Cloudinary EU Alternative 2026: CLOUD Act Risk in Your Media CDN

Post #1097 — Standalone: EU Cloud Services GDPR Series

Most developers don't think of their image CDN as a privacy risk. Cloudinary handles transformations and delivery — it doesn't process personal data in the same way an auth provider or database does, right?

Wrong. Every image you upload to Cloudinary is processed and stored by Cloudinary Inc., a Delaware corporation headquartered in Santa Clara, California. That makes Cloudinary a US-controlled entity subject to the CLOUD Act (18 U.S.C. §2703), meaning US law enforcement and intelligence agencies can compel Cloudinary to hand over your users' media files — without notifying you or your users.

For European developers handling images that contain faces, documents, or any other personal data, this creates a real GDPR exposure that your DPA could scrutinize under Article 44–46 (international data transfers) and Article 9 (biometric data processing restrictions).

Cloudinary Corporate Structure: The Jurisdiction Problem

Cloudinary was founded in 2012 by Israeli entrepreneurs Itai Lahan and Nadav Soferman. The company operates its global platform through Cloudinary Inc., incorporated in Delaware and headquartered in Santa Clara, California.

This structure means:

• US federal law applies to Cloudinary Inc. as a US person under 18 U.S.C. §2702
• CLOUD Act §2703 allows US law enforcement to compel disclosure of stored media files with a warrant, court order, or — in national security cases — a National Security Letter (NSL) with a gag order
• FISA Section 702 authorizes surveillance of non-US persons' data held by US providers for foreign intelligence purposes
• NSL gag orders mean Cloudinary cannot legally notify you when your users' data is accessed by authorities

Cloudinary does offer EU data residency options and publishes a GDPR Data Processing Addendum. But data residency doesn't change jurisdiction: a Delaware corporation remains a US person regardless of where its servers sit. SCCs between Cloudinary and EU customers cannot override a US court order.

What Data Does Cloudinary Process?

Understanding the privacy exposure requires knowing exactly what Cloudinary touches:

Media files themselves:

• User-uploaded images and videos
• Transformed/optimized versions generated by Cloudinary
• Thumbnails and previews

Metadata:

• File names, dimensions, format, size
• Transformation presets and delivery configurations
• Upload timestamps and source IP addresses

Biometric-adjacent data (GDPR Art. 9 risk):

• Images containing human faces → potentially biometric data under GDPR Art. 9(1)
• Cloudinary's AI features (face detection, smart cropping, content moderation) process facial features to identify crop points
• If Cloudinary's AI analyzes faces for cropping purposes, this may constitute biometric data processing requiring explicit consent under GDPR Art. 9(2)(a)

Account and access data:

• API credentials and upload presets
• Upload logs with IP addresses and user-agent strings
• Cloudinary's own analytics on delivery and transformation performance

CLOUD Act Risk Score: 14/25

Using the same methodology applied across this blog series:

For comparison: Clerk (auth tokens) scored 17/25, Upstash (Redis data) 16/25. Cloudinary scores lower because media files are less frequently targeted by intelligence warrants — but CLOUD Act risk is not zero, and the Art. 9 biometric dimension adds GDPR-specific risk that pure data transfer analysis misses.

The GDPR Art. 9 Problem with AI-Enhanced Image Processing

This is where Cloudinary's EU exposure becomes legally nuanced.

Cloudinary's platform includes AI-powered features: automatic face detection, smart cropping based on facial position, background removal with person segmentation, and content moderation that identifies human subjects. These features are not opt-in-by-default for transformation pipelines — developers activate them via transformation parameters.

Under GDPR Art. 9(1), processing of biometric data for the purpose of uniquely identifying a natural person is prohibited without explicit consent or another Art. 9(2) legal basis.

The key question: does Cloudinary's face detection for smart cropping constitute biometric data processing?

The EDPB's Guidelines 3/2019 on processing of personal data through video devices and subsequent national DPA guidance suggest that systematic facial analysis to determine crop coordinates could qualify as biometric processing, particularly when:

1. The analysis is performed on a large number of images (typical for e-commerce or social platforms)
2. The facial data could be used to identify individuals
3. Processing occurs without explicit consent

If your application uses Cloudinary's g_face (gravity: face) transformation parameter at scale, you may be operating AI-enhanced biometric processing through a US-controlled entity without the Art. 9(2)(a) explicit consent — a significant GDPR compliance risk.

Schrems II Transfer Impact Assessment

Any EU controller using Cloudinary must complete a Transfer Impact Assessment (TIA) under GDPR Art. 46 to assess whether SCCs provide adequate protection.

The key factors the TIA must address:

1. CLOUD Act §2703 warrants Cloudinary Inc. can be compelled to disclose media files and metadata via warrant without prior notice. Law enforcement requests that bypass Cloudinary's standard notification policy are legally permitted.

2. FISA Section 702 Non-US persons' data held by US electronic communication service providers can be collected for foreign intelligence purposes without individual warrants. Cloudinary's platform (API calls, CDN logs, stored assets) could fall within FISA §702's broad scope.

3. NSL gag orders National Security Letters under 18 U.S.C. §2709 include mandatory non-disclosure provisions. Cloudinary cannot legally notify affected EU controllers or data subjects when NSL-compelled access occurs.

4. Austrian DSB precedent The Austrian Data Protection Authority's January 2022 decision on Google Analytics established that mere SCCs are insufficient when US surveillance law applies to the US provider. Subsequent decisions by French CNIL (March 2022), Italian Garante (June 2022), and Danish Datatilsynet (September 2022) confirmed this analysis. Cloudinary faces the same legal framework.

The practical conclusion: standard SCCs between Cloudinary and an EU data controller do not eliminate CLOUD Act transfer risk. Your TIA will likely require either a risk acceptance decision or migration to an EU-controlled alternative.

EU-Native Alternatives to Cloudinary

1. Bunny.net — Best EU-Native Media CDN

Bunny Way d.o.o. is a Slovenian company (Ljubljana, EU member state) providing CDN, video streaming, storage, and image optimization services.

CLOUD Act Score: 0/25 — No US corporate entity, no US server infrastructure.

Key capabilities:

• BunnyCDN: Edge delivery across 120+ PoPs, EU PoPs prioritized for EU traffic
• BunnyStorage: Object storage with EU zone options (Frankfurt, Amsterdam, Stockholm)
• BunnyStream: Video hosting and adaptive streaming (HLS)
• BunnyOptimizer: Image optimization and WebP/AVIF conversion

GDPR compliance:

• DPA available under EU law (Slovenia = GDPR jurisdiction)
• No CLOUD Act exposure (non-US company)
• Data residency enforceable under EU law
• No Schrems II TIA required for EU-to-EU processing

Limitations vs Cloudinary:

• Less mature AI transformation features (no automatic face detection, smart cropping)
• Smaller ecosystem of official SDKs
• Image transformation syntax differs from Cloudinary's URL-based API

Migration complexity: Medium — URL transformation syntax needs rewriting, SDK replacement required.

2. imgproxy — Self-Hosted EU-Controlled Image Processing

imgproxy is an open-source, high-performance image processing proxy written in Go (MIT license). You deploy it on EU infrastructure you control, making it fully EU-sovereign.

CLOUD Act Score: 0/25 — No US entity involved, you control the data.

Key capabilities:

• URL-based image transformation (resize, crop, format conversion, watermarking)
• WebP, AVIF, HEIC generation
• Source image fetching from S3-compatible storage (MinIO on EU servers)
• Face detection via OpenCV or TensorFlow (run entirely on your EU infrastructure)
• SVG, PDF thumbnail generation

Self-hosting on EU infrastructure: Deploy imgproxy + Hetzner Object Storage (or MinIO on Hetzner dedicated) for complete EU sovereignty. Images never leave EU jurisdiction.

Limitations vs Cloudinary:

• No managed service — you maintain the infrastructure
• No built-in CDN (combine with Bunny.net or Hetzner CDN)
• Smaller community than Cloudinary

Migration complexity: High — requires infrastructure setup but enables full sovereignty.

3. Thumbor — Open Source Python Alternative

Thumbor is an open-source smart imaging service (Python, Apache 2.0, originated at Globo.com Brazil). Self-hosted on EU infrastructure, it achieves 0/25 CLOUD Act exposure.

Key capabilities:

• On-the-fly image resizing and cropping
• Smart face/feature detection for automatic focal cropping (runs locally — no US entity processes the biometric analysis)
• WebP conversion
• Result storage with EU-controlled backends (S3-compatible, local filesystem)
• URL-based transformation API

The critical advantage over Cloudinary for biometric-sensitive use cases: Thumbor's face detection runs entirely on your EU servers. GDPR Art. 9 biometric processing stays in EU jurisdiction.

4. Cloudimage.io — Swiss-Hosted Image CDN

Cloudimage (by Scaleflex, registered in Switzerland) provides a managed image CDN with Switzerland as the primary data location.

CLOUD Act Score: 3/25 — No US entity; Switzerland has an EU adequacy decision (since January 2024 under FDPA); standard data transfer possible without Art. 46 SCCs.

Key capabilities:

• URL-based image transformations (resize, crop, format, quality)
• AI-powered features (background removal, smart cropping)
• CDN delivery via EU/Swiss PoPs
• GDPR Art.28 DPA under Swiss/EU law

Limitations:

• Switzerland ≠ EU member state (though adequacy decision exists)
• Smaller CDN footprint than Cloudinary
• Less ecosystem maturity

5. Transloadit — EU-Originated File Processing

Transloadit was founded in Germany in 2009 (Amsterdam and Hamburg offices). Transloadit Ltd is incorporated in the UK (post-Brexit) but operates primarily from EU infrastructure.

CLOUD Act Score: 5/25 — UK entity (no CLOUD Act); GDPR Art. 46 UK adequacy decision applies; processing primarily in EU.

Key capabilities:

• File upload handling, image processing, video encoding
• Assembly instructions (programmable processing pipelines)
• S3/GCS/Azure connector for storage
• AI-powered features run in EU

Note on UK incorporation: Post-Brexit, UK entities are outside the EU regulatory space. The EU issued an adequacy decision for UK in June 2021, meaning data transfers from EU to UK are permitted without Art. 46 SCCs — but this adequacy decision is subject to review and is not guaranteed permanently.

EU vs US: CLOUD Act Score Comparison

Note on Cloudflare Images: Many developers consider Cloudflare Images as a Cloudinary alternative. But Cloudflare Inc. is a Delaware corporation — subject to CLOUD Act with a higher score than Cloudinary due to Cloudflare's deeper integration with internet traffic and its CDN infrastructure. Cloudflare is not an EU-native privacy solution.

Migration Guide: Cloudinary to Bunny.net or imgproxy

Step 1: Audit Your Cloudinary Usage

Before migrating, catalog:

• Which Cloudinary features you use (upload, transformation, delivery, AI features)
• Whether you use face detection or AI cropping (biometric risk → highest migration priority)
• Volume of stored assets
• SDK integrations (JavaScript, Python, Ruby, PHP, etc.)

Step 2: Choose Your Target Architecture

Option A — Bunny.net (managed, low ops overhead):

• BunnyStorage for asset storage
• BunnyOptimizer for image transformations
• BunnyCDN for delivery
• DPA under Slovenian law

Option B — imgproxy + EU Object Storage (maximum sovereignty):

• Hetzner Object Storage or MinIO on Hetzner for asset storage
• imgproxy for transformation
• Bunny.net CDN for delivery
• All processing in EU, no US entity involved

Step 3: Migrate Transformation URLs

Cloudinary uses URL-based transformations like:

https://res.cloudinary.com/demo/image/upload/w_300,h_200,c_fill/sample.jpg

imgproxy uses a similar but different syntax:

https://imgproxy.example.com/w:300/h:200/aHR0cHM6Ly9zdG9yYWdlLmV4YW1wbGUuY29tL3NhbXBsZS5qcGc=

Bunny.net Optimizer uses:

https://your-zone.b-cdn.net/sample.jpg?width=300&height=200&aspect_ratio=1:1

Maintain backward compatibility by routing old Cloudinary URLs through a proxy layer during migration.

Step 4: Replace SDK Integrations

Each Cloudinary SDK needs replacement:

• JavaScript: Replace cloudinary npm package with Bunny.net or custom imgproxy URL builder
• Python: Replace cloudinary pip package with direct HTTP calls to imgproxy
• Ruby/Rails: Replace cloudinary gem with custom adapter

Step 5: Update GDPR Documentation

After migration:

• Update your GDPR Art.30 records of processing activities (new processor: Bunny.net / imgproxy)
• Replace Cloudinary DPA with Bunny.net DPA or mark processing as internal (self-hosted)
• Update your privacy policy to remove Cloudinary as a sub-processor
• If you were using Cloudinary's AI features, verify that the Art. 9 biometric processing now occurs entirely within EU jurisdiction
• Remove Cloudinary from your SCCs list (no longer an Art. 46 transfer)

Key Takeaway for EU Developers

Cloudinary is a capable platform, but it is a US entity processing data that may include GDPR-sensitive content. For EU applications handling images of users — e-commerce products with lifestyle shots, profile photos, document scans, HR systems, healthcare platforms — Cloudinary's CLOUD Act exposure is a real compliance consideration.

The strongest alternative is Bunny.net (Slovenian, 0/25 CLOUD Act) for managed media CDN, or imgproxy self-hosted on Hetzner for applications requiring maximum EU sovereignty and GDPR Art. 9 protection for biometric image analysis.

If your current stack uses Cloudinary and you deploy on sota.io (EU-native, Hetzner Germany, no CLOUD Act), pairing with Bunny.net or imgproxy gives you a fully EU-sovereign media pipeline with no US jurisdiction exposure from CDN to compute to storage.

CLOUD Act scores use a 5-dimension methodology: US legal entity (0–5), US-controlled infrastructure (0–5), data sensitivity (0–5), intelligence community exposure (0–5), warrant disclosure risk (0–5). Scores reflect publicly available corporate and legal information as of May 2026.