If you use Fastly to process personal data, a separate Data Processing Addendum applies, but you must request it; it is not automatically included in the base terms.
This analysis describes what Fastly's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agreement and must be separately requested.
Interpretive note: The precise scope and terms of the DPA are not reproduced in the base ToS, so compliance adequacy depends on the DPA document itself, which requires separate review.
Business customers who transmit or process personal data through Fastly without executing a Data Processing Addendum may be operating without the contractual data processing framework required by GDPR, UK GDPR, or CCPA, creating regulatory compliance risk.
How other platforms handle this
To the extent that Duo processes any Personal Data (as defined in the Duo Privacy Data Sheet) on behalf of Customer in connection with Customer's use of the Services, the terms of the Duo Data Processing Agreement ('DPA'), which are hereby incorporated by reference into this Agreement, shall apply a...
Cloudflare's current Privacy Policy is incorporated into this Agreement by this reference and is located at https://www.cloudflare.com/privacypolicy/. In addition, by using the Services, you acknowledge and agree that internet transmissions are never completely private or secure.
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
Monitoring
Fastly has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"To the extent that Fastly processes any Personal Data on your behalf in connection with your use of the Services, such processing shall be subject to Fastly's Data Processing Addendum, which is available upon request and incorporated into these Terms where applicable.— Excerpt from Fastly's Fastly Terms of Service
REGULATORY LANDSCAPE: GDPR Article 28 requires that where a controller uses a processor, a binding data processing agreement must be in place covering specified minimum terms. The UK GDPR imposes equivalent requirements. CCPA similarly requires service provider agreements to include specific contractual terms for personal data sharing. The base Fastly ToS does not appear to satisfy these requirements on its own, and the DPA must be separately executed. Relevant enforcement authorities include EU supervisory authorities, the UK ICO, and the California Privacy Protection Agency. GOVERNANCE EXPOSURE: High for EU, UK, and California customers processing personal data through Fastly without a DPA in place. Operating without a compliant DPA constitutes a potential GDPR Article 28 violation and exposes both Fastly and the customer to regulatory enforcement risk. JURISDICTION FLAGS: EU and UK customers are most directly affected, as GDPR and UK GDPR impose mandatory DPA requirements with regulatory enforcement teeth. California customers processing personal data of California residents should also ensure CCPA-compliant service provider terms are in place. Customers in other jurisdictions with data protection laws should assess local requirements. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams must proactively request and execute Fastly's Data Processing Addendum before transmitting personal data through the platform. The DPA should be assessed against GDPR Article 28 minimum requirements, including scope of processing, security obligations, sub-processor management, and data subject rights assistance. Customers should also assess Fastly's international data transfer mechanisms for data transiting outside the EEA or UK. COMPLIANCE CONSIDERATIONS: Data protection officers and privacy counsel should flag Fastly onboarding as a trigger for DPA execution before go-live. The DPA should be incorporated into the customer's vendor data processing register. Sub-processor lists and international transfer mechanisms (such as Standard Contractual Clauses) should be reviewed as part of DPA execution. Annual reassessment of the DPA and sub-processor list is recommended as part of ongoing GDPR compliance.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agreement and must be separately requested.
Business customers who transmit or process personal data through Fastly without executing a Data Processing Addendum may be operating without the contractual data processing framework required by GDPR, UK GDPR, or CCPA, creating regulatory compliance risk.
ConductAtlas has identified this type of provision across 6 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Fastly.