ImageKit and the General Data Protection Regulation (GDPR)
Last updated - 24 Sep 2025
This page outlines our commitment to data protection and our role as a data processor under the General Data Protection Regulation (GDPR). We believe that data privacy is a fundamental right, and our services are built on the principles of transparency, security, and customer control.
Our mission is to help our customers deliver and manage high-quality media content without compromising on performance or privacy.
Our Promise to You
We will never sell or rent any of your personal data or your customers' data to any third party. Your data and your customers' data remain yours. We will only process it to provide, secure, and monitor our services as instructed by you and as outlined in our Data Processing Addendum.
Our Role Under the GDPR
ImageKit operates primarily as a Data Processor for our customers and as a Data Controller for the limited set of the data we collect directly to offer our services.
- You, the Data Controller: When you use ImageKit's services, you are the Data Controller. This means you determine the purposes and means of processing the personal data of your end users.
- ImageKit, the Data Processor: We process personal data on your behalf and at your direction to provide the ImageKit service. Our processing is limited to the instructions you provide through your use of our services and our formal agreements.
- ImageKit, the Data Controller: We act as a Data Controller for a limited set of personal data about our business customers, such as your account contact details, billing information, and user login data. We process this data to provide our services to you, manage your account, and fulfill our contractual obligations.
This relationship is legally documented in our Data Processing Addendum (DPA, available upon request), which is an integral part of our agreement with you and includes the EU's Standard Contractual Clauses (SCCs).
The Data We Process and Why
ImageKit processes certain categories of personal data to deliver our services. The types of data we process depend on how you use our services. You can refer to the data we collect, its purpose, any onward transfers, and our participation in EU-U.S. Data Privacy Framework (DPF), the UK Extension, and the Swiss-U.S. DPF on our Privacy Policy Page.
How We Protect Your Data
Security is at the heart of our operations. We implement robust technical and organizational measures to ensure a high level of security appropriate to the risks associated with processing personal data. All the security measures can be found on our Security and Trust page.
How ImageKit Empowers Your Compliance
Our services are built with features that help you, as the Data Controller, meet your GDPR obligations.
-
Data Upload: You can restrict only authorized administrators, or specific users and applications to upload data to ImageKit.
-
Data Management: You can easily manage, delete, and list all your uploaded data from the ImageKit dashboard or via our APIs.
-
Security Controls: You can restrict data delivery using signed URLs, expiry intervals, and private images. We also offer advanced features to block access based on a user's IP address, URL referrer, or country.
-
User Access Control: You can control access levels for users in your ImageKit dashboard, enforce multi-factor authentication, and use Single Sign-On for user management.
-
Auditability: Our audit logs provide a history of configuration changes in the dashboard, helping you track and report on your data management activities.
Our Subprocessors
To provide our services, ImageKit engages a limited number of third-party subprocessors. We have carefully vetted each of these partners to ensure they are compliant and adhere to data protection obligations no less stringent than our own. We notify our customers of any mandatory changes to new subprocessors by giving a notice of at least 30 days, providing an opportunity to object before a change is implemented.
You can find the most up-to-date list of our subprocessors in our Data Processing Addendum (available upon request). For your convenience, the current list is provided below.
Table of Current Subprocessors
| Sub-processor | Purpose of Processing | Key Locations | Processing Region |
|---|---|---|---|
| Amazon Web Services India Private Limited | Hosting, processing, storage and delivery service. All storage, optimization, transformation, and delivery of files via ImageKit or stored with ImageKit. | USA, India | For images and other static content like PDFs, Docs, etc. - USA, Germany, Singapore, India, Australia - Depending on your choice of processing region/ For video content processing - USA. EU Region available on request for Enterprise Plan Customers. For other data such as user logins, account settings, CDN access logs and server logs for analytics - USA |
| DigitalOcean Holdings, Inc. | Delivery service and content caching only for a few custom CDN users | USA | USA, Germany, Singapore, India - Depending on proximity to your choice of processing region on Enterprise plans |
| Zoho Sign | Electronic signing of agreements. | India & USA | India |
| HubSpot, Inc. | CRM and marketing automation. | USA | USA |
| Intercom, Inc. | Live chat and customer support. | USA | USA |
| Sendgrid (Twilio) | Transactional Emails | USA | USA |
| MailModo Technologies Pvt Ltd | Email marketing and communication. | USA, India | USA |
| Stripe, Inc. | Payment processing for customer accounts. | USA | USA |
| Metabase, Inc. (Self-Hosted) | Product metrics and business analytics. | USA | USA |
| Photoroom | Background change feature (not mandatory, only on demand by Customer) | France | USA |
| Canva Austria GmbH (Remove.BG) | Background remove feature (not mandatory, only on demand by Customer) | Austria | USA and EU |
| OpenAI, L.L.C | Image and video editing, generation, and other AI-based functionalities that may enhance or automate visual processing workflows (not mandatory, only on demand by Customer) | USA | USA |
| Google Cloud | Image and video editing, generation, and other AI-based functionalities that may enhance or automate visual processing workflows (not mandatory, only on demand by Customer) | USA | USA |
Upcoming Changes: Open AI and Google Cloud subprocessors listed above will also be utilized for the change background functionality (used on customer opt-in) on or after 15th November 2025.
Rights as a Data Subject
Under GDPR, ImageKit acts as a Data Processor, while our customers act as Data Controllers.
If you are an end user wishing to exercise your GDPR rights, such as the right to access, rectify, restrict, or erase your personal data, you should contact the relevant Data Controller (our customer).
While our customers (Data Controllers) are primarily responsible for responding to data subject requests, ImageKit will provide reasonable assistance to help fulfill these requests within our technical capabilities and contractual obligations.
Contact & Further Information
For any questions related to data privacy, or any other assistance, you may contact our Data Protection Team at the contact details given below.
Email: admin@imagekit.io
Address: As published on https://imagekit.io/contact-us/
For a comprehensive review of our data processing commitments, you can view our full Data Processing Addendum and Standard Contractual Clauses, which are available upon request for our customers.