---
header: Security program
lang: en
last_updated: '2026-07-08'
url: https://docs.fastly.com/products/security-program
---

Fastly operates a comprehensive information security program that includes administrative, physical, and technical safeguards to protect its infrastructure, data, services, and customers.

## Foundation

Fastly's security program is based on the [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) and includes annually reviewed security policies, designated roles and responsibilities, and formal procedures focused on risk.

### Security policies

Fastly institutes information security policies that are published internally and reviewed annually. The policies contain principles and point to standards that cover controls and procedures designed to protect Fastly and its customers.

### Roles and responsibilities

Fastly maintains designated roles and responsibilities within its security program, including a Chief Information Security Officer responsible for comprehensive oversight and a team of security professionals responsible for implementing the program.

### Risk-based approach

Fastly maintains formal procedures for the identification, assessment, and treatment of information security and availability risks, threats, and vulnerabilities to its services. Fastly implements its risk-based approach with controls designed to do the following:

- *Annual risk assessment:* Conduct an annual risk assessment to measure the state of security risk across the company. The results of this assessment are shared with the executive leadership team to ensure appropriate visibility and treatment.
- *Risk analysis and mitigation plan:* Evaluate each identified enterprise security risk and associated controls and implement mitigation plans commensurate with the risk to manage the risk to acceptable levels.
- *Risk register:* Maintain documentation of identified risks, threats, and vulnerabilities related to Fastly services. Assigned personnel help assess and remediate identified items in accordance with established risk and vulnerability management procedures.

## Defense-in-depth

Fastly’s security program is designed with multiple layers of protection. Fastly’s processes, technology, and physical security controls are designed specifically to provide a defense-in-depth approach and can be categorized as follows:

### Identity and access management

Fastly manages access to its production systems with controls designed to do the following:

- *Authentication:* Require unique user accounts and multi-factor authentication for remote access to production systems by all personnel.
- *Authorization:* Limit access using role-based access controls. Access is granted based on the principle of least privilege and manager approval and is reviewed on a periodic basis. Systems are in place to remove access when no longer needed, including upon personnel separation.
- *Audit:* Maintain and monitor logs of access attempts (both success and failure).

### Data security

Fastly manages data security using controls designed to do the following:

- *Customer credentials management*:
  - Secure customer-provided private keys and credentials throughout their lifecycle.
  - Encrypt customer-provided private keys at rest.
  - Re-encrypt customer-provided private keys on a regular interval.
  - Store key encryption keys in a secrets management system.
  - Decrypt private keys in memory at the edge when requested.
  - Remove private keys from memory after a short period of time.
  - Salt and hash customer passwords at rest.
  - Enable encryption for customer account passwords in transit.
  - Limit access to private keys to only those individuals whose role requires it.
- *Data in transit:* Implement encryption technologies based on specific use cases and customer configurations for data in transit. Customers are responsible for configuring encryption of their data in transit to end-users. Product-specific default encryption settings are described in the Documentation.
- *Data governance program:* Maintain a "privacy and protection-by-design" approach manifested in a data governance program and documented separately in the [data management documentation](https://docs.fastly.com/products/data-management).

Fastly may access or modify equipment, systems, or services that manage customer data as necessary to provide and improve the services, prevent or address service or technical issues, as required by law, or as customers expressly permit.

### Application security

Fastly manages application security using controls designed to do the following:

- *Secure development practices:* Train Fastly engineers annually on secure coding concepts, including the OWASP Top 10 and CWE Top 25, and implement testing and deployment controls. Code is peer-reviewed and run through automated testing before deployment to production systems. After review and testing, code is initially deployed to a limited number of locations in the Fastly network for further monitoring. If no problems are encountered, code is gradually deployed across the Fastly network.
- *Application security analysis:* Conduct periodic analysis and regular penetration testing of Fastly-written code with Fastly security engineers and third-party validators.
- *Automated code analysis:* Deploy technology to automatically identify and report on identified vulnerable dependencies.

### System and network security

Fastly manages system and network security in its production systems using controls designed to do the following:

- *Asset management:* Maintain an inventory of hardware and services deployed within the Fastly network.
- *Configuration standards:* Maintain secure configuration standards, including restricted ports, protocols, and services, and remove insecure default settings.
- *Patch management:* Patch systems on a regular basis and apply out-of-band patches for newly-identified risks.
- *System management:* Manage systems by verifying the controls addressed in Fastly’s security program are in place, including logging and monitoring, host-based firewalls, and session management.
- *Audit and monitoring:* Log relevant security-related events, including authentication successes or failures and the use of certain commands. Events triggered by anomalous activity or suspicious behavior are investigated and alerts are monitored for effectiveness.
- *Documentation:* Maintain accurate network diagrams and internal documentation of Fastly production systems and services.
- *Access Control List (ACL) review:* On at least a semi-annual basis, review ACLs of host-based firewall and router rulesets.
- *Intrusion detection:* Maintain mechanisms designed to detect potential intrusions at the network and host level. Fastly inspects and responds to detected events, as applicable, to address threats.

### Physical security

Fastly production systems reside in a combination of Fastly-managed data centers and cloud and internet service provider environments. Regardless of the physical location of the infrastructure or its operator, minimum, mandatory physical security controls are evaluated and applied to all environments in which Fastly production systems reside.
Fastly manages physical security using controls designed to do the following:

- Physical access to provider environments: Only use providers that maintain physical and environmental protections, including perimeter protection, access logging and review, and other surveillance systems.
- Physical access to production systems: Only grant physical access to approved personnel. Requests for access are evaluated by authorized personnel based on proof of proper credentials and access is limited to specified areas.
- Environmental security safeguards: Require Fastly-managed data centers to protect their systems with controls including power redundancy, fire suppression, and other environmental controls.
- Secure hardware destruction: Use secure destruction of production hardware prior to disposal.
- Disk encryption and secure boot: Maintain additional technical security controls, such as disk encryption and secure boot, where deemed appropriate.

Data centers used for Fastly’s PCI and HIPAA-Compliant Caching and Delivery are Payment Card Industry Data Security Standard (PCI DSS) certified locations.

### Human security

Fastly manages human security using controls designed to do the following:

- Employee background screening: Conduct background screenings on each employee upon hire and maintain a policy requiring employees to report any criminal convictions during the course of employment, each as permitted by applicable local regulations.
- Confidentiality agreements: Require all employees to enter into confidentiality agreements with Fastly to help safeguard sensitive information that employees may view, process, or transmit as part of their job functions.
- Awareness training: Provide security training upon hire and annually thereafter for all employees. Mandatory annual training includes security awareness that covers application of best security and privacy practices in day-to-day work to help ensure each employee understands how to identify sensitive information and comply with applicable regulations.

## Continuous monitoring and improvement

Fastly uses strict processes and testing procedures designed to continuously monitor, improve, and apply its security program. These are categorized as follows:

### Change management process

Fastly follows a defined set of procedures to develop and deploy technology changes. These changes include updates to software, configurations, and devices that support Fastly’s services.
Fastly manages its change management process using controls designed to do the following:

- Testing: Require changes to be tested at various stages of development to confirm the changes operate as expected in a non-production environment before completing a deployment into its production services.
- Change approval and notification: Prepare, approve, and communicate change notices to maintain awareness among employees who manage the Fastly network and systems. Fastly maintains rollback procedures to address deployment issues if they arise.
- Post-implementation review: Confirm the success of changes after deployment.
- Change monitoring: Use multiple monitoring and alert mechanisms to enhance the visibility of technical changes and help ensure adherence to change management processes.

### Vulnerability management

Fastly monitors for vulnerabilities in its production systems using controls designed to do the following:

- Internal and external vulnerability scanning: On a regular basis, automatically analyze production systems for vulnerabilities.
- Vulnerability mitigation: Assess the risk of identified or reported vulnerabilities, and mitigate vulnerabilities in a timely manner based on the risk assessment. Mitigations for vulnerabilities deemed highest severity are implemented within twenty-four (24) hours of validation.
- Distribution lists and vendor notification: Monitor publicly disclosed vulnerabilities and confidential vulnerability distribution lists and notifications from software vendors.

### Penetration testing

On an annual basis, Fastly engages a third party to conduct a penetration test of Fastly production systems. Identified issues are prioritized and handled based upon the severity of the evaluated risk they pose.

### Compliance and audits

Fastly maintains recurring [audits and assessments](https://www.fastly.com/trust) to confirm its security program meets various industry standards and regulatory requirements.

### Fastly vendor management

Fastly uses third-party vendors and service providers to support its services. Fastly evaluates its vendors for security controls and risk to Fastly, its customers, and its services prior to using vendor services and regularly thereafter based on vendor risk.

## When something goes wrong

Fastly aims to provide a reliable and secure platform and monitors for threats and system disruptions to detect, respond to, and recover from incidents in a timely manner. Fastly’s implements an incident response process and business continuity controls as follows:

### Incident management plan

Fastly maintains a formal incident response plan to address security-related incidents. The plan contains established roles and responsibilities, communication protocols, and response procedures. Fastly reviews and updates the plan periodically to adapt it to evolving threats and risks to its services. Representatives from key departments are assigned to address security-related incidents. These personnel coordinate the full lifecycle of incidents, from detection, through response, and recovery. These processes include communication with external parties, as needed.

### Incident notification

Fastly notifies affected customers within forty-eight (48) hours of validating any unauthorized disclosure of customer data. Following any security-related incident, Fastly investigates and takes corrective action in a timely manner according to the incident management plan and provides affected customers with periodic updates.

### Business continuity

Fastly manages business continuity using controls designed to do the following:

- Service failover: Prepare production systems for service failover. Production systems are deployed on infrastructure in multiple regions or zones to provide redundancy in the event of degraded performance or operational issues with a third party provider. If failure of a service occurs within a single region or zone, Fastly will automatically attempt to use infrastructure in another region or, if possible, another infrastructure provider.
- Internet redundancy: Only use data centers and cloud infrastructure providers that have connections with multiple internet service providers.
- Service monitoring: Monitor reporting channels to detect service-related issues. Personnel are available 24x7x365 to confirm and respond to disruptions of Fastly services.
- Communication and reporting: Provide service interruption updates to customers using various communication methods (including [fastlystatus.com](https://www.fastlystatus.com/)), depending on an incident's scope and severity.
- Business continuity plan and testing:  Review, approve, update, and test a business continuity plan for Fastly production systems annually.
- Data backups: Conduct regular backups of data, excluding cached customer data, to support the recovery and availability of Fastly services. Data backups are tested on a periodic basis to validate backup recovery procedures.
