In order to provide this service, we capture and store information about you and about users uploading material to the service:
As of 25 May 2018, the European General Data Protection Regulation (GDPR) has come into force. We wrote this post to outline what Transloadit - and our customers - can do to make sure the new rules are being followed.
Who is responsible for data protection?
Since we are a small company, we do not have an external data officer. Our founders, Tim Koschützki and Kevin van Zonneveld, are responsible for data protection. You can reach them at email@example.com.
What data is collected?
Transloadit collects and shares information about its customers. Since Transloadit is a B2B service, this concerns data on businesses. We also receive a limited amount of data on our customers' customers. These are the individuals or 'data subjects' that the GDPR specifically aims to protect, and they come in contact with Transloadit when we handle their uploads or when they request the status of encoding progress of their files.
As far as these cases are concerned, Transloadit receives the following data on end-users:
From the website
- IP addresses
- Request headers
- Data entered on our website
- The browser session (identified through a cookie)
- Information used to analyze usage of our platform (through cookies from Google Analytics; more on cookies is explained below)
From the API
- IP addresses
- Request headers
- Your user agent (browser, device, etc.)
- Data submitted to our API (media files, uploads)
All data stored by us is only used for internal processing, and never sold or otherwise given away.
Since Transloadit does not store data on data subjects, migration or deletion tools are not applicable.
What data is stored exactly?
Transloadit only stores links to uploaded media files in the status JSON of an Assembly. We do not store any other data coming from data subjects.
Storing media files
Transloadit only stores temporary files, and we do so for 24 hours. Files are hashed and anonymized.
Transloadit employees only look at your files to troubleshoot problems. This rarely happens, and when it does, we do so with the understanding that anything we see is to be kept strictly confidential.
Any Transloadit employee or subcontractor with access to these systems will have signed an NDA, which, among other things, includes enforcing two-factor authentication for critical services, encrypted drives, and password managers.
If it is important to you that the media files of your end-users, kept during the 24-hour window, temporarily reside in a particular region, Transloadit currently operates in the regions:
By default, the endpoint https://api2.transloadit.com/ is used, and Transloadit will serve your users from the region closest to them. You can also opt to exclusively address one region by using an endpoint like https://api2-eu-west-1.transloadit.com/. In this case, no data for the request leaves this region.
Assemblies contain links to the media files that have been uploaded by data subjects. If the links point to files temporarily hosted by us, then these links will expire after 24 hours (at the point when the associated files are discarded). Links to files that were exported to your own storage system (Amazon S3, FTP server, Rackspace container, etc.) will expire based on the expiry policy you set forth on these containers.
Assemblies are archived three months after their creation. Any Assembly Status JSON will cease to be available through https://api2.transloadit.com/assemblies/[[assembly_id]] after three months, along with all links to media files uploaded for this Assembly. Assembly IDs are secure: only the data subject, you as our customer, and Transloadit staff know these Assembly IDs.
We use the following third-party services which also store data about you. Third party customer data counts as personal data about you.
|Transloadit||end user (data subject)||browser identifiers except IP||instantly|
|AWS S3||end user (data subject)||media files||✅||>24h|
|AWS RDS||customer (business)||address, email||✅||>30d|
|AWS RDS||customer (business)||assembly metadata||✅||>30d|
|AWS RDS||customer (business)||credentials for writing to cloud storage||aes256||✅|
|AWS RDS||customer (business)||transloadit password||bcrypt||✅|
|Discourse||customer (business)||public support tickets||n/a|
|Intercom||customer (business)||browser identifiers|
|Intercom||customer (business)||support tickets|
|Librato||customer (business)||ops heuristics||✅|
|Stripe||customer (business)||credit card data||PCI compliant|
|Zoom||customer (business)||temporary file download to local server for transcoding||instantly|
- encryption: At rest. All connections in transit are protected by TLS
- anonymized: Any data that can be used to identify the 'data subject' is scrubbed
- discarded: Data is destroyed
- archived: Data is accessible only by founders
In the event that your private data or API-uploaded temporary files are disclosed to unauthorized people (such as hackers), Transloadit will send out email notifications to all possibly affected parties. We will also update our blog at https://transloadit.com/blog, our Twitter account at https://twitter.com/transloadit and our status page at https://transloaditstatus.com.
Your information and your rights
If you are based within the EEA (European Economic Area) or within another jurisdiction that has similar data protection laws, under certain circumstances, you have the following rights:
- the right to be told how we use your information and obtain access to your information;
- the right to have your information rectified or erased, or to place restrictions on processing your information;
- the right to object to the processing of your information e.g. for direct marketing purposes or where the processing is based on our legitimate interests;
- the right to have any information you provided to us on an automated basis returned to you in a structured, commonly-used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”);
- where the processing of your information is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions;
- the right to object to any decisions based on the automated processing of your personal data, including profiling; and
- the right to lodge a complaint with the supervisory authority responsible for data protection matters (e.g. in the UK, the Information Commissioner’s Office).
If you request a copy of your information, you may be required to pay a statutory fee.
If we hold any information about you which is incorrect or if there are any changes to your details, please let us know so that we can keep our records accurate and up to date.
We will retain your personal information for the duration of our business relationship and afterwards for as long as is necessary and relevant for our legitimate business purposes, or as otherwise permitted by applicable laws and regulations. When we no longer need your personal information, we will dispose of it in a secure manner (without further notice to you).
Cookies, analytics and traffic data
Our cookies may be session cookies (temporary cookies that identify and track users within our websites), which are deleted when you close your browser, or persistent cookies (cookies that enable our website to “remember” who you are and to remember your preferences within our website), which will stay on your computer or device after you close your browser.
We only use strictly necessary cookies. For analytics, we use a self-hosted service that is GDPR compliant and anonymizes data on impact. We also don't share any remaining data. The cookies that remain are required for our website to work, meaning that under EU law, we are not required to show any cookie banners.
Data Processing Addendum (DPA)
If you require a countersigned copy of our DPA, please reach out to support.