Fastly Managed Security Service

Fastly offers Next-Gen WAF (powered by Signal Sciences) customers a Fastly Managed Security Service that provides your organization with continuous monitoring of your included Fastly security products, proactive action by Fastly in the event of an identified security incident, enhanced access to our Customer Security Operations Center (CSOC), and periodic consultation with a Designated Security Specialist for strategic security solutions reviews and planning. Together, Fastly’s CSOC team and your Designated Security Specialist support the design, implementation, and maintenance of your security solutions by consulting on initial configuration, requested maintenance, monitoring, and attack support.

The following table summarizes what the Fastly Managed Security Service provides:

Definitions

• "Business Hours" are 8AM-6PM during a Business Day in California or New York.
• "Business Days" are Monday through Friday, excluding any day that is a US national holiday.
• A "critical security incident" is an event that creates significant business impact or loss of availability for your production environments, or that threatens the integrity or confidentiality of your proprietary information.
• "Fastly Control" means elements entirely under Fastly's control and not a consequence of (a) your hardware or software failures, (b) you or your end user's connectivity issues, (c) your operator errors, (d) traffic amounts that exceed your Permitted Utilization as defined in the Terms and Conditions, (e) your corrupted content, (f) acts of god (any) or war, or earthquakes, or terrorist actions.
• "Full-Site Delivery Services" means the configuration for a website, app, API, or anything else to be served through Fastly’s Full-Site Delivery product.

Prerequisites

To purchase and use the Fastly Managed Security Service, you must also purchase a Professional or Premier Platform subscription for Fastly Next-Gen WAF along with Fastly Full-Site Delivery and delivery Enterprise Support.

To ensure accurate responses to requests and incident reports, you must ensure your account contact information remains up-to-date. The CSOC team can help you verify this information at any time.

Managed Security Service features

Fastly offers the Fastly Managed Security Service for the term as indicated in your Service Order. It includes the following features.

Continuous security product monitoring

Fastly will continuously monitor your Next-Gen WAF and Fastly Full-Site Delivery for early detection of security events and take proactive action in the event we identify a security event resulting in a security incident. The set of security events we monitor may change over time. You can request a current listing of the security incidents we monitor by submitting a general request to the CSOC. We will follow the contact procedures defined in your runbook in the event that we need to contact you prior to taking an action. It is your responsibility to notify us if any of your contact methods or permitted actions need to change.

The proactive actions Fastly may take on your behalf are explicitly permitted by you and documented in your customer runbook. During onboarding, we’ll agree on which actions we may take and you can update these actions by contacting the CSOC. Actions you may permit us to take can include, but are not limited to contacting you if we identify a security event requiring mitigation action and taking proactive action to mitigate the event.

Post-event reports

At Fastly’s discretion or at your request, Fastly will provide post-event reports for security incidents. These reports will document what Fastly observed and what actions were taken.

Monthly security report

Once a month, Fastly will send you a report documenting events observed and actions taken over the past month, recommendations for configuration changes and maintenance, results of threat hunting (when available), threat intelligence updates, and product updates.

Readiness drill

Up to once every six months, at your request, Fastly will partner with you to execute a readiness drill. This readiness drill simulates multiple phases of a security event with the objective of improving incident response. The scope of the readiness drill is at Fastly’s discretion, but will typically include how we will engage and escalate during an attack scenario. You must schedule a readiness drill at least two weeks in advance by making a request by contacting the CSOC. You won't be entitled to any refunds or credits for unused Readiness drills availability.

Account and event reviews

At your request, Fastly will schedule 2-hour account and event reviews during US business hours, up to once per month during the term of your subscription, with a designated security specialist who will review recent security events and actions taken, review configurations, consult with you on rule creation, review security product roadmaps with you, and discuss your overall security health. Because some review discussions require advance preparation, you must schedule them at least two weeks in advance by making a request by contacting the CSOC. You won't be entitled to any refunds or credits for unused reviews.

Priority CSOC access

By purchasing the Fastly Managed Security Service, you will be entitled to 24/7 access to Fastly's CSOC for assistance with incidents, configuration changes, and general inquiries. To receive this assistance, you may initiate contact via:

• Phone number. You will receive a phone number to initiate contact with Fastly's CSOC and to report critical security incidents. Fastly personnel can also establish audio and video conferencing (free app or browser plug-in required) for real-time voice and video communications.
• Email address. You will receive an email address to initiate contact with Fastly's CSOC for general support questions as well as an emergency email address for reporting of critical security incidents.
• Chat channel. You will receive a dedicated security chat channel for real-time communications to discuss security event notifications, general security product support and questions. The chat channel will be monitored 24/7 by Fastly’s CSOC. Inquiries regarding critical security incidents should be communicated using the notification mechanism that will be described during onboarding. Though subject to change, Fastly's current chat provider is Slack (www.slack.com).

Each of these contact methods will be provided to you (as applicable) during your onboarding period.

Fastly Managed Security Service support requests and response times

Fastly's response times and status updates vary based on request and incident severity.

General requests and inquiries

You may initiate general requests and inquiries by creating a ticket via the general support email address provided to Fastly Managed Security Service customers or by submitting a ticket via the Next-Gen WAF console and we will acknowledge your general outreach within two hours of its receipt. We will begin addressing your ticket within 24 hours of acknowledging its receipt and will provide status updates to you once daily on each subsequent day until the incident is resolved or is believed to be outside of Fastly's control.

Critical security incidents

Although the Fastly Managed Security Service includes continuous monitoring and proactive response to security incidents, there may be times where you need to notify us of a critical security incident requiring support. Support for critical security incidents that you identify can only be initiated via the emergency email address provided to Fastly Managed Security Service customers (not chat) or by selecting the Urgent priority when submitting a ticket via the Next-Gen WAF console. The ultimate classification of a request submitted by either of these methods will be determined solely by Fastly based on various factors including input and information you provide.

Fastly will acknowledge your critical security incident outreach within 15 minutes of its receipt. If classified as a critical security incident, we will begin actively troubleshooting these incidents within 30 minutes of acknowledging your ticket and will provide an initial status update within an hour of acknowledging your ticket, with subsequent updates at least every 4 hours thereafter unless an alternative update cadence has been agreed upon. Fastly will continue to work until the incident impact has been mitigated or is believed to be outside of Fastly's control.

Fastly Managed Security Service response SLA and credit terms

If you have purchased the Fastly Managed Security Service and, during a critical security incident, there is a material delay in response time and the cause of the delay is within Fastly's control, a one-time credit of $500 per critical security incident will be credited to your account. Specifically:

• Requests for invoice credits must be made within 30 calendar days of the critical security incident that triggered the service credit.
• All requests for invoice credits must be made to billing@fastly.com.
• A pending invoice credit does not release you from your obligation to pay all Fastly's submitted invoices in full when due.
• Invoice credits will be applied to the invoice generated two months following the month in which the credits were incurred.

If in any consecutive three-month period where three (3) or more support response time objectives are not met and the failure to meet the objectives materially adversely impacted you, you will have 30 days to terminate the Fastly Managed Security Service subscription following the third response failure. You must notify Fastly of your intention to terminate the Fastly Managed Security Service subscription, or the Fastly Managed Security Service portion of any bundled subscription, within 30 days of the triggering event. No other remedy or refund will be available other than your ability to terminate your subscription to the Fastly Managed Security Service.

Observational logging

Fastly will access and use your logs as part of the Fastly Managed Security Service. Logs will be used by Fastly to provide you with support, to monitor and maintain your Fastly security products, and as a means of threat detection.

Fastly will collect, store, and use a sampled subset of logging information generated by the Fastly content delivery network and security products (including IP addresses) for purposes including, but not limited to, monitoring product behavior, managing false positives, making configuration adjustments, producing periodic customer reports, making improvements to our products and services, improving our detection capabilities, and detecting potential security incidents. Fastly will do this by establishing a logging endpoint in your service configuration that will securely collect logging information in a third-party storage provider. Fastly will derive aggregated, anonymized data from the logs collected. This data will be used to improve security products and services for all subscribers, and includes statistical analyses as well as the development of security research and threat intelligence products.

By subscribing to the Fastly Managed Security Service, you instruct Fastly to access and use the logs for providing the above purpose in accordance with the Fastly Documentation. Sampled logged data will be deleted on a rolling basis and in any event retained no longer than thirty (30) days unless otherwise agreed to by you. Aggregated data will be deleted on a rolling basis and in any event retained no longer than ninety (90) days unless otherwise agreed to by you.

Limitations

The Fastly Managed Security Service has the following limitations:

• Origin administration and access. Fastly will not directly access or administer your origin systems at any time.
• Third-party product administration. Fastly will not administer third-party products or services.
• Identity verification. For contacts via telephone, we encourage you to establish authentication methods to verify that individuals reporting issues via telephone are authorized to make inquiries or request changes to account configurations on your behalf. Authentication methods may include use of an account authorization passphrase, Slack challenge process, or email verification. If an individual reporting an issue via telephone is not able to have their identity verified, they may report issues but not receive any account information or initiate account changes and your account's administrators will be notified of requests or inquiries.
• Services monitored. We will monitor up to ten Full-Site Delivery Services. You may request additional monitoring by submitting a general request to the CSOC.