If you use Fastly to process personal data, a separate Data Processing Addendum applies, but you must request it; it is not automatically included in the base terms.
This analysis describes what Fastly's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agreement and must be separately requested.
Interpretive note: The precise scope and terms of the DPA are not reproduced in the base ToS, so compliance adequacy depends on the DPA document itself, which requires separate review.
Business customers who transmit or process personal data through Fastly without executing a Data Processing Addendum may be operating without the contractual data processing framework required by GDPR, UK GDPR, or CCPA, creating regulatory compliance risk.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Fastly has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"To the extent that Fastly processes any Personal Data on your behalf in connection with your use of the Services, such processing shall be subject to Fastly's Data Processing Addendum, which is available upon request and incorporated into these Terms where applicable.— Excerpt from Fastly's Fastly Terms of Service
REGULATORY LANDSCAPE: GDPR Article 28 requires that where a controller uses a processor, a binding data processing agreement must be in place covering specified minimum terms. The UK GDPR imposes equivalent requirements. CCPA similarly requires service provider agreements to include specific contractual terms for personal data sharing. The base Fastly ToS does not appear to satisfy these requirements on its own, and the DPA must be separately executed. Relevant enforcement authorities include EU supervisory authorities, the UK ICO, and the California Privacy Protection Agency. GOVERNANCE EXPOSURE: High for EU, UK, and California customers processing personal data through Fastly without a DPA in place. Operating without a compliant DPA constitutes a potential GDPR Article 28 violation and exposes both Fastly and the customer to regulatory enforcement risk. JURISDICTION FLAGS: EU and UK customers are most directly affected, as GDPR and UK GDPR impose mandatory DPA requirements with regulatory enforcement teeth. California customers processing personal data of California residents should also ensure CCPA-compliant service provider terms are in place. Customers in other jurisdictions with data protection laws should assess local requirements. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams must proactively request and execute Fastly's Data Processing Addendum before transmitting personal data through the platform. The DPA should be assessed against GDPR Article 28 minimum requirements, including scope of processing, security obligations, sub-processor management, and data subject rights assistance. Customers should also assess Fastly's international data transfer mechanisms for data transiting outside the EEA or UK. COMPLIANCE CONSIDERATIONS: Data protection officers and privacy counsel should flag Fastly onboarding as a trigger for DPA execution before go-live. The DPA should be incorporated into the customer's vendor data processing register. Sub-processor lists and international transfer mechanisms (such as Standard Contractual Clauses) should be reviewed as part of DPA execution. Annual reassessment of the DPA and sub-processor list is recommended as part of ongoing GDPR compliance.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agreement and must be separately requested.
Business customers who transmit or process personal data through Fastly without executing a Data Processing Addendum may be operating without the contractual data processing framework required by GDPR, UK GDPR, or CCPA, creating regulatory compliance risk.
ConductAtlas has identified this type of provision across 6 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Fastly.