---
header: Data management
lang: en
last_updated: '2026-07-08'
url: https://docs.fastly.com/products/data-management
---

Fastly maintains a “privacy and protection by design” approach as part of its data governance program. Fastly is intentional about data processing and implements safeguards designed to limit and control access to customer and Fastly data. Fastly limits data collection to what is needed to provide, maintain, and improve its services and considers legal, compliance, regulatory, and commercial obligations when working with data.

## Fastly production data

In addition to the Fastly [security program](https://docs.fastly.com/products/security-measures), Fastly implements its data governance program with practices designed to manage data in its production environments as follows:

### Network data

- *Service management:* Fastly monitors, collects, and processes data related to the functional performance of Fastly’s network and services, anomalous activity, and suspicious behavior detected by the services. Fastly retains and uses this data to monitor, maintain, and improve its services, business operations, and security and compliance programs.
- *Confidentiality:* Fastly only discloses this data in an anonymized and aggregated form and subject to its confidentiality obligations to customers.

### IP addresses

- *Administrative connections:* Fastly may retain any non-anonymized, non-aggregated client or customer IP addresses associated with administrative connections to Fastly’s services indefinitely.
- *Fastly application:* Fastly independently collects the IP addresses of users who access services within the Fastly control panel or through the Fastly API.
- *Endpoints:* If a customer defines origin servers or syslog endpoints with IP addresses, Fastly will save those IP addresses as part of the customer’s configurations.
- *Client IPs:* Fastly retains client IP addresses in a non-anonymized, non-aggregated fashion for up to two business days, or up to seven days if those addresses are associated with transmission errors.
- *Origin IPs:* Fastly may retain dynamically-resolved origin IP addresses for up to two business days, or up to seven days if associated with transmission errors.
- *Suspicious activity:* Internal systems logs, including access logs and associated client and customer IP addresses, related to events triggered by anomalous activity or suspicious behavior are retained for at least one year. Fastly may retain IP addresses from Fastly event logs or configurations indefinitely.
- *Security events:* Fastly may retain non-anonymized, non-aggregated client or customer IP addresses associated with security-related incidents indefinitely.

### Customer data management

- *Customer content:* Customer content enters, transits, and departs Fastly’s network in response to requests. Generally, customers manage which content is processed, where, and for how long by setting policies that control that content.
- *Customer configurations:* Customer configurations may be stored indefinitely and can be deleted upon request. Fastly may directly access or modify customer accounts or configurations as necessary to provide and improve the services, to prevent or address service or technical issues, as required by law, or as customers expressly permit. Fastly retains encrypted backups of customer configurations, including VCL, and customer provided packages for business continuity purposes.
- *Cached and hosted content:* Cached and hosted content is retained per customer configuration and use of purge functionality. Customers may control length and type of retention through configuration options to meet requirements for regulatory reasons such as [HIPAA](https://docs.fastly.com/products/hipaa-compliant-caching-and-delivery) or [PCI DSS](https://docs.fastly.com/products/pci-compliant-caching-and-delivery). Fastly deletes cached and hosted content according to a customer’s use of the purge or deletion functionality as described in the Documentation.
- *Customer data processed by Next-Gen WAF:* Customer data processed via the security components of Next-Gen WAF and sent to Fastly may be stored for a maximum of 30 days (or such shorter period as may be specified in the Documentation). Customer data processed in local environments is under customer control and there is no remote access by Fastly.
- *Customer packages deployed to Compute:* Customer provided compiled code may be stored indefinitely and can be deleted upon request. Fastly may directly access or modify customer packages as necessary to provide and improve services, to prevent or address service or technical issues, as required by law, or as customers expressly permit.

### Customer request logs and observability features

- *Content request logs:* Customers may stream their content request logs, which may include request headers, including client IP addresses, to a customer-owned and managed or Fastly-owned and managed endpoint for analysis and use as described in the Documentation.
- *Request logs retention:* Fastly does not retain customers’ request logs except where explicitly stated in the Documentation and related to the functional performance of the services
- *Observability features:* Customers may enable observability features to capture and store data as described in the Documentation.

## Note regarding privacy law

Fastly services are delivered through a global network. Points of presence (PoPs) can be found on our [network map](https://www.fastly.com/network-map). Fastly employees provide support and technical services from various locations in the United States, Europe, Japan and other countries and regions. For more information regarding Fastly’s compliance with global privacy laws and regulations, refer to the [Fastly data processing terms](https://www.fastly.com/data-processing), the [list of sub-processors](https://docs.fastly.com/products/sub-processors), Fastly’s [privacy policy](https://www.fastly.com/privacy/), and additional resources on the Fastly [Trust page](https://www.fastly.com/trust).
