When Fastly moves personal data from the EU, UK, or Switzerland to other countries (such as the US), it uses Standard Contractual Clauses, which are pre-approved legal contracts designed to ensure data protection standards follow the data. This is the primary legal mechanism Fastly uses to authorize international data transfers.
This analysis describes what Fastly's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Cross-border transfer mechanisms are a significant area of GDPR enforcement, and the adequacy of Standard Contractual Clauses depends on whether the destination country provides essentially equivalent protection. Organizations relying on SCCs may also need to conduct Transfer Impact Assessments.
Interpretive note: The policy does not specify which SCC module applies to each transfer relationship, nor whether Fastly participates in the EU-US Data Privacy Framework, creating some ambiguity for enterprise customers conducting transfer impact assessments.
Your personal data may be transferred from the EU, UK, or Switzerland to Fastly's servers or sub-processors in other countries, including the US. Fastly states it uses Standard Contractual Clauses to provide a legal basis for this transfer, though the practical protection this affords depends on implementation and the specific countries involved.
How other platforms handle this
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been found to provide an adequate level of protection under applicable law, we take steps to provide appropriate safeguards, including through the use of Standard Contract...
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Canva is headquartered in Australia and has operations and service providers in a number of countries. When we transfer personal information outside of the country in which it was collected, we take steps to ensure that appropriate safeguards are in place to protect your information, including the u...
Monitoring
Fastly has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, we transfer your personal data to countries outside of these regions only where we have put in place appropriate safeguards, such as the use of Standard Contractual Clauses approved by the European Commission.— Excerpt from Fastly's Fastly Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V, which governs international data transfers, and the European Commission's 2021 updated Standard Contractual Clauses. The UK's International Data Transfer Agreement (IDTA) applies for UK-to-third-country transfers. The EU-US Data Privacy Framework may also be relevant if Fastly participates in it, though the policy references SCCs as the primary mechanism. EU data protection authorities have enforcement authority. (2) GOVERNANCE EXPOSURE: Medium. SCCs are a recognized transfer mechanism under GDPR, but their use requires a documented Transfer Impact Assessment (TIA) where the destination country's legal framework may undermine the SCCs' effectiveness (as established by the CJEU in Schrems II). Fastly's policy does not describe whether TIAs are conducted, which is a compliance gap for enterprise customers who must document their own data flows. (3) JURISDICTION FLAGS: EU/EEA and UK data subjects are the primary affected population. Switzerland has its own transfer requirements under the revised Federal Act on Data Protection (revFADP). Enterprise customers in regulated sectors (financial services, healthcare) face heightened scrutiny of international transfer mechanisms from sector-specific regulators. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request copies of Fastly's executed SCCs and verify that they use the updated 2021 European Commission modules appropriate to the controller-processor relationship. DPA terms should specify which SCC module applies and identify the specific sub-processors and countries involved in data transfers. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should update their Records of Processing Activities (RoPA) to reflect Fastly as a data processor and international data transfer destination. A TIA should be documented for transfers to the US or other countries without an EU adequacy decision. Legal teams should verify whether the EU-US Data Privacy Framework offers a simpler transfer basis if Fastly is certified under that framework.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Cross-border transfer mechanisms are a significant area of GDPR enforcement, and the adequacy of Standard Contractual Clauses depends on whether the destination country provides essentially equivalent protection. Organizations relying on SCCs may also need to conduct Transfer Impact Assessments.
Your personal data may be transferred from the EU, UK, or Switzerland to Fastly's servers or sub-processors in other countries, including the US. Fastly states it uses Standard Contractual Clauses to provide a legal basis for this transfer, though the practical protection this affords depends on implementation and the specific countries involved.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Fastly.