Notice of Self-Certification Under the EU-U.S. Privacy Shield Framework

Effective Date: September 23, 2016

Fastly, Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles as set forth by the U.S. Department of Commerce (collectively, the “Principles”).  Fastly is committed to subjecting all personal information received from European Union (“EU”) member countries in reliance on the Privacy Shield Framework to the Framework’s Principles.  To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.

Scope

Fastly, Inc. adheres to the Principles with respect to personal information we receive from individuals or companies in the EU in reliance on the Privacy Shield.  Fastly provides content delivery and related services (our “Services”) that permit subscribers to electronically submit (or cause to be submitted) data to the Services for caching, transmission, and associated processing. As the subscribers (or in some cases their end users) control the data to be cached, transmitted and/or processed, Fastly’s network, platform and services may be used as a conduit for information. As the Principles do not impose secondary liability, to the extent Fastly, on behalf of its subscriber, merely transmits, routes, switches or caches data, Fastly may rely on its subscribers to comply with legal requirements underlying the Principles with respect to such processing.

Types of personal information collected and data processed

Fastly processes data on behalf of our subscribers, which may include personal information, in accordance with our agreements with our subscribers and for the purpose of providing the Services. Fastly acts as a data processor with respect to data submitted to our Services.  Fastly neither controls nor owns what our subscribers and their internet clients submit to the Services.  Fastly also collects, uses and discloses personal information of individuals who visit our websites and applications (“Visitors”) and individual representatives of our subscribers, suppliers and business partners (“Business Contacts”). Personal information associated with Visitors and Business Contacts is collected, stored and processed in accordance with Fastly’s Privacy Policy.

We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Purposes of data processing

As a data processor, Fastly caches, transmits, discloses and processes data submitted to our Services, which may include personal information about EU personnel received from its subscribers and their users, at the direction of its subscribers in accordance with our agreements. Fastly may access or process your data to provide the Services, to prevent or address technical or service problems, to follow the instructions of our customer who submitted the data, or in response to contractual or legal requirements. Fastly will not access personal information contained in the data submitted to the Services. Fastly may share personal information with its subsidiaries, contractors, or third parties if Fastly undergoes a business transaction, such as a merger, acquisition by another company or sale of all or a portion of its assets.

Type of third parties to which we disclose personal information

Fastly is responsible for the processing of personal information it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf.  Fastly may use from time to time third-party service providers, contractors and subprocessors to assist in providing the Services on our behalf. Fastly maintains contracts with these third parties restricting their access, use and disclosure of personal information in compliance with our Privacy Shield obligations, and Fastly may be liable if we fail to meet those obligations and we are responsible for the event giving rise to the damage.

Requirement to disclose

Fastly may be required in certain circumstances to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Right to access and to limit use

EU individuals have rights to access personal information about them, and to limit use and disclosure of their personal information, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in question, or where the rights of others would be violated.  With our Privacy Shield certification, Fastly has committed to respect those rights.  Because Fastly personnel have limited ability to access data our subscribers submit to our services, if you wish to request, access, to limit use, or to limit disclosure, please provide the name of the Fastly subscriber who submitted your data to our services.  We will refer your request to that subscriber, and will support them as needed in responding to your request.

Enforcement

With respect to personal Information received or transferred pursuant to the Privacy Shield Framework, Fastly is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Inquiries and complaints

Inquiries and complaints relating to Fastly’s treatment of personal information and its compliance with the Principles may be directed to:

abuse@fastly.com

Or

Fastly, Inc.
Attention:General Counsel
475 Brannan St., Suite 300
San Francisco, CA 94107

Fastly will respond to your inquiry or complaint within 45 days.  If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our designated U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.  

Arbitration

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted