You appear to be offline. Some site functionality may not work.

Data Processing Terms

PLEASE READ THESE DATA PROCESSING TERMS (THESE “TERMS”) CAREFULLY. THESE TERMS ARE A BINDING CONTRACT FOR PROCESSING OF PERSONAL DATA OF EUROPEAN UNION DATA SUBJECTS THROUGH THE USE OF FASTLY, INC. (“FASTLY”) EDGE CLOUD SERVICES.

IF YOU DO NOT AGREE TO BE BOUND BY ALL OF THE PROVISIONS OF THESE TERMS, AND YOU HAVE NOT SEPARATELY AGREED WITH FASTLY ON TERMS REGARDING THE PROCESSING OF PERSONAL DATA OF EUROPEAN UNION DATA SUBJECTS, DO NOT ACCESS OR USE FASTLY’S SERVICES FOR THE PROCESSING OF PERSONAL DATA OF EUROPEAN UNION DATA SUBJECTS.

IF YOU REQUIRE A SIGNED VERSION OF THESE TERMS PLEASE CONTACT <SUPPORT@FASTLY.COM>.

BY ACCESSING OR USING FASTLY SERVICES YOU ARE ACCEPTING THESE TERMS (ON BEHALF OF YOURSELF OR THE ENTITY THAT YOU REPRESENT) AND YOU REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, AUTHORITY, AND CAPACITY TO ENTER INTO THESE TERMS (ON BEHALF OF YOURSELF OR THE ENTITY THAT YOU REPRESENT AND ITS AFFILIATES).

THESE TERMS WERE INITIALLY POSTED ON APRIL 24, 2018. THERE HAVE BEEN NO PRIOR VERSIONS OF THESE TERMS. IF AND WHEN UPDATED, ANY PRIOR VERSIONS OF THESE TERMS WILL BE AVAILABLE AT https://docs.fastly.com.



FASTLY DATA PROCESSING TERMS

1. Purpose. In consideration of the parties’ mutual obligations to comply with applicable law in accordance with the Agreement, these Fastly Data Processing Terms (these “Terms”) apply to Fastly’s Processing of Personal Data on Subscriber’s behalf as a Data Controller (or as a Data Processor on behalf a third-party Data Controller) subject to the Directive, the GDPR or applicable Privacy and Data Protection Laws. In the course of providing the Services to Subscriber pursuant to the Agreement, Fastly may Process Personal Data on behalf of Subscriber. Unless otherwise expressly agreed in writing between Subscriber and Fastly, this version of the Terms (1) is incorporated into and subject to the Agreement and each Service Order, (2) shall be effective and remain in force for the term of the Agreement and each Service Order, and (3) in the event of any conflict between the terms of the Agreement, a Service Order, and these Terms, the relevant provisions of these Terms shall take precedence. These Terms shall not apply to any Subscriber that does not access or use the Services for Processing of Personal Data subject to the Privacy and Data Protection Laws.

2. Definitions. Capitalized terms not defined in these Terms shall have the meaning set forth in the Agreement.

2.1 “Agreement” means any master subscription agreement applicable to Subscriber’s use of the Services, such as the Fastly Terms of Service (available at https://www.fastly.com/terms).

2.2 “Certification” means Fastly’s notice of self-certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks available at https://www.fastly.com/privacy-shield-notice.

2.3 “Data Controller” has the meaning ascribed to it in the GDPR.

2.4 “Data Processor” has the meaning ascribed to it in the GDPR.

2.5 “Data Subject” has the meaning ascribed to it in the GDPR.

2.6 “Data Subject Request” means Data Subject requests under Privacy and Data Protection Laws, including without limitation the exercise of rights by Data Subjects of Personal Data under Chapter III of the GDPR.

2.7 “Directive” means Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

2.8 “Documentation” means the online documentation available via http://docs.fastly.com.

2.9 “Fastly Group” means Fastly, Inc. and its affiliates engaged in the Processing of Personal Data.

2.10 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom.

2.11 “Model Contract Clauses” means the agreed form standard contractual clauses for the purposes of Article 26(2) of the Directive for the transfer of personal data to data processors established in third countries pursuant to Commission Decision (2010/87/EU) notified under document C(2010) 593 attached to these Terms as Exhibit A (including the appendices).

2.12 “Personal Data” means personal data as defined in the GDPR contained in Subscriber Data and caused to be submitted to Fastly via the Services according to Subscriber’s configuration of the Services.

2.13 “Privacy and Data Protection Laws” means the national provisions adopted pursuant to the Directive (when in effect) and the Federal Data Protection Act of 19 June 1992 (Switzerland), the Data Protection Act 1998 (United Kingdom), the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, the General Data Protection Regulation (when in effect), and the national provisions adopted pursuant to the GDPR, for each as applicable to Subscriber as Data Controller of Subscriber Data and to Fastly as Data Processor of Subscriber Data and when in effect.

2.14 “Processing” has the meaning ascribed to it in the GDPR.

2.15 “Service Order” means one or more online or written ordering documents which incorporate the Agreement.

2.16 “Services” has the meaning of such defined term in the Agreement.

2.17 “Subscriber” means the subscriber that has executed a Service Order for Services.

2.18 “Subscriber Data” has the meaning of such defined term in the Agreement.

2.19 “Sub-processor” means any Data Processor engaged by Fastly or a member of the Fastly Group, including Fastly affiliates.

2.20 “Supervisory Authority” has the meaning ascribed to it in the GDPR.

3. Processing Of Personal Data

3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Subscriber is the Data Controller and Fastly and members of the Fastly Group, as the case may be, are Data Processors. Exhibit B to these Terms sets out certain information regarding Fastly’s Processing of Personal Data as required by Article 28(3) of the GDPR.

3.2 Subscriber’s Processing of Personal Data. Subscriber shall, in its use of the Services, only Process Personal Data or transfer such Personal Data to Fastly, in accordance with the requirements of Privacy and Data Protection Laws and the Documentation. For the avoidance of doubt, Subscriber’s instructions for the Processing of Personal Data shall comply with Privacy and Data Protection Laws. In particular, Subscriber represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a legal basis for the Processing by Fastly of Personal Data on behalf of Subscriber in accordance with these Terms and the Agreement (including any and all instructions issued by Subscriber from time to time in respect of such Processing).

3.3 Fastly’s Processing of Personal Data. In accordance with the requirements of Privacy and Data Protection Laws, Fastly shall only Process Personal Data upon Subscriber’s documented instructions and immediately notify Subscriber in writing if, in Fastly’s reasonable opinion, their instructions infringe Privacy and Data Protection laws; provided, Subscriber acknowledges that the Services will Process Personal Data on an automated basis in accordance with Subscriber’s configurations, which Fastly does not monitor. Subscriber instructs Fastly to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Service Orders; (ii) Processing initiated by Subscriber through the Services’ application programming interfaces (APIs) or user interfaces; (iii) Processing to comply with other reasonable documented instructions provided by Subscriber (e.g., via support tickets, email communications and chat platforms) where such instructions are consistent with the terms of the Agreement and (iv) Processing otherwise required of Fastly by applicable laws. These Terms and the Agreement contain Subscriber’s sole instructions to Fastly for the Processing of Personal Data. Subscriber acknowledges that as part of performing its Services Fastly maintains a growing global network of points of presence (“PoPs”). Fastly’s PoPs will process requests and transmit and cache content (including Personal Data) in accordance with Subscriber’s configurations of the Services. Subscriber acknowledges that its Subscriber Data will automatically transit across national borders in response to Subscriber’s clients’ requests and Subscriber’s configurations in accordance with the Documentation.

4. Transfers Of Personal Data

4.1 Model Contract Clauses. The terms of the Model Contract Clauses will apply, and are incorporated into these Terms, to all Processing of Personal Data by Fastly and its affiliates where the Personal Data is transferred from the European Economic Area (“EEA”) and/or Switzerland to outside the EEA and/or Switzerland, either directly or via onward transfer, to any country or recipient: (a) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Directive or GDPR as applicable), and (b) to the extent the transfer is not covered by the Certification to the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks (as described in Section 4.2) or another a suitable framework (e.g., binding corporate rules, etc.) recognized by the relevant authorities or courts as providing an adequate level of protection for personal data. For the purposes of the EU Model Clauses, Fastly and Subscriber agree that (i) Subscriber will act as the data exporter on its own behalf and on behalf of any of its affiliates and (ii) Fastly will act on its own behalf and/or on behalf of the relevant members of the Fastly Group as the data importers.

4.2 EU-US and Swiss-US Privacy Shield Frameworks. Fastly makes available the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks together with Fastly’s Certification as the transfer mechanism governing transfers of Personal Data to the United States from the EEA and/or its member states and Switzerland. Fastly will in accordance with its Certification:

4.2.1 Provide at least the same level of protection for Personal Data as is required by the relevant principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

4.2.2 Promptly notify Subscriber of any failure or inability to provide at least the same level of protection.

4.2.3 Where Fastly permits a Sub-processor to access Personal Data, Fastly will require the Sub-processor to provide at least the same level of protection as is required by the relevant principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

4.3 Consent to Transfer. Fastly may store and process Personal Data in the United States or any other country in with Fastly or any of its Sub-processors maintains facilities, subject to this Section 4.

4.4 Order of Precedence. In the event of any conflict or inconsistency among the following, the provisions of the following agreements, in order of precedence, shall prevail: (i) the Model Contract Clauses (when applicable), (ii) these Terms, (iii) the Service Order(s) and (iv) the Agreement.

4.5 Registration and approvals. Subscriber agrees that it shall take all reasonable steps to determine whether the parties are required under Privacy and Data Protection Laws to either: (a) register the Model Contract Clauses with any Supervisory Authority in any member state of the EEA and/or Switzerland; or (b) procure approval from any such Supervisory Authority for the transfer referred to in the Model Contract Clauses. Subscriber agrees that it shall inform Fastly immediately upon becoming aware of such requirements.

4.6 Cooperation. The parties agree that they shall cooperate to: (a) make any such necessary registrations and obtain such approvals referred to in Section 4.5; and (b) without limitation, provide any additional information about the transfer referred to in the Model Contract Clauses where required or requested to do so by any Supervisory Authority of competent jurisdiction.

5. Correction, Amendment and Deletion Of Personal Data. To the extent Subscriber, in its use of the Services, does not have the ability to correct, amend or delete Personal Data as required by Privacy and Data Protection Laws, Fastly shall comply with any commercially reasonable request by Subscriber to facilitate such actions to the extent Fastly is legally permitted to do so and has reasonable access to the Personal Data.

6. Data Subject Requests. Fastly shall, to the extent legally permitted, promptly notify Subscriber if it receives a Data Subject Request. Subject to its obligations under Privacy and Data Protection Laws, Fastly shall not respond to any such Data Subject Request without Subscriber’s prior written consent except to confirm that the Data Subject Request relates to Subscriber. Taking into account the nature of the Processing and to the extent Subscriber does not have access to the relevant information through its use of the Services, Fastly shall, at Subscriber’s cost, provide Subscriber with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Subscriber in fulfilling its obligations to Data Subject Requests. Subscriber acknowledges that the storage and removal of cached content by the Services occurs automatically based upon Subscriber’s configurations and Fastly cannot correct, amend or permanently delete cached copies of Personal Data hosted or stored on equipment controlled by Subscriber.

7. Fastly Personnel

7.1 Confidentiality. Fastly shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed confidentiality agreements.

7.2 Reliability. Fastly shall take commercially reasonable steps to ensure the reliability of any Fastly personnel engaged in the Processing of Personal Data.

7.3 Limitation of Access. Fastly shall limit its access to Personal Data to those personnel who require such access to perform the Agreement.

7.4 Data Protection Officer. Members of the Fastly Group have appointed a data protection officer to the extent this is required by Privacy and Data Protection Laws. The appointed person may be reached at gc@fastly.com.

8. Sub-Processors

8.1 Appointment of Sub-processors. Pursuant to Clause 5(h) of the Model Contract Clauses and Article 28(2) of the GDPR (when in effect) Subscriber acknowledges and agrees that (a) members of the Fastly Group may be retained as Sub-processors; and (b) members of the Fastly Group may engage third-party Sub-processors in connection with the provision of the Services, in which case, members of the Fastly Group (as the case may be) shall procure that the Fastly Group has entered into a written agreement with respect to each Sub-processor containing: (i) data protection obligations in substantially similar terms to those in these Terms with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor; and (ii) which terminates automatically on the earlier of the termination of either: (A) the Agreement; or (B) these Terms, in accordance with their respective terms. Fastly will make available to Subscriber a current list of Sub-processors engaged in connection with the provision of the Services with the identities of those Sub-processors upon request of Subscriber or by posting such list to a Fastly website. Effective as of May 25, 2018, additions or changes to the list of Sub-processors will be provided to Subscribers according to the Documentation updates provision of the Agreement.

8.2 Right to Object. In the event Subscriber objects to a new or replacement Sub-processor(s) that Processes Personal Data, Subscriber may terminate the applicable Service Order(s) for those Services which cannot be provided by Fastly without the Processing of Personal Data by the objected-to new Sub-processor (including by changing Subscriber’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new or replacement Sub-processor without unreasonably burdening Subscriber or materially diminishing functionality) by providing written notice to Fastly within sixty (60) days of Fastly’s notice or disclosure of such new Sub-processor(s). Subscriber shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.

8.3 Liability. Fastly shall be liable for the acts and omissions of its Sub-processors to the same extent Fastly would be liable if performing the services of each Sub-processor directly under the terms of these Terms, except as otherwise set forth in the Agreement.

9. Security Controls for the Protection of Personal Data. Fastly shall maintain appropriate administrative, physical and technical safeguards for protection of the security and integrity of the Personal Data as set forth in the Documentation. Fastly regularly monitors compliance with these safeguards.

10. Security Breach Management And Notification. Fastly shall notify Subscriber without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Fastly or its Sub-processors of which Fastly becomes aware (“Security Breach”), providing Subscriber with sufficient information (insofar as such information is within Fastly’s possession) to allow Subscriber to meet its obligations to report or inform Data Subjects and/or Supervisory Authorities of the Security Breach under the GDPR, to the extent permitted by law. Fastly shall make commercially reasonable efforts to assist Subscriber in the investigation, mitigation and remediation of a Security Breach that is known to Fastly to the extent such Security Breach is caused by a violation of the requirements of these Terms by Fastly.

11. Limitation of Liability. Nothing in these Terms is intended to prejudice or limit any of Fastly’s right to limitations of liability afforded to data processors pursuant to Privacy and Data Protection Laws (including, for example, Annex III, Section 3 (“Secondary Liability”) of the Privacy Shield) or other laws applicable to the Services (including, for example, Articles 12-14 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”). Without prejudice to such any limitations afforded to data processors, each party’s liability arising out of or related to these Terms (whether in contract, tort or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement; provided, in no event will such limitation apply to any Data Subject’s rights under the Model Contract Clauses.

12. EU-Specific Provisions.

12.1 Data Protection Impact Assessment. With effect from May 25, 2018, upon Subscriber’s request and Subscriber’s cost, Fastly shall provide Subscriber with reasonable assistance needed to fulfill Subscriber’s obligation under the GDPR to carry out a data protection impact assessment related to Processing of Personal Data by Fastly taking into account the nature of the Processing and to the extent Subscriber does not otherwise have access to the relevant information, and to the extent such information is available to Fastly.

12.2 Prior Consultation. With effect from May 25, 2018, upon Subscriber’s request and Subscriber’s cost, Fastly shall provide Subscriber with reasonable assistance with any prior consultations to any Supervisory Authority of Subscriber which are required under Article 36 of the GDPR related to Processing of Personal Data by Fastly and taking into account the nature of the Processing and to the extent Subscriber does not otherwise have access to the relevant information and to the extent such information is available to Fastly.

12.3 Audits. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Model Contract Clauses and the GDPR shall be carried out in accordance with the following specifications:

12.3.1 Upon Subscriber’s request, and subject to the confidentiality obligations set forth in the Agreement, Fastly shall make available to Subscriber information regarding the Fastly Group’s compliance with the obligations set forth in these Terms in the form of the third-party certifications and audits set forth in the Documentation and Subscriber shall use such information solely for the purposes of complying with its obligations under Privacy and Data Protection Laws.

12.3.2 Subject to the requirements set out in Section 12.3.3 to 12.3.4, Subscriber may request an on-site audit of the procedures relevant to the protection of Personal Data under these Terms. Prior to agreeing to any on-site audit, Fastly shall provide a copy of Fastly’s then most recent relevant third-party audits or certifications, as applicable, or any summaries thereof.

12.3.3 If the information made available pursuant to Section 12.3.2 is insufficient, in Subscriber’s reasonable judgment, to confirm Fastly’s compliance with its obligations under these Terms, Subscriber shall give Fastly reasonable notice of any on-site audit to be conducted under this Section 12.3 (which shall in no event be less than thirty (30) days’ notice unless required by a Supervisory Authority).

12.3.4 Subscriber shall reimburse Fastly for any time expended for any such on-site audit at the Fastly Group’s then-current professional services rate, which shall be made available to Subscriber upon request. Before the commencement of any such on-site audit, Subscriber and Fastly shall mutually agree upon the scope, timing and duration of the audit in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Fastly. Subscriber shall promptly notify Fastly with information regarding any non-compliance discovered during the course of an audit.

12.4 Deletion of Personal Data. With effect from May 25, 2018, Fastly shall delete Personal Data upon the termination or expiration of all Service Orders providing for the Processing of Personal Data and upon the request of Subscriber to the extent permitted by applicable law. Subscriber acknowledges that, except to the extent described in the Documentation, the Services do not export Subscriber Data and, therefore, Fastly will not return any Personal Data.

12.5 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Model Contract Clauses shall be provided by Fastly to Subscriber only upon Subscriber’s request.

13. Changes to these Data Processing Terms. In consideration of Fastly’s ongoing obligations to comply with applicable law in the performance of the Services, Fastly may update these Terms. On and after May 25, 2018, Fastly will provide no less than thirty (30) days’ prior notice of any change to these Terms (formatting and other immaterial changes excepted), unless prior notice is not practicable due to a conflict in applicable law or regulation or other changes outside of Fastly’s reasonable control. This notice of an update to these Terms will be posted on https://docs.fastly.com/changes/. Subscriber may subscribe to receive email and RSS updates to http://docs.fastly.com/changes.

14. Enforcement. If any provision of these Terms is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of these Terms will remain in effect.



EXHIBIT A: MODEL CONTRACT CLAUSES
Commission Decision C(2010)593
Standard Contractual Clauses (processors)


For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: …

Address: …

Tel.: …

Fax: …

E-mail: …

Member State in which data exporting organization is established: …

Other information needed to identify the organization: …

( the data exporter)

And

Name of the data importing organisation: Fastly, Inc.

Address: PO Box 78266, San Francisco, California, 94107, United States of America

Tel.: +1(415)488-6329; fax: n/a; email: gc@fastly.com

(the data importer)
each a "party"; together "the parties"


HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1
Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

     (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

     (ii) any accidental or unauthorised access, and

     (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

     (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

     (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2.The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

By: …

Name: …

Title: …

Address: …

Date: …

On behalf of the data importer:

By: …

Name: …

Title: …

Address: …

Date: …

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and, (ii) all affiliates of data exporter established within the European Economic Area (EEA) and Switzerland that have purchased the services set forth on Appendix 3 hereto on the basis of the Data Processing Terms or an order form that incorporates the Data Processing Terms.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Fastly, Inc. is an Internet intermediary which processes HTTP and HTTPS protocol requests upon the instruction of the data exporter in accordance with the terms of (i) the Agreement and (ii) the Data Processing Terms (to which these Clauses are attached) with data exporter.

Data subjects

The personal data transferred concern the following categories of data subjects:

Data subjects include the identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted by of for the data exporter to the data importer via the Services according to, by or at the direction of data exporter’s configuration of the Services.

Categories of data

The personal data transferred concern the following categories of data:

Personal data relating to an identified or identifiable persons contained in content or requests, including IP addresses, caused to be submitted to the data importer via the Services according to, by or at the direction of the data exporter’s configuration of the Services.

Special categories

Data exporter may cause to submit to the data importer via the Services according to, by or at the direction of the data exporter’s configuration of the Services special categories of data, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is, for the sake of clarity, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The objective of processing of personal data by data importer is the performance of the Services pursuant to the Agreement with data exporter.

DATA EXPORTER

Name: …

Authorised Signature: …

DATA IMPORTER

Name: …

Authorised Signature: …

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in the Security Measures applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://docs.fastly.com/guides/security-measures/ or otherwise made reasonably available by data importer.

DATA EXPORTER

Name: …

Authorised Signature: …

DATA IMPORTER

Name: …

Authorised Signature: …

Appendix 3 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Fastly’s content delivery services described here.

DATA EXPORTER

Name: …

Authorised Signature: …

DATA IMPORTER

Name: …

Authorised Signature: …

EXHIBIT B
DETAILS OF PROCESSING PERSONAL DATA


This Exhibit B includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.

Subject matter and duration of the Processing of Personal Data

The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and the Data Processing Terms.

The nature and purpose of the Processing of Personal Data

Fastly will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation and in accordance with Subscriber’s configurations of the Services.

The types of Personal Data to be Processed

  • Personal Data relating to an identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to Fastly via the Services according to, by or at the direction of Subscriber’s configuration of the Services.

  • Special categories of data in this content or these requests may include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life.

The categories of Data Subject to whom the Personal Data relates

Data Subjects include the identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to Fastly via the Services according to, by or at the direction of Subscriber’s configuration of the Services. Special categories of data contained in content or requests (as determined and controlled by the data exporter) may include, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life.

The obligations and rights of Subscriber

The obligations and rights of Subscriber are set out in the Agreement and the Data Processing Terms.