspection provisions, liability and indemnification frameworks, and dispute resolution mechanisms.

SCCs serve as backup transfer mechanism if EU-US Data Privacy Framework adequacy challenged, invalidated, or circumstances change requiring SCC reliance instead of DPF. According to transfer mechanism layering, DPF provides primary adequacy with SCCs as contractual safeguard ensuring lawful transfers even if adequacy framework faces legal challenges.

Geographic Processing Locations: According to service architecture, while customer media may be stored in US or EEA based on tier selection, other processing operations occur across Cloudinary's infrastructure including account management and authentication (likely processed in primary US-based systems), billing and payment processing (through payment processors in multiple jurisdictions), support operations (may involve support personnel in various countries), and analytics processing (Snowflake Data Cloud, AWS analytics services—locations dependent on configuration).

This means even Enterprise customers selecting EEA storage for primary media assets may experience some processing in United States for business support functions. Customers requiring absolute prohibition on US processing should verify complete data flow documentation with Cloudinary.

CDN and Global Delivery: Media delivery through content delivery network inherently involves global distribution. According to service model, when end user in Asia requests media from European customer's website, CDN serves media from edge location close to Asian end user optimizing delivery speed. This means cached media (optimized versions, not necessarily customer originals) distributed to CDN edge locations worldwide regardless of primary storage location.

For customers with strict data localization requirements prohibiting caching outside specific jurisdiction, this CDN architecture may be incompatible. Customers should inquire about CDN configuration options if media caching in specific countries prohibited by regulations or contracts.

Supplementary Transfer Measures: Following Schrems II decision requiring supplementary measures beyond SCCs, according to DPA security provisions and Trust page disclosures, Cloudinary implements measures including encryption in transit for all data transmission via HTTPS/TLS, encryption at rest for stored media and backups, access controls limiting personnel access to customer data based on need-to-know with quarterly privilege reviews, VPN-only remote access requiring multi-factor authentication, EU-US Data Privacy Framework certification with enhanced safeguards post-Executive Order 14086, Enterprise-tier EEA storage option eliminating US storage for customers requiring EU-only processing, ISO 27001 and SOC 2 certifications providing independent verification of security controls, and incident response procedures with 24x7x365 coverage.

However, Cloudinary has not published Transfer Impact Assessment evaluating US surveillance law risks (FISA 702, Executive Order 12333) and whether SCCs provide essentially equivalent protection to GDPR given US legal framework. According to EDPB recommendations, controllers should conduct and document TIAs for transfers to United States assessing supplementary measures adequacy.

Subprocessor International Transfers: According to the subprocessor framework, AWS infrastructure spans global regions, the CDN operates with edge locations worldwide, Snowflake Data Cloud may process in the US or other regions based on deployment, and other subprocessors process in various countries. The subprocessor list lacks detailed geographic processing locations, making it difficult for customers to map complete data flows across jurisdictions.

According to DPA provisions, all subprocessors are required to provide safeguards governing international transfers, with Cloudinary imposing contractual obligations ensuring adequate protection. However, the specific transfer mechanisms for each subprocessor are not disclosed in public documentation.

Customer Responsibilities for Transfers: According to data protection principles and customer controller obligations, customers using Cloudinary bear responsibility for international transfer compliance including understanding that standard plans store data in US regardless of customer/user location requiring transfer legitimization, conducting Transfer Impact Assessments for high-risk processing evaluating whether DPF and SCCs provide adequate protection, selecting Enterprise plan with EEA storage if GDPR Article 45-46 compliance requires EU-only processing, disclosing in privacy policies where data stored geographically and that Cloudinary subprocesses in United States, implementing application-layer encryption if additional protection beyond Cloudinary encryption needed for highly sensitive media, and monitoring regulatory developments affecting international transfers in relevant jurisdictions.


Developer Responsibility

When developers integrate Cloudinary for media management, they assume extensive privacy compliance responsibilities as data controllers for the media they upload and deliver. According to the Terms of Use, Data Processing Addendum, and Privacy Policy, the following developer responsibilities apply.

Understanding Controller-Processor Relationship: Developers must recognize that while Cloudinary provides infrastructure, developers remain data controllers for uploaded media content. According to DPA framework, this means developers determine what media to upload to Cloudinary, whether uploaded media contains personal data (photographs of individuals, videos with identifiable people, documents with names/addresses), what transformations to apply to media, what retention periods to implement, and how to respond to data subject rights requests from individuals appearing in media.

According to fundamental principle emphasized in support documentation, Cloudinary has no control over personal data or types of personal data uploaded to platform and does not further classify Customer Data. If developer uploads photograph without consent, video without permission, or document containing personal information without legal basis, Cloudinary as processor cannot identify these violations. Developer bears full legal responsibility for lawfulness of uploaded content.

Selecting Appropriate Service Tier for Compliance: Developers' first major decision is choosing service tier based on data residency requirements. According to pricing and compliance framework, this involves evaluating whether data subjects primarily located in EU/EEA requiring strict GDPR compliance, determining whether GDPR Article 45-46 or other regulations mandate EU-only data storage, understanding that only Enterprise tier provides EEA storage option while standard plans utilize US infrastructure, assessing whether EU-US Data Privacy Framework and Standard Contractual Clauses provide sufficient safeguards for organization's risk tolerance, and documenting tier selection rationale for Data Protection Impact Assessments and compliance records.

For organizations serving primarily European users with strict data residency interpretation of GDPR, Enterprise plan with EEA storage may be necessary despite higher cost. Standard plan customers must accept US storage and rely on DPF/SCC transfer mechanisms.

Privacy Policy Requirements: Developers must maintain comprehensive privacy policies explaining Cloudinary usage and data handling. According to privacy law requirements and transparency obligations, policies should identify Cloudinary as media management infrastructure provider, disclose Cloudinary Data Processing Addendum governs processor relationship, explain what media data collected and stored (uploaded images, videos, transformation configurations, delivery logs), disclose data storage locations (United States via AWS for standard customers, EEA for Enterprise customers selecting regional storage, CDN caching globally for delivery optimization), reference international data transfers with EU-US DPF and Standard Contractual Clauses for US storage scenarios, explain how uploaded media may contain personal data (photographs of individuals) and legal basis for processing, describe security measures (encryption in transit and rest, access controls, Cloudinary certifications), detail retention periods (media retained until customer deletes, operational logs per Cloudinary retention policies), explain how individuals exercise rights (access, deletion, rectification for media containing their personal data), and provide contact information for privacy inquiries including requesting media removal.

Implementing User Rights Fulfillment: Under GDPR, CCPA, and similar laws, individuals appearing in uploaded media have various rights developers must implement. According to compliance obligations, developers must establish processes for access requests (identifying and retrieving media containing individual's personal data from Cloudinary, providing media in accessible format), deletion requests (using Cloudinary API or dashboard to permanently delete media containing individual's personal data, understanding deletion immediate and irreversible), rectification requests (uploading corrected media replacing inaccurate versions, deleting outdated media), portability requests (exporting media in machine-readable format, considering original upload formats), objection to processing (honoring individual objection to continued use of media containing their personal data, removing from Cloudinary and ceasing display), and documenting all rights requests and fulfillment actions for audit trails.

According to Cloudinary capabilities, developers can use dashboard or API for media deletion, bulk operations for deleting multiple assets, tagging and metadata for organizing media by data subjects facilitating rights request fulfillment, and folder structures separating media by sensitivity or data category.

Obtaining Appropriate Consent and Legal Basis: Developers must ensure proper legal basis before uploading personal data to Cloudinary. According to GDPR requirements and controller obligations, this involves obtaining explicit consent for photographs/videos of individuals uploaded to Cloudinary (with consent specifically covering cloud storage and CDN delivery), relying on contractual necessity if media required for service provision (user profile photos for account functionality), invoking legitimate interests with proper balancing test if media supports legitimate business purposes not overriding individual rights, and understanding that purchased stock photos, scraped images, or media obtained without permission lack proper legal basis.

For special categories under GDPR Article 9 (racial origin visible in photographs, health data in medical images, biometric data used for identification via AI features), developers need explicit consent or specific Article 9 exception. Merely having right to display image on website does not automatically confer right to store in third-party cloud service—separate consideration may be required.

Content Moderation and Prohibited Content: Developers bear responsibility for uploaded content complying with Acceptable Use Policy. According to Terms of Use provisions, prohibited content includes copyrighted material without authorization (photographs, videos, documents infringing others' intellectual property), illegal content (child sexual abuse material, regulated items where prohibited by law), content violating privacy rights (photographs taken in private settings without consent, surreptitious recordings), and malicious content (malware embedded in images, phishing content, content designed to exploit vulnerabilities).

Developers should implement content screening before upload where applicable, respond promptly to DMCA takedown notices or equivalent for infringing content, remove media upon discovering privacy violations or lack of proper consent, and maintain abuse reporting mechanisms for users to flag problematic content.

IP Address Masking Configuration: For developers requiring enhanced privacy compliance, Cloudinary offers an IP address masking feature. According to feature documentation, to request IP address masking for a product environment, contact Cloudinary support. Developers should evaluate whether end user IP address collection is necessary for service functionality or whether masking better serves privacy, request IP masking enablement if privacy-by-design principles or regulations (GDPR, ePrivacy) suggest minimization, understand that masking nullifies the last octet or octets, making it impossible to identify individual users from logs, and document the decision to enable or not enable IP masking in privacy assessments.

IP masking is particularly relevant for applications serving European users, where IP addresses constitute personal data under GDPR and the ePrivacy Directive limits tracking without consent.
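The same truncation can be applied to an application's own access logs so that they do not retain what the masked CDN logs drop. The Python below is an added example, not Cloudinary's code: it assumes "octet" means one byte (so the last 24 bits of an IPv6 address are zeroed), and the function names and sample log lines are constructed for illustration. It covers only the truncation, not the encrypted one-day retention of the original IP.

```python
import ipaddress

IPV4_KEEP = 0xFFFFFF00   # zero the last octet of an IPv4 address
IPV6_DROP = 0xFFFFFF     # the last 3 octets (24 bits) of an IPv6 address


def mask_ip(raw: str) -> str:
    """Return `raw` with its trailing octets nullified.

    IPv4: last octet set to 0. IPv6: last 3 octets set to 0 (assumption:
    octet = 8 bits). Raises ValueError if `raw` is not an IP address.
    """
    addr = ipaddress.ip_address(raw.strip())

    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 client.
    # Mask it as IPv4 so both spellings of one client give the same result.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    if isinstance(addr, ipaddress.IPv4Address):
        return str(ipaddress.IPv4Address(int(addr) & IPV4_KEEP))
    return str(ipaddress.IPv6Address(int(addr) & ~IPV6_DROP))


def scrub_log_line(line: str) -> str:
    """Mask the client address in an access-log line whose first
    space-delimited field is the client (common/combined log format).

    Fails closed: a first field that is not a parseable IP (a hostname,
    garbage) is replaced with "-" instead of being written unmasked.
    """
    client, sep, rest = line.partition(" ")
    try:
        client = mask_ip(client)
    except ValueError:
        client = "-"
    return client + sep + rest


# Constructed sample lines, not taken from any real log.
SAMPLE_LINES = [
    '203.0.113.77 - - [10/Oct/2024:13:55:36 +0000] "GET /img/a.jpg HTTP/1.1" 200 5120',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2024:13:55:37 +0000] "GET /img/b.jpg HTTP/1.1" 200 812',
    '::ffff:192.0.2.55 - - [10/Oct/2024:13:55:38 +0000] "GET /img/c.jpg HTTP/1.1" 304 0',
    'client.example.net - - [10/Oct/2024:13:55:39 +0000] "GET /img/d.jpg HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(scrub_log_line(sample))
```

Apply the scrubber at the point where log lines are written or shipped, so that unmasked addresses never reach long-term storage.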

Transformation Configuration and AI Features: When using AI-powered transformation features, developers should understand privacy implications. According to AI capabilities, features like automatic cropping detect faces, object removal analyzes image content, background replacement involves scene understanding, and content-aware editing requires semantic image analysis.

Developers using AI features should disclose in privacy policies that AI processing applied to media, evaluate whether AI feature use changes legal basis requirements (processing for automated decision-making may trigger GDPR Article 22 considerations), understand Cloudinary AI processing may involve subprocessors (though specific AI subprocessors not disclosed in available documentation), and assess whether AI features appropriate for sensitive media requiring highest privacy protections.

Monitoring and Access Controls: Developers should implement appropriate access controls for Cloudinary accounts. According to security best practices, this involves using API keys with the minimum necessary permissions (read-only vs. write access), implementing separate accounts or sub-accounts for different team members or applications to avoid shared credentials, enabling two-factor authentication where available, utilizing SSO for Enterprise customers enforcing their own authentication policies, regularly auditing API key usage and revoking unused keys, implementing logging of media uploads/deletions for internal audit trails, and restricting transformation URL parameters if exposing them publicly creates security risks.

Backup and Disaster Recovery: While Cloudinary maintains infrastructure backups, developers should consider application-level backup strategies. According to operational best practices, this involves implementing periodic media exports from Cloudinary to separate storage as disaster recovery, maintaining metadata backups (tags, folder structures, transformations) enabling reconstruction, testing restoration procedures verifying backups are recoverable, documenting Recovery Time Objectives and Recovery Point Objectives, and understanding that Cloudinary account termination or service disruption could impact media availability.

Cost Management and Optimization: Developers should manage Cloudinary costs through appropriate usage patterns. According to pricing model, costs include storage volume for original media, transformation operations and bandwidth for delivery, and API requests for upload/management operations. Optimization strategies include implementing lazy loading reducing unnecessary image loads, using responsive images delivering appropriate sizes per device, applying automatic format optimization (WebP, AVIF) reducing bandwidth, deleting unused media avoiding ongoing storage costs, and monitoring usage dashboards identifying cost optimization opportunities.

Regulatory Change Monitoring: Developers should maintain ongoing awareness of privacy developments including monitoring GDPR enforcement actions related to cloud services and international transfers, reviewing ePrivacy Directive updates and national implementations affecting cookies and tracking, staying informed about US state privacy laws (CCPA, CPRA, Virginia, Colorado) and their application to media processing, monitoring EU-US DPF developments and potential legal challenges, and engaging legal counsel for complex compliance questions involving sensitive media or high-risk processing.


Official Links

Core Documentation:

Privacy Policy: https://cloudinary.com/privacy
Data Processing Addendum: https://cloudinary.com/gdpr/dpa
Cookies Policy: https://cloudinary.com/privacy/cookie-policy
Terms of Use: https://cloudinary.com/tos

Trust and Compliance:

Trust Center: https://cloudinary.com/trust
Subprocessors List: https://cloudinary.com/trust/subprocessors
GDPR Compliance: https://cloudinary.com/blog/yet_another_gdpr_blog_post

Support and Product:

Privacy and Data Storage FAQ: https://support.cloudinary.com/hc/en-us/articles/360017940939
Status Page: https://status.cloudinary.com/
Product Updates: https://cloudinary.com/product_updates

Concluding Note

This Privacy & Data Handling Profile provides comprehensive overview of Cloudinary's data processing practices as documented in Privacy Policy, Data Processing Addendum, Trust page disclosures, and compliance materials. Cloudinary represents media management platform with clear controller-processor distinction where Cloudinary processes uploaded media on behalf of customer controllers.

Critical considerations for Cloudinary implementation include understanding tiered data residency model where only Enterprise customers can select EEA storage while standard plans utilize US-based AWS infrastructure. This fundamental limitation means developers on standard plans cannot achieve EU-only processing—media necessarily stored in United States requiring reliance on EU-US Data Privacy Framework and Standard Contractual Clauses to legitimize international transfers. Organizations with strict GDPR interpretations requiring EU-only storage must select Enterprise tier despite higher cost.

EU-US Data Privacy Framework certification including UK and Swiss extensions provides adequacy for transatlantic transfers with Standard Contractual Clauses incorporated as fallback mechanism. This dual-layer approach (DPF primary, SCCs backup) ensures lawful transfers even if framework faces legal challenges. However, developers should conduct Transfer Impact Assessments evaluating whether DPF and SCCs provide adequate protection given US surveillance laws and lack of equivalent protections to GDPR especially for sensitive media.

Cloudinary has no control over personal data types uploaded to platform and cannot classify Customer Data for compliance purposes. This means if developer uploads photograph of individual without consent, video without permission, or document containing personal information without legal basis, Cloudinary as processor cannot identify these violations. Developer as controller bears complete responsibility for lawfulness of uploaded content including obtaining necessary consents, establishing appropriate legal bases, providing privacy notices, and implementing data subject rights mechanisms.

IP address masking feature available upon request provides privacy enhancement masking end user IP addresses in CDN delivery logs—last IPv4 octet and last 3 IPv6 octets nullified with original IP encrypted expiring after one calendar day if retained for security. This feature particularly valuable for GDPR/ePrivacy compliance where IP addresses constitute personal data. Developers should request IP masking enablement from Cloudinary support if serving European users and privacy-by-design principles suggest data minimization.

ISO/IEC 27001 certification since 2015 and SOC 2 Type II reports covering Security, Availability, Privacy, Confidentiality, and HIPAA Security Rule provide independent third-party validation of security controls. However, certifications validate Cloudinary infrastructure not customer implementations. Developers bear responsibility for appropriate configuration, access controls, content moderation, and application-level security measures protecting media and user privacy.

Platform handles 20 billion+ requests daily processing petabytes of data monthly demonstrating significant scale. Multi-tenant architecture with 75,000+ active customers built with rate limits and throttling ensuring no single customer affects capacity. Geographic isolation with regional redundant data centers and 99.9% uptime commitment measured by third-party real-time monitoring provide operational reliability. However, reliance on single provider (AWS) for infrastructure creates vendor concentration risk developers should consider in disaster recovery planning.

AI-powered transformation features (automatic cropping, object removal, background replacement) involve image analysis detecting faces, objects, and scene understanding. Developers using AI features should disclose processing in privacy policies, evaluate whether automated decision-making triggers GDPR Article 22 considerations, and assess appropriateness for sensitive media. Specific AI subprocessors not disclosed in available documentation—developers requiring AI subprocessor transparency should request details from Cloudinary.

The CDN delivery architecture distributes cached media globally, enabling fast worldwide delivery but creating data flows across jurisdictions. Even Enterprise customers selecting EEA primary storage experience global CDN caching when media is delivered to international end users. Customers with absolute data localization prohibitions should verify CDN configuration options and whether jurisdiction-specific caching restrictions are possible.

The subprocessor list is publicly maintained but, compared to typical enterprise SaaS vendor disclosures, lacks granular detail about processing purposes, data categories, and geographic locations for each subprocessor. Enterprise customers requiring detailed subprocessor documentation for procurement or compliance assessment should request supplementary materials from Cloudinary account teams, including a complete subprocessor inventory with processing descriptions, data flow diagrams, and security certifications per subprocessor.

A business model based on paid usage, not on selling personal data, distinguishes Cloudinary from advertising-supported services. According to its explicit commitment, Cloudinary does not monetize customer media or user data through third-party sales. Revenue derives from subscription tiers and usage-based pricing for transformations and bandwidth rather than data exploitation.

The information presented here derives from Cloudinary's official documentation, including the Privacy Policy, Data Processing Addendum, Trust page, Cookie Policy, and support materials, as of May 2026. Cloudinary continuously enhances the platform with new features, AI capabilities, and compliance frameworks. Developers should monitor Cloudinary announcements for service updates, review the subprocessor list regularly for changes, verify current data residency options and pricing, stay informed about EU-US DPF developments and GDPR enforcement affecting cloud services, and engage legal counsel for complex compliance questions involving sensitive media or high-risk processing scenarios.


Legal Disclaimer

This profile is a summary of publicly available documentation from Cloudinary's Privacy Policy, Data Processing Addendum, Trust page disclosures, Cookie Policy, and support materials. It is provided for informational purposes only and does not constitute legal advice. Developers should consult their own legal counsel to ensure compliance with applicable privacy laws including GDPR, CCPA, ePrivacy Directive, HIPAA, and other regulations relevant to their jurisdictions, user populations, and media types. The information presented here reflects Cloudinary's official documentation as of May 2026 and may be subject to change. Developers are responsible for verifying current service capabilities, reviewing the latest DPA terms and Standard Contractual Clauses, selecting the appropriate service tier for data residency requirements (Enterprise for EEA storage vs. standard US storage), understanding that Cloudinary as processor cannot identify whether uploaded media contains personal data requiring specific legal bases, implementing appropriate application-level security controls and access management, obtaining necessary consents from individuals appearing in uploaded media, responding to data subject rights requests for media containing personal information, conducting Data Protection Impact Assessments for high-risk processing and international transfers, requesting IP address masking enablement if privacy-by-design principles require minimization, and maintaining ongoing compliance monitoring. Cloudinary's role as processor does not eliminate the developer's controller obligations under privacy laws. This document does not substitute for reviewing official Cloudinary documentation, consulting Cloudinary compliance resources, or engaging qualified legal counsel for compliance guidance specific to application architecture and media content.

Document Prepared: May 2026

Primary Sources: Cloudinary Privacy Policy, Data Processing Addendum, Trust Page, Cookie Policy, Support Documentation

Intended Use: Educational and informational purposes for developers implementing Cloudinary media management

Not Legal Advice: Consult qualified legal counsel for compliance guidance specific to your application and media content