Notice of Self-Certification Under the EU-U.S. Data Privacy Framework
Effective Date: Aug 8, 2023
Fastly, Inc. participates in and has certified its compliance with the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. Fastly is committed to subjecting all personal information received from European Union (“EU”) member countries, and Switzerland, respectively, in reliance on each applicable privacy framework to the framework’s applicable Principles. To learn more about the Data Privacy Framework, and to view our certification, visit the U.S. Department of Commerce’s Website.
Fastly has also Self-Certified its compliance pursuant to the United Kingdom Extension to the EU-U.S. DPF; however, Fastly will continue to rely on other permitted mechanisms to transfer data from the UK, and will continue to employ those mechanisms even after the UK’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force.
Scope
Fastly adheres to the Data Privacy Framework’s Principles with respect to personal information we receive from individuals or companies in the EU, the United Kingdom, and Switzerland. Fastly is (a) an Internet intermediary and provider of edge cloud services that process network requests according to standard protocols; (b) a provider of edge computing; and, (c) a provider of network security services (our “Services”) that permit subscribers to electronically submit (or cause to be submitted) data to the Services for associated processing. As the subscribers (or in some cases their end users) control the data to be processed, Fastly’s network, platform, and services may be used as a conduit for information. As the Principles do not impose secondary liability, to the extent Fastly, on behalf of its subscriber, merely transmits, routes, switches, or caches data, Fastly may rely on its subscribers to comply with legal requirements underlying the Principles with respect to such processing.
Types of personal information collected and data processed
Fastly processes data on behalf of our subscribers, which may include personal information, in accordance with our agreements with our subscribers and for the purpose of providing the Services. Fastly acts as a data processor with respect to data submitted to our Services. Fastly neither controls nor owns what our subscribers and their internet clients submit to the Services. Fastly also collects, uses, and processes personal information of individuals who visit our websites and applications (“Visitors”) and individual representatives of our subscribers, suppliers, and business partners (“Business Contacts”). Personal information associated with Visitors and Business Contacts is collected, stored, and processed in accordance with Fastly’s Privacy Policy.
We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses. Our Data Processing Terms rely primarily on the Standard Contractual Clauses, but contemplate the use of other mechanisms such as the Data Privacy Framework.
Purposes of data processing
As a data processor, Fastly collects, caches, transmits, discloses, and processes data submitted to our Services, which may include personal information about EU data subjects received from its subscribers and their users, at the direction of its subscribers in accordance with our agreements. Fastly will not access or process personal information contained in the data submitted to the Services, except as provided in our documentation. Fastly may share personal information with its subsidiaries, contractors, or third parties if Fastly undergoes a business transaction, such as a merger, acquisition by another company, or sale of all or a portion of its assets.
Type of third parties to which we disclose personal information
Fastly is responsible for the processing of personal information it receives, under each applicable Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. Fastly complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, the United Kingdom, and Switzerland, including the onward transfer liability provisions.
Fastly may use from time to time third-party service providers, contractors, and subprocessors to assist in providing the Services on our behalf. Fastly maintains contracts with these third parties restricting their access, use, and disclosure of personal information in compliance with our Data Privacy obligations, and Fastly may be liable if we fail to meet those obligations and we are responsible for the event giving rise to the damage.
Requirement to disclose
Fastly may be required in certain circumstances to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Right to access and to limit use
EU, United Kingdom, and Swiss individuals have rights to access personal information about them and to limit the use and disclosure of their personal information, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in question, or where the rights of others would be violated. With our Data Privacy certification, Fastly has committed to respect those rights. Because Fastly personnel have limited ability to access data our subscribers submit to our Services, if you wish to request, access, limit use, or limit disclosure of your personal information, please provide the name of the Fastly subscriber who submitted your data to our services. We will refer your request to that subscriber and will support them as needed in responding to your request.
Enforcement
With respect to personal Information received or transferred pursuant to the Data Privacy Framework, Fastly is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
Inquiries and complaints
Inquiries and complaints relating to Fastly’s treatment of personal information and its compliance with the Principles may be directed to:
abuse@fastly.com
Or
Fastly, Inc. Attention: General Counsel
475 Brannan St., Suite 300
San Francisco, CA 94107
Fastly will respond to your inquiry or complaint within 45 days. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our designated U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Arbitration
Under certain conditions, more fully described on the Data Privacy website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Other Covered Entities
Fastly’s U.S. Entities or Subsidiaries Adhering to the Data Privacy Framework Principles:
Fastly, Inc.
Signal Sciences, LLC (f/k/a Signal Sciences Corp.)