ImageKit and the General Data Protection Regulation (GDPR)

Last updated - 24 May 2018

About GDPR

GDPR is the biggest compliance-related regulation to come along in years, replacing the Data Protection Directive 95/46/EC (“Directive”) and substantially increasing data subject rights and privileges. The GDPR was finalized on April 14, 2016, and goes into enforcement on May 25, 2018. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.

In GDPR parlance, the relevant entities are broken down into:

  • Data Subjects are simply end-users or consumers with data about them stored in a Data Controller or Data Processor.
  • Data Controllers are those entities that are providing services directly to Data Subjects–any company from a bank to a social network. ImageKit customers are data controllers (who use our service to upload, manipulate and deliver media files or to allows their end users to do the same). When ImageKit collects personal data and determines the purposes and means of processing that personal data – for example, when ImageKit stores account information for account registration, administration, services access, or contact information for the ImageKit account to provide assistance through customer support activities – it acts as a data controller.
  • Data Processors are third-party organizations that are providing services to Data Controllers and using Data Subject data to do so. ImageKit is a data processor. 

Territorial Scope (Who Does The GDPR Apply To)

The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

Data Subject Rights

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. It is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state. Under the GDPR, data subjects have right to access, right to be forgotten, the right to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine-readable format' and have the right to transmit that data to another controller, right to rectify inaccurate or incomplete data. In addition, the Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Although Data Processors have in the past been required usually by some sort of contractual obligation to provide Controllers with sufficient safeguards and assurances that Data Subject data is being properly managed, the GDPR significantly increases the risk of Data Processors. The biggest risk among those lies in the extra-jurisdictional and networked nature of the new GDPR along with Article 82, which puts joint liability on both Controllers and Processors.

Under the Data Protection Directive (the predecessor to the GDPR), it was Data Controller's responsibility to ensure that data regulations are being properly followed throughout their ecosystems. However, under the GDPR, the Data Processor is also liable for damage caused by processing of data where it has not complied with the obligations of the regulation or acted outside of the instructions of the Controller.

ImageKit Responsibility As A Data Processor

ImageKit is responsible for securing the underlying infrastructure that supports the storage, upload, manipulation, and delivery of media files, acting either as data controllers or data processors. We will ensure the security of processing, the ongoing availability of systems and services, the ability to restore data in a timely manner in case of an event, and regular testing to ensure the security of processing. Our architecture is inherently secure and provides security & privacy by design.

ImageKit also provides integration with existing server or storage and those configurations are securely stored. To realize data protection by design and by default principles, we recommend customers protect their ImageKit account credentials. 

Specific features and services which help customers to meet requirements of GDPR

Access Control: Allow only authorized administrators, users and applications access to ImageKit dashboard and uploaded media files.

API to erase files: We provide media API which allows customers (data controllers) to remove any uploaded media from their account on ImageKit.

API to get a list of all uploaded files: You as a data controller can get the list of all uploaded media files using this API, thus allowing you to provide the same information to your customer (data subjects).

API to purge data from CDN and our cache servers: You can purge files from CDN and our caching servers using this API.

Customer's responsibility as Data Controller

As an ImageKit customer, you are a Data Controller and ImageKit is acting as your Data Processor for your users. In this respect, you’ll want to take the following steps leading up to May 25th, 2018:

  • Ensure your Terms of Service and/or Privacy Policy are up to date.
  • If you have customers in the EU or need to be GDPR compliant, you may additionally request to sign our Data Protection Addendum.
  • Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
  • Watch for updates from ImageKit related to product functionality or privacy and TOS changes.

Our Sub-Processors

  • Amazon Web Services, Inc.
  • ImageKit India Pvt Ltd
  • Google LLC
  • Klenty India Pvt Ltd
  • Razorpay Software Private Limited
  • Freshworks Inc
  • DigitalOcean, LLC

Contact us

We will assist the customers through appropriate measures to fulfill their obligations to respond to requests for data subjects seeking to exercise their rights under the GDPR. You can contact us to discuss your specific case. Email us at