Update April 16th, 2016: We have moved this document to https://transloadit.com/legal/privacy/ where we will refine it with new developments.

Starting May 25th 2018, the European General Data Protection Regulation (GDPR) will be enforceable. This post serves to demonstrate what Transloadit, and our customers can do to be compliant.

A blue background with random characters, a padlock and the EU stars around the padlock. The acronym 'GDPR' is to the right.

Transloadit collects and shares information on its customers. A quick overview:

  • Credit card information is stored at WorldPay (PCI compliant). It is not stored at Transloadit.
  • Address information is stored in a database that runs on AWS.
  • IP address, browser agent, and support threads and meta information are shared with Intercom.
  • IP address, browser agent are shared with Google Analytics.
  • Assembly IDs are shared with Pusher.com (only inside account section)

However, since Transloadit is a B2B service, this is data on businesses, not private persons or end-users, which the GDPR aims to protect. This group embodies our customers' customers. They interface with Transloadit on brief touch points, for instance when we handle their uploads, or when they request the status of encoding progress of their files.

In this case, Transloadit has the following metadata on your end-users:

  • IP address
  • browser agent (if the browser discloses, but almost all do)
  • referer (if the browser discloses, depends on settings and e.g. HTTPS)

This information is stored in our log service that runs on Papertrail. All data there is archived after 7 days. The data is used for debugging purposes. In addition, this information is stored in a database that runs on AWS for rate-limiting purposes. These records are archived after 30 days.

Regarding data of your end-users (videos, photos), that information is just passing through, and deleted after 24h. Transloadit does not host files and so migration tools are not applicable.

We do not identify end-users or correlate any (meta) data, nor would we like to. If we wanted to offer tools for deletion, that means we'd first have to correlate and profile this data. This poses a peculiar situation that goes against what the GDPR aims to achieve.

So in order to comply with GDPR we will discard the three meta identifiers (IP, referer, browser agent) that could potentially be used to identify end-users.

If it is important to you that the data of your end-users (even if just temporarily) resides in a particular continent, Transloadit currently operates two regions: us-east-1 (Virginia, USA) and eu-west-1 (Ireland). By default Transloadit will serve your users with the region closest to them, but you can instead opt to only ever address e.g. the EU, using an endpoint like https://api2-eu-west-1.transloadit.com/. Currently, the three metadata fields would still reside in the US, but as said, we will be discarding those.

This is our status quo and plan as of March 13th 2018. We're welcoming your insights on this matter before we execute, and we'll be refining this document as we go.