- EN
- JA
- ES
- DE
- FR
Law Enforcement Request Guidelines
We have published these guidelines to provide guidance for law enforcement authorities seeking information about our customers from Fastly.
Nothing in these guidelines is meant to create any enforceable rights against Fastly, and our guidelines (including descriptions of our business and data handling practices) are subject to change. These guidelines are not intended for requests for information by private parties in civil litigation, criminal defendants, or third parties seeking information about our customers’ content or use of our services. Complaints about customers’ content or use of the Fastly services should be directed to abuse@fastly.com as specified in our Acceptable Use Policy.
Fastly is Not a Website Host. What services does Fastly provide?
Fastly offers content delivery, security, and computing services across a global network. These services are used to secure and enhance websites and internet-facing applications. Fastly is not a traditional hosting provider, and we are unlikely to have in our possession content that a hosting provider has such as web pages or user messages. Our delivery and security services protect and accelerate web content published by our customers. That content is ultimately hosted, however, on servers or other services controlled by our customers even though delivery to our customers’ end-users is made over Fastly-controlled IP addresses. Because we use Fastly-controlled IP addresses when providing our internet intermediary services, certain internet records (such as WHOIS search results) might indicate Fastly is “hosting” a particular website or content, even though the content is hosted elsewhere.
Fastly is not subject to the Communications Assistance for Law Enforcement Act, 47 U.S.C. §§ 1001, et. seq. (“CALEA”), because it is not a telecommunications carrier as defined by CALEA. Further, Fastly’s services do not support interception capabilities.
Fastly Has Limited to No Information About Our Customers’ End Clients
For all Fastly customers, Fastly has account information that includes customer names, contact information, services purchased, and billing information. Fastly may have additional business (and non-content) information, depending on the product or services a customer uses, which may include Fastly service usage history, and records of access to administrative systems by customer personnel.
As a service provider, Fastly also processes customer content, such as data that our customers submit or caused to be submitted to our services.
We empower our customers to collect the data they need. We enable our customers to capture real-time request log information, but we do not keep such information unless either instructed by our customer or when limited logging is necessary to provide a specific customer-requested service. We consider data governance when designing and selecting systems and do not create, collect, or retain more data than we need. When we offer services that require us to temporarily collect data, such as monitoring services, we keep that data for a limited time before it is automatically deleted. As a result, Fastly is highly unlikely to have data responsive to requests seeking transactional data about our customers’ end-users’ interactions with our customers.
Fastly isn’t Likely to be the Appropriate Party for A Law Enforcement Request
We believe that our customers, not Fastly, should respond to all-third party requests related to their use of our services (including information about our customers’ users). The contracts that we enter into for our internet intermediary and edge cloud services require our customers to address all third-party requests we receive regarding data they transmit or cause to be transmitted through our services, including any request we receive from law enforcement authorities and government agencies. The relevant customer is required to resolve the issue directly with the individual or entity that makes the request. If the customer fails to do that, we reserve the right to suspend their access to our services. We believe that this process should apply even when governments are making the request.
For purposes of these guidelines, a “customer” is a Fastly subscriber except for those on a “free trial” account, as described here. Free trial accounts are not supposed to use Fastly to transmit production traffic.
Where to Send a Law Enforcement Request
| If sending your request by: | Send it to: |
|---|---|
| Email (must be used for law enforcement requests unless otherwise required by law) | gc@fastly.com |
| Physical (only where required) | Please alert gc@fastly.com if you wish to make delivery by mail or in person and we will provide an appropriate and accessible location or mailing address. |
Please note:
- Fastly’s acceptance of legal process by any of these means is for convenience and we do not waive any objections, including for lack of jurisdiction or proper service.
- Requests delivered by physical means will likely lead to delayed processing times.
Requirements for All Law Enforcement Requests
All law enforcement requests must:
- Be issued pursuant to applicable laws and through official channels.
- Be clear and specific, not vague or overbroad.
- State with particularity the categories of records or information sought and the time period for which information is requested.
- Provide sufficient information about the individual, entity, or website that is the subject of the request to enable Fastly to accurately associate the individual, entity, or website with the appropriate records. A request that does not include a URL is unlikely to be sufficient. We do not consider requests for all activity associated with one of Fastly’s public IP addresses (available at https://api.fastly.com/public-ip-list) to be particularized. Fastly processes millions of internet requests every second, and our public IP addresses are shared by multiple customers.
To enable us to verify that a request is from an official law enforcement agency, requests must include at least the following information:
- Requesting agency’s name;
- Requesting agent’s name;
- Requesting agent’s badge/identification number;
- Requesting agent’s employer-issued email address;
- Requesting agent’s telephone number (including extension);
- Requesting agent’s mailing address (P.O. boxes will not be accepted);
- Requested response date (please allow at least 2 weeks for processing, unless another time period is required by law); and
- Signature of the requesting official.
Requests from Non-U.S. Law Enforcement
Requests from law enforcement outside of the United States must be issued pursuant to applicable laws and through official channels. A Mutual Legal Assistance Treaty request, a request from a country meeting the obligations under the CLOUD Act, or letters rogatory may be required.
We Will Notify Customers That Are the Subject of a Law Enforcement Request Unless Prohibited By Law
Law enforcement seeking information from Fastly are, in most cases, able to obtain the information they seek directly from Fastly’s customers without compromising investigations or causing risk to individuals. We may provide law enforcement with contact information of our customers as appropriate. Specifically, our contracts require our customers to provide Fastly with a contact address for handling all third-party requests related to their content or use of the services. We are permitted to share that designated contact with any third party, including law enforcement.
Our Terms of Service regarding compelled disclosure require Fastly to notify our customers prior to any disclosure of their confidential information unless explicitly prohibited by law.
Fastly requires nondisclosure orders to include a specified time period (e.g., 90 days) during which we are prohibited from notifying the customer. Where appropriate, we will challenge nondisclosure orders in court. Fastly will provide notice to customers upon the expiration of a valid nondisclosure order.
Requests for Disclosure of Customer Information or Content
Fastly will not release customer information or content unless properly served with a valid and binding legal demand that compels Fastly to produce the requested information.
Fastly objects to overbroad or otherwise inappropriate demands as a matter of course.
Where compelled by law, in response to valid and binding subpoenas, Fastly will disclose customer information, which may include a customer’s name, address, email address, account creation date, and billing information.
Any customer content, including personal data, that our customers submit or cause to be submitted to our services will not be disclosed in response to a subpoena.
Fastly will not produce customer content unless we are served with a valid search warrant issued under procedures set forth in the Federal Rules of Criminal Procedure and the United States Constitution or equivalent procedures upon a showing of probable cause that compels Fastly to produce such information.
We will Preserve Customer Information for a Limited Time Upon Valid Request
Fastly will preserve customer information (which may include a customer’s name, address, email address, account creation date, and billing information) pursuant to a valid request for preservation not to exceed 90 days. Preservation requests, in accordance with applicable law, should include the following information:
- The name and signature of the requesting official;
- A valid, government-issued email address;
- Official letterhead; and
- The specific information for which you are requesting preservation.
Fastly will not disclose any preserved information without law enforcement otherwise meeting the requirements for disclosure set forth in these guidelines.
Emergency Requests from Law Enforcement
Consistent with our Privacy Policy and applicable law, Fastly may disclose information when it determines that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency. Fastly will evaluate emergency disclosure requests on a case-by-case basis in accordance with applicable laws and our Privacy Policy, Terms of Service and the Fastly Data Processing Terms. Where appropriate, we will reject such requests.
While Fastly does not commit to producing records under any set of circumstances or within a particular timeline and may request additional information to verify the nature of the emergency request and/or the identity of the person making the emergency request, any emergency request must:
- Be sent by email. Please include “EMERGENCY DISCLOSURE REQUEST” in the subject line.
- Describe the reasons you believe that Fastly has the information necessary to prevent an emergency involving danger of death or serious physical injury to a person, and includes the nature of the circumstances that requires disclosure of the information without delay.
- If Fastly provides you with information in response to an emergency request, we ask that you obtain and serve on Fastly the appropriate follow-up legal process seeking the same information as soon as practicable.
Child Safety
In addition to applicable law, our acceptable use policy (which is incorporated into our terms of service) prohibits the use of Fastly’s services for the purposes of exploiting or attempting to exploit minors in any way. If a law enforcement request relates to child safety, please put “CHILD SAFETY” in the subject line of the request.
Fastly reports any apparent instance of child exploitation detected on our services to the National Center for Missing and Exploited Children, including content identified within a law enforcement request.
Recovery of Costs
Consistent with applicable law, Fastly may seek reimbursement for costs to comply with requests from law enforcement. Fastly does not seek reimbursement for compliance associated with emergency disclosure requests or child safety matters.