Privacy by Design #
We at Scaleflex SAS (“Scaleflex”, “Cloudimage”), the European company behind the Cloudimage Service, care about customer service and trust. As a European company, we have a legal obligation to comply with EU data privacy regulations. As a Software-A-A-Service company and Cloud service, we have an ethical obligation to protect our customers data. To make sure our customers can use our Service safely and remain fully compliant with the General Data Protection Regulation (“GDPR”), we have created a Data Processing Addendum (“DPA”) which outlines in details the data we collect and process, how we secure it and the tools we offer for you to control it. The DPA is an addendum to and forms part of the Cloudimage Terms and Conditions. It is pre-signed by us and available to you for counter-signature here. Once counter-signed, email it to firstname.lastname@example.org for it to become effective.
The GDPR is a new European privacy regulation which replaces the current EU Data Protection Directive (“Directive 95/46/EC”) on May 25th 2018. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.
If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR.
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
Data minimisation #
According to article 5, clause 1(c) of the GDPR text, Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
We only collect and store data required for our service to run. We call these data the Service Data. Service Data is any information, including personal data, which is stored in or transmitted via the Cloudimage services, by, or on behalf of, our customers and their end-users.
Data Hosting Locality #
Customers who purchase a paid subscription can choose where the image processing and caching will take place. We operate data centers in 3 locations: Canada, France and Singapore. Image processing can be limited to one or more of these data centers upon request. Similarly, customers can request only CDN nodes in specific regions to be used for delivering the images to their end users.
Service Data definition #
In order for the Cloudimage Service to function following data are collected:
- Images and image URLs you provide to Cloudimage for processing and delivery
- Analytics about the delivery of the images processed by Cloudimage. These analytics do not contain and process any personal identifiable data
- Access logs on the Content Delivery Networks (CDNs) used by Cloudimage to deliver images to your end users. These logs contain the IP addresses of the end users requesting an image delivered by Cloudimage, which is considered as personal identifiable data according to GDPR and is subject to additional measures to comply with it, outlined in our DPA. The IP address is the only personal information we and our sub-processors process and store temporary in our logging database. We store a pseudonymised version of the IP address for up to in our logging database.
Service Data ownership #
From a privacy perspective, the customer is the controller of Service Data, and Cloudimage is a processor. This means that throughout the time that a customer subscribes to services with Cloudimage, the customer retains ownership of and control over Service Data in its account
Removal and pseudonymization of Service Data #
As data processor under GDPR, we are required to offer our customers the option to correct, amend or delete personal data. Our Invalidation API allows you to remove all data related to an image from the Cloudimage cache, processing servers and CDN. Personal data (visitor's IP address) is pseudonymised as per the contractual commitments outlined in our DPA.
In addition, we remove the personal data we store according to the following rules:
|Type of Data||Removed after|
|Visitor's pseudonymised IP address||30 days|
|Cached images||30 days|
Who are Cloudimage’s sub-processors? #
Cloudimage maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data, which can be found here. Should you have any more questions about one or more sub-processors, you can email email@example.com. By registering to Cloudimage, you will be added to an emailing list to receive updates on our sub-processor list.