When Fastly processes data as part of delivering services for its business clients, the business client is legally responsible for that data, not Fastly. If you are a regular internet user whose data passes through Fastly's network, you need to contact the website or service you were using, not Fastly, to exercise your privacy rights.
This analysis describes what Fastly's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines who you can hold accountable for your personal data and where to direct privacy requests. Most end users will not interact with Fastly directly, meaning their primary point of contact for data rights is the company whose website they visited.
If your data was processed by Fastly acting on behalf of a business client, Fastly will redirect your data subject request to that client and take no direct action. This means your right of access or deletion must be exercised against the website or app you used, not against Fastly.
How other platforms handle this
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...
Docusign may be a 'data controller' or a 'data processor' (or both) depending on the type of personal information and the context in which it is processed. When Docusign determines the purpose and means of processing personal information, we act as a data controller. When Docusign processes personal...
Monitoring
Fastly has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When Fastly acts as a service provider, we process personal information on behalf of our customers pursuant to their instructions. In these cases, our customers are the 'data controllers' and Fastly is the 'data processor.' If you are an end user of a Fastly customer's service and wish to exercise any rights with respect to your personal information, please contact the Fastly customer directly.— Excerpt from Fastly's Fastly Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4, 28, and 82, which establish the legal framework for controller and processor relationships, including joint liability scenarios. Under GDPR, processors may face direct enforcement liability in limited circumstances. The UK GDPR mirrors these provisions. The CCPA/CPRA similarly distinguishes between businesses and service providers, with corresponding obligations on each party. The California Privacy Protection Agency and State AG have enforcement authority over California-related claims. (2) GOVERNANCE EXPOSURE: Medium-High. The allocation of data subject request handling to enterprise customers as controllers is standard practice but operationally significant. If Fastly's enterprise customers have not implemented adequate data subject request workflows, end users may be unable to exercise their rights in practice, which creates regulatory exposure for the enterprise customer. Fastly's policy does not describe what steps it takes to assist controllers in responding to data subject requests, which is a requirement under GDPR Article 28. (3) JURISDICTION FLAGS: EU/EEA and UK data subjects have the strongest rights under this framework, including rights of access, rectification, erasure, and portability. California residents have analogous rights under CPRA. In both jurisdictions, the failure of the controller to respond adequately to data subject requests can result in regulatory investigation. Enterprise customers operating in these jurisdictions bear the primary compliance burden. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers must ensure they have a signed Data Processing Agreement with Fastly that specifies Fastly's obligations as a processor, including assistance with data subject requests, security measures, and sub-processor management. The absence of a compliant DPA would expose the enterprise customer to GDPR enforcement risk. Procurement teams should treat this as a mandatory contract review trigger. (5) COMPLIANCE CONSIDERATIONS: Enterprise compliance teams using Fastly as a CDN or security provider should audit whether their own privacy notices accurately describe Fastly as a sub-processor or service provider and whether their DPA with Fastly satisfies applicable regulatory requirements. Data mapping documentation should reflect Fastly's role and the categories of personal data that may transit Fastly's infrastructure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines who you can hold accountable for your personal data and where to direct privacy requests. Most end users will not interact with Fastly directly, meaning their primary point of contact for data rights is the company whose website they visited.
If your data was processed by Fastly acting on behalf of a business client, Fastly will redirect your data subject request to that client and take no direct action. This means your right of access or deletion must be exercised against the website or app you used, not against Fastly.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Fastly.