Under the General Data Protection Regulation (“GDPR”), European nationals have individual rights regarding their personal data that must be respected by companies controlling or processing that data. As part of Fastly’s obligations to provide our edge cloud services in compliance with all applicable laws, and our customers’ obligations not to use our edge cloud services in violation of those same laws, we want to outline the steps we have taken to comply with the GDPR, and in particular the steps we have taken to ease the GDPR compliance burden for our customers.
Instant purge, rapid configuration deployment, and real-time log delivery are fundamental to our platform and facilitate compliance with GDPR and other regulations and compliance standards such as HIPAA and PCI. Notably, instant purge means that customers can invalidate stale (or even problematic) content in 150 milliseconds across our global network. Customers can also deploy new configurations rapidly in response to business or compliance needs.
Additionally, Fastly doesn’t keep request logs; instead, we empower our customers to decide exactly what is captured and streamed to them about those interactions. If our customers don’t want to log some piece of data, or it needs to be anonymized at collection, our highly configurable log-streaming functionality supports that. We also support many logging endpoints so that customers can select the endpoints that meet their functionality, security and compliance requirements.
Our new enterprise support plan provides access to support and compliance professionals to assist with compliance inquiries. You can also read more about updates we’ve made to our documentation to provide guidance about working with configurations and logging in the age of GDPR.
But industry-leading technology alone is not enough, and today we are pleased to announce the extra steps we are taking to make complying with the GDPR easier for our customers.
When customers use Fastly to deliver and cache personal data, or collect and stream request logs that contain personal data, Fastly is acting as a data processor under GDPR. We have posted a set of data processing terms that are incorporated into the Terms of Service our customers have agreed to with us. All of our direct customers can take advantage of these online data processing terms to meet their GDPR compliance obligations without further action (no emails to forward or forms to fill out). Of course, customers with questions about these online terms can email email@example.com and our account teams will engage with our team of legal and compliance professionals to assist with your request.
We are also in the process of completing a third-party audit of our compliance with the GDPR as a data processor for content delivery, content caching, and request log streaming. The results of the audit will be a third-party attestation report that our customers can use to help satisfy their data privacy impact assessment obligations under the GDPR. This audit report should be available in June.
We have adopted procedures within our customer support organization to promptly forward to our customers any inquiries we receive about their content and its compliance with the GDPR. Any customers that have not already provided us a contact for notices we might receive about our content under our Acceptable Use Policy should take the opportunity to update their abuse contact information by sending a note to firstname.lastname@example.org.
We recognize this is a challenging time. Our legal, compliance and support teams are standing by to assist our customers with their GDPR and other compliance inquiries. We were at Altitude NYC discussing customers’ questions and concerns, and are looking forward to being at Altitude London in the days before GDPR becomes effective.