Last updated 2018-10-03
Fastly's security program includes safeguards that help protect your data as it moves through the Fastly service. Information about these safeguards is organized by category. Our technology compliance guide describes additional safeguards we maintain.
Authentication and authorization
User account assignment. We assign individual user accounts to personnel who access Fastly systems and devices. These assignments help us monitor and enforce accountability of user activity.
User-level privileges. Our systems and devices enforce user roles or similar measures to control the extent of access we grant individual users.
Multi-factor authentication. We enforce multi-factor authentication to better secure our computing resources from unauthorized logins.
Secure software development. We provide annual training to Fastly developers to help identify and prevent common software vulnerabilities, including the OWASP Top 10. Developer code undergoes peer review prior to deployment, and internal security engineers and third-party security validators periodically analyze code for software components with higher potential security risk.
Web application security review. A third party assesses the security of the Fastly web application annually. We address findings from this assessment according to the risk they pose to the security of the Fastly service.
Network and infrastructure security
Network security reviews. We regularly perform vulnerability scans and third-party penetration tests on the Fastly network. We review and address findings from these activities to help maintain the security of our network.
Configuration standards. We document and follow configuration standards to maintain secure systems and network devices. These standards include business justification for used ports, protocols, and services, as well as the removal of insecure default settings.
Vulnerability and patch management. To maintain awareness of potential security vulnerabilities, Fastly monitors public and private distribution lists, as well as reports submitted through our responsible disclosure process. We validate and implement security patches for critical vulnerabilities within 24 hours of discovery. For non-critical vulnerabilities and updates, we schedule and deploy vendor-provided patches on a regular basis.
Secure data transmission. The Fastly service supports TLS configurations to encrypt connections both externally to end users and backend origin servers, as well as internally within the Fastly network.
Encryption key management. We maintain technology and procedures to secure private keys throughout their lifecycle.
Key storage and access security. We store private keys in encrypted repositories, and we restrict key storage access to personnel who support our key management processes.
Data center and physical security
Physical access restrictions. Our data centers are fully enclosed with perimeter protection such as fences, gates, and mantraps to prevent unwanted entry. Only authorized people (including data center personnel, our employees, and contractors) may enter and move within a data center.
Data center access management. We ensure movement within our data centers is monitored via onsite safeguards such as security guard assignment, facility access logging and review, and video surveillance. Additionally, we periodically review and adjust the list of personnel who may enter our data centers.
Secure asset installation. We install computer and network hardware in locked cages and racks. Only authorized individuals may physically access this equipment.
Environmental safeguards. Our data centers compensate for environmental disruptions with systems that control backup power, temperature and humidity, and fire suppression.
Business continuity and operational resilience
Service failover. If any of our points of presence (POPs) experience issues serving content, we can redirect traffic to a neighboring POP without interrupting the delivery of content to end users.
Internet redundancy. Our data centers have connections with multiple internet service providers. We do not rely on any single carrier to serve content to end users.
Service monitoring. We monitor multiple internal and external reporting channels to detect service-related issues. Personnel are available 24x7x365 to confirm and respond to disruptions of the Fastly service.
Communication and reporting. We update impacted customers using various communication methods (such as status.fastly.com), depending on an incident's scope and severity.
Security incident management
Incident response plan. We maintain a formal incident response plan with established roles and responsibilities, communication protocols, and response procedures. We review and update this plan periodically to adapt it to evolving threats and risks to the Fastly service.
Incident response team. Representatives from key departments help address security-related incidents we discover. These personnel coordinate the investigation and resolution of incidents, as well as communication with external contacts as needed.
Breach notification. Fastly will notify affected customers within 48 hours of validating an unauthorized disclosure of customer confidential information.
Logging and monitoring
Log analysis. We aggregate and securely store Fastly internal system activity. Monitoring these logs helps us discover and investigate potential security issues.
Change and configuration monitoring. We use multiple monitoring and alert mechanisms to enhance the visibility of technology changes and help ensure adherence to our change management process.
Intrusion detection. We maintain mechanisms to detect potential intrusions at the network and host level. Our Security department inspects and responds to events these detection measures discover.
Customer and end user data management
Cache data and configurations. Customers manage which content is cached, where, and for how long by setting policies that control that content. See our introduction to caching for more information. We may directly access or modify customer accounts or configurations to provide our services, prevent or address service or technical issues, as required by law, or as customers expressly permit. For the same reasons, we may also access or modify equipment, systems, or services that manage customer content.
Client IP addresses. As part of our caching network's general interaction with the internet, Fastly independently collects anonymized and aggregated client IP address information on a limited basis to provide and improve its services. Client IP addresses are retained in a non-anonymized, non-aggregated fashion for up to two business days, or up to seven days if those addresses are associated with transmission errors (such as 503 "Service Unavailable" errors), and are discarded thereafter.
Subscriber IP addresses. Fastly independently collects the IP addresses of users who access their services within the Fastly web interface or through the API. We make these IP addresses available to customers through our event log functionality. If customers define origin servers or syslog endpoints with IP addresses, we save those IP addresses as part of their configurations. We may retain IP addresses from event logs or configurations indefinitely. Dynamically-resolved origin IP addresses may be retained for up to two business days, or up to seven days if those addresses are associated with transmission errors (such as 503 "Service Unavailable" errors), and are discarded thereafter.
IP addresses and security monitoring. Fastly may retain indefinitely any non-anonymized, non-aggregated client or subscriber IP addresses associated with suspicious activity that may pose a risk to the Fastly network or our customers, or that are associated with administrative connections to the Fastly service.
Content request data. Content enters, transits, and departs our network in response to requests. We retain and use data about the operation and reliability of our processing of requests to monitor, maintain, and improve our services, our business operations, and our security and compliance programs. Subject to confidentiality obligations to our customers, we only disclose this data in anonymized and aggregated form.
Subscriber log streaming. Subscribers may stream syslog activity, including end user IP addresses, to a remote endpoint for analysis and use. Fastly does not retain subscriber syslog activity, except as described above.
Cloud infrastructure security and compliance program
The use of third-party cloud infrastructure to host Fastly products that deliver content or process requests requires us to address certain aspects of our security and technology compliance programs differently from when Fastly directly manages the infrastructure.
Data center and physical security. For cloud infrastructure we use, Fastly relies on data center space under the control of the cloud infrastructure providers. These providers may have physical access to assets that contain data from Fastly services. As part of our third-party security review process, we confirm that these providers maintain appropriate physical security measures to protect their data center facilities.
Business continuity and operational resilience. We deploy cloud-hosted products in multiple infrastructure regions or zones to help maintain those services when operational issues occur. If failure of a service occurs within a single availability zone, Fastly will automatically attempt to use cloud nodes in another zone.
Encryption. Fastly leverages in-transit and at-rest encryption to help secure data sent between Fastly and the cloud infrastructure provider or to secure data that resides on cloud infrastructure. Because we use at-rest encryption features offered by infrastructure providers, those providers may also hold the private encryption keys. As part of our third-party security review process, we confirm that these providers maintain secure encryption key management processes.