Archived: Data Processing Terms

Effective start date: 2021-09-27
Effective end date: 2022-08-09

PLEASE READ THESE DATA PROCESSING TERMS (THESE “TERMS”) CAREFULLY. THESE TERMS ARE A BINDING CONTRACT FOR PROCESSING OF PERSONAL DATA OF DATA SUBJECTS THROUGH THE USE OF FASTLY, INC. OR ITS AFFILIATES (“FASTLY”) SERVICES.

IF YOU DO NOT AGREE TO BE BOUND BY ALL OF THE PROVISIONS OF THESE TERMS, AND YOU HAVE NOT SEPARATELY AGREED WITH FASTLY, INC. OR A RELEVANT FASTLY, INC. AFFILIATE ON TERMS REGARDING THE PROCESSING OF PERSONAL DATA OF DATA SUBJECTS, DO NOT ACCESS OR USE, AS APPLICABLE, FASTLY’S OR THE AFFILIATE’S SERVICES FOR THE PROCESSING OF PERSONAL DATA OF DATA SUBJECTS.

IF YOU REQUIRE A SIGNED VERSION OF THESE TERMS PLEASE CONTACT SUPPORT@FASTLY.COM.

BY ACCESSING OR USING FASTLY SERVICES YOU ARE ACCEPTING THESE TERMS (ON BEHALF OF YOURSELF OR THE ENTITY THAT YOU REPRESENT) AND YOU REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, AUTHORITY, AND CAPACITY TO ENTER INTO THESE TERMS (ON BEHALF OF YOURSELF OR THE ENTITY THAT YOU REPRESENT AND ITS AFFILIATES).

THESE TERMS WERE POSTED ON SEPTEMBER 27, 2021. PRIOR VERSIONS OF THESE TERMS ARE AVAILABLE AT https://docs-archive.fastly.com/dataprocessing/.



FASTLY DATA PROCESSING TERMS

1. Purpose. In consideration of the parties’ mutual obligations to comply with applicable law in accordance with the Agreement, these Fastly Data Processing Terms (these “Terms”) (including their appendices) apply to Fastly’s Processing of Personal Data on Subscriber’s behalf in accordance with Privacy and Data Protection Laws. Unless otherwise expressly agreed in writing between Subscriber and Fastly, this version of the Terms (1) is incorporated into and subject to the Agreement and each Service Order, (2) shall be effective and remain in force for the term of the Agreement and each Service Order, and (3) in the event of any conflict between the terms of the Agreement, a Service Order, and these Terms, the relevant provisions of these Terms shall take precedence. These Terms shall not apply to any Subscriber that does not access or use the Services for Processing of Personal Data subject to Privacy and Data Protection Laws.

2. Definitions. Capitalized terms not defined in these Terms shall have the meaning set forth in the Agreement.

2.1 “Agreement” means any master subscription agreement or master customer agreement, by which a member of the Fastly Group grants a limited subscription to use the Services to Subscriber or otherwise makes its services available, such as the Fastly Terms of Service (available at https://www.fastly.com/terms). In the event Subscriber has entered into an Agreement with more than one Fastly Group entity, the Agreement governing the Services Processing the applicable Personal Data shall control.

2.2 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

2.3 “Data Controller” has the meaning given to “controller” or “data controller” in accordance with applicable Privacy and Data Protection Laws.

2.4 “Data Processor” has the meaning given to “processor” or “data processor” in accordance with applicable Privacy and Data Protection Laws.

2.5 “Data Subject” has the meaning given to “data subject” in accordance with applicable Privacy and Data Protection Laws.

2.6 “Documentation” means the online documentation available via https://docs.fastly.com, or when applicable, product specific documentation described in the Agreement with a Fastly Group affiliate.

2.7 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2.8 “Fastly Group” means Fastly, Inc. and its affiliates engaged in the Processing of Personal Data.

2.9 “GDPR” means, as applicable, the EU GDPR and/or the UK GDPR.

2.10 “Personal Data” has the same meaning as personal data or information of or about a person, as defined in the applicable Privacy and Data Protection Laws where such data is submitted to Fastly via the Services according to Subscriber’s configuration of the Services.

2.11 “Privacy and Data Protection Laws” means any law or regulation applicable to the processing of personal data under the Agreement, including, for example, the GDPR and the CCPA.

2.12 “Processing” and “process” have the meaning given in accordance with applicable Privacy and Data Protection Laws.

2.13 “Service Order” means one or more online or written ordering documents which incorporate the Agreement or have otherwise been accepted by a member of the Fastly Group.

2.14 “Services” has the meaning of such defined term in the Agreement or other similar terms to describe the products and services provided by the Fastly Group.

2.15 “Standard Contractual Clauses” means, as applicable, the EEA Standard Contractual Clauses and/or the UK Standard Contractual Clauses as defined in Appendix 3.

2.16 “Subscriber” means the subscriber that has executed a Service Order for Services.

2.17 “Subscriber Data” has the meaning of such defined term in the Agreement or other similar term to describe the data submitted (or caused to be submitted) to the Fastly Group via the Services.

2.18 “Sub-processor” means any Data Processor engaged by Fastly or a member of the Fastly Group, including Fastly affiliates.

2.19 “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018.

3. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Subscriber is either a Data Controller or a Data Processor and Fastly is a Data Processor.

4. Subscriber’s Processing of Personal Data. Subscriber shall, in its use of the Services, only Process Personal Data or transfer such Personal Data to Fastly, in accordance with the requirements of Privacy and Data Protection Laws and the Documentation. In particular, Subscriber represents and warrants on an ongoing basis that, including for the purposes of Article 6 of the GDPR, there is a legal basis for the Processing by Fastly of Personal Data on behalf of Subscriber in accordance with these Terms and the Agreement (including any and all instructions issued by Subscriber from time to time in respect of such Processing) and it will honor the rights of Data Subjects pursuant to Privacy and Data Protection Laws. If Subscriber is a Data Processor, Subscriber represents and warrants that its instructions and actions with respect to the Personal Data, including appointing Fastly as a Processor, have been and are authorized by the relevant Data Controller.

5. Fastly’s Processing of Personal Data. Fastly shall only Process Personal Data upon Subscriber’s documented instructions and immediately notify Subscriber in writing if, in Fastly’s reasonable opinion, their instructions infringe Privacy and Data Protection Laws; provided, Subscriber acknowledges that the Services will Process Personal Data on an automated basis in accordance with Subscriber’s configurations, which Fastly does not monitor. Subscriber instructs Fastly to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Service Orders; (ii) Processing initiated by Subscriber through the Services’ application programming interfaces (APIs) or user interfaces; (iii) Processing to comply with other reasonable documented instructions provided by Subscriber (e.g., via support tickets, email communications and chat platforms) where such instructions are consistent with the terms of the Agreement and (iv) Processing otherwise required of Fastly by applicable laws. These Terms and the Agreement contain Subscriber’s sole instructions to Fastly for the Processing of Personal Data. Appendix I, Part B to these Terms sets out the details of Fastly’s Processing of Personal Data.

6. Transfers of Personal Data

6.1 Fastly’s Global Network. Subscriber acknowledges that as part of performing its Services Fastly maintains a growing global network of computing facilities that will process Subscriber Data (including Personal Data) in accordance with Subscriber’s configurations of the Services. Subscriber acknowledges that its Subscriber Data may automatically transit across national borders in response to Subscriber’s clients’ requests and Subscriber’s configurations of the Services in accordance with the Documentation.

6.2 Consent to Transfer. Except as expressly set forth in the Agreement, Fastly may store and process Personal Data in the United States or any other country in which Fastly or any of its Sub-processors maintains facilities, subject to this Section 6.

6.3 Cross-Border Personal Data Transfer Mechanism. Where Processing of Personal Data by Fastly requires an onward transfer mechanism to lawfully transfer Personal Data from a jurisdiction (including those identified in Appendix 3), then the terms and conditions of Appendix 3 (Cross Border Transfer Mechanism) shall apply.

7. Correction, Amendment and Deletion Of Personal Data. To the extent Subscriber, in its use of the Services, does not have the ability to correct, amend or delete Personal Data as required by Privacy and Data Protection Laws, Fastly shall comply with any commercially reasonable request by Subscriber to facilitate such actions to the extent Fastly is legally permitted to do so and has reasonable access to the Personal Data. Subscriber acknowledges that Fastly cannot correct, amend, or permanently delete cached copies of Personal Data hosted or stored on equipment controlled by Subscriber; and the storage and deletion of Subscriber Data processed by the Services occur automatically in accordance with the Documentation.

8. Third Party Requests. Fastly shall, to the extent legally permitted, promptly notify Subscriber if it receives a request, complaint, inquiry or other correspondence from a data subject, regulatory authority or other third party in connection with Fastly’s processing of Personal Data. Unless required by law, Fastly shall not respond to any such third party request without Subscriber’s prior written consent except to confirm that the third party request relates to Subscriber and to provide the third party with Subscriber’s contact information to allow them to contact Subscriber directly. Taking into account the nature of the Processing and to the extent Subscriber does not have access to the relevant information through its use of the Services, Fastly shall, at Subscriber’s cost, provide Subscriber with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Subscriber in fulfilling its obligations with respect to third party requests.

9. Fastly Personnel

9.1 Confidentiality. Fastly shall ensure that its personnel (including personnel of the Fastly Group) engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed confidentiality agreements.

9.2 Reliability. Fastly shall take commercially reasonable steps to ensure the reliability of any Fastly personnel engaged in the Processing of Personal Data.

9.3 Limitation of Access. Fastly shall limit its access to Personal Data to those personnel who require such access to perform the Agreement.

9.4 Data Protection Officer. Members of the Fastly Group have appointed a data protection officer to the extent this is required by Privacy and Data Protection Laws. The appointed person may be reached at gc@fastly.com.

10. Sub-Processors

10.1 Appointment of Sub-processors. In accordance with Article 28(2) of the GDPR, Subscriber acknowledges and agrees that (a) members of the Fastly Group may be retained as Sub-processors; and (b) members of the Fastly Group may engage third-party Sub-processors in connection with the provision of the Services, in which case, members of the Fastly Group (as the case may be) shall procure that the Fastly Group has entered into a written agreement with respect to each Sub-processor containing data protection obligations in substantially similar terms to those in these Terms with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Fastly will make available to Subscriber a current list of Sub-processors engaged in connection with the provision of the Services with the identities of those Sub-processors in the Documentation or by posting such list to a Fastly Group website at https://docs.fastly.com/products/sub-processors. Additions or changes to the list of Sub-processors will be provided to Subscribers according to the Documentation updates provision of the Agreement or the applicable Fastly Group website, but in no event less than thirty (30) days prior to the date on which those Sub-processors begin processing Personal Data.

10.2 Right to Object. In the event Subscriber objects to a new or replacement Sub-processor(s) that Processes Personal Data, Subscriber may terminate the applicable Service Order(s) for those Services which cannot be provided by Fastly without the Processing of Personal Data by the objected-to new Sub-processor (including by changing Subscriber’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new or replacement Sub-processor without unreasonably burdening Subscriber or materially diminishing functionality) by providing written notice to Fastly within thirty (30) days of Fastly’s notice or disclosure of such new Sub-processor(s). Subscriber shall receive a pro-rata refund of any unearned prepaid fees for the period following the effective date of termination in respect of such terminated Services.

10.3 Liability. Fastly shall be liable for the acts and omissions of its Sub-processors to the same extent Fastly would be liable if performing the services of each Sub-processor directly under the terms of these Terms, except as otherwise set forth in the Agreement.

11. Security Controls for the Protection of Personal Data. Fastly shall maintain appropriate administrative, physical and technical safeguards for protection of the security and integrity of the Personal Data as set forth in the Documentation. Fastly regularly monitors compliance with these safeguards.

12. Security Breach Management and Notification. Fastly shall notify Subscriber without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Fastly or its Sub-processors of which Fastly becomes aware (“Security Breach”), providing Subscriber with sufficient information (insofar as such information is within Fastly’s possession) to allow Subscriber to meet its obligations to report or inform data subjects and/or regulatory authorities of the Security Breach under the GDPR, to the extent permitted by law. Fastly shall make commercially reasonable efforts to assist Subscriber in the investigation, mitigation and remediation of a Security Breach that is known to Fastly to the extent such Security Breach is caused by a violation of the requirements of these Terms by Fastly.

13. Limitation of Liability. Nothing in these Terms is intended to prejudice or limit any of Fastly’s right to limitations of liability afforded to data processors pursuant to Privacy and Data Protection Laws. Each party’s liability arising out of or related to these Terms (whether in contract, tort or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement; provided, in no event will such limitation apply to any data subject’s rights under the Standard Contractual Clauses.

14. Specific Provisions.

14.1 Data Protection Impact Assessment. Upon Subscriber’s request and at Subscriber’s cost, Fastly shall provide Subscriber with reasonable assistance needed to fulfill Subscriber’s obligation under Privacy and Data Protection Laws to carry out a data protection impact assessment related to Processing of Personal Data by Fastly taking into account the nature of the Processing and to the extent Subscriber does not otherwise have access to the relevant information, and to the extent such information is available to Fastly.

14.2 Prior Consultation. Upon Subscriber’s request and at Subscriber’s cost, Fastly shall provide Subscriber with reasonable assistance with any prior consultations to any regulatory authority of Subscriber which are required under Privacy and Data Protection Laws such as Article 36 of the GDPR related to Processing of Personal Data by Fastly and taking into account the nature of the Processing and to the extent Subscriber does not otherwise have access to the relevant information and to the extent such information is available to Fastly.

14.3 Audits. The parties agree that the audits described in the Standard Contractual Clauses and Privacy and Data Protection Laws shall be carried out in accordance with the following specifications:

14.3.1 Upon Subscriber’s request, and subject to the confidentiality obligations set forth in the Agreement, Fastly shall make available to Subscriber third-party certifications and audit reports regarding the Fastly Group’s compliance with the obligations set forth in these Terms and Subscriber shall use such information solely for the purposes of complying with its obligations under Privacy and Data Protection Laws.

14.3.2 If the information made available pursuant to Section 14.3.1 is insufficient, in Subscriber’s reasonable judgment, to confirm Fastly’s compliance with its obligations under these Terms, then Subscriber may request an onsite audit of the procedures relevant to the protection of Personal Data under these Terms. All such audits will be performed at Subscriber’s expense. Subscriber shall give Fastly reasonable notice of any on-site audit to be conducted under this Section 14.3 (which shall in no event be less than thirty (30) days’ notice unless required by a regulatory authority).

14.3.3 Subscriber shall reimburse Fastly for any time expended for any such on-site audit at the Fastly Group’s then-current professional services rate, which shall be made available to Subscriber upon request. Before the commencement of any such on-site audit, Subscriber and Fastly shall mutually agree upon the scope, timing and duration of the audit in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Fastly. Subscriber shall promptly notify Fastly with information regarding any non-compliance discovered during the course of an audit.

Deletion of Personal Data. Fastly shall delete Personal Data upon the termination or expiration of all Service Orders providing for the Processing of Personal Data and upon the request of Subscriber to the extent permitted by applicable law. Subscriber acknowledges that, except to the extent described in the Documentation, the Services do not export Subscriber Data and, therefore, Fastly will not return any Personal Data.

14.4 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the Standard Contractual Clauses shall be provided by Fastly to Subscriber only upon Subscriber’s request.

15. CCPA Compliance. As a service provider to Subscriber under the Agreement, Fastly will comply with the CCPA’s restrictions and prohibitions on service providers selling Personal Data and retaining, using, or disclosing Personal Data outside of the parties’ direct business relationship. Fastly shall not collect, use, retain, or disclose Personal Data except as permitted in the Agreement and under the CCPA. Fastly shall not sell Personal Data.

16. Enforcement. If any provision of these Terms is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of these Terms will remain in effect.

17. Order of Precedence. In the event of any conflict or inconsistency among the following, the provisions of the following agreements, in order of precedence, shall prevail: (i) the Standard Contractual Clauses (when applicable), (ii) these Terms, (iii) the Service Order(s) and (iv) the Agreement.

18. Changes to these Data Processing Terms. In consideration of Fastly’s ongoing obligations to comply with applicable law in the performance of the Services, Fastly may update these Terms. Fastly will provide no less than thirty (30) days’ prior notice of any change to these Terms (formatting and other immaterial changes excepted), unless prior notice is not practicable due to a conflict in applicable law or regulation or other changes outside of Fastly’s reasonable control. This notice of an update to these Terms will be posted on https://docs.fastly.com/changes/. Subscriber may subscribe to receive email and RSS updates to https://docs.fastly.com/changes.



Appendix 1 - Details of the Parties and Processing

A. List of Parties

Data exporter(s):

Name: Subscriber and any Affiliates identified by Subscriber in the Agreement

Address: Address of Subscriber described in the Agreement or as Subscriber has otherwise informed Fastly

Contact person’s name, position, and contact details: As stated in the Agreement or as Subscriber has otherwise informed Fastly

Activities relevant to the data transferred under the SCCs and the Terms: use of the Services in accordance with the Agreement

Signature and Date: This Appendix 1 shall be deemed executed upon acceptance of the Terms.

Role: Data exporter’s role is set forth in Section 3 of the Terms.


Data importer(s):

Name: Fastly, Inc.

Address: PO Box 78266, San Francisco, California, 94107, United States of America

Contact person’s name, position, and contact details: Paul Luongo, General Counsel, gc@fastly.com

Activities relevant to the data transferred under the SCCs and the Terms: Processing necessary to provide the Services

Signature and Date: This Appendix 1 shall be deemed executed upon acceptance of the Terms.

Role: Processor

B. Description of Processing and Transfer

The categories of Data Subject to whom the Personal Data relates

Data Subjects include the identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to Fastly via the Services according to, by or at the direction of Subscriber’s configuration of the Services.

Categories of personal data processed and transferred

Personal data within network requests and/or Subscriber Data (as that term is defined in the Agreement).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The Services do not require the Processing of sensitive data. Sensitive data will be processed only if data exporter instructs data importer to process sensitive data. The sensitive or special categories of data contained in content or requests (as determined and controlled by the data exporter) may include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life. Any such special categories of data shall be protected by applying the Security Measures described in Appendix 2.

The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Processing and transfers shall occur on a continuous basis as instructed by data exporter.

The nature and purpose of the Processing

Fastly is (a) an Internet intermediary and provider of edge cloud services that processes network requests according to standard protocols; (b) a provider of edge computing; and, (c) directly and through members of the Fastly Group a provider of network security services. Fastly provides all of its services upon the instruction of the data exporter in accordance with the terms of (i) the Agreement and (ii) the Data Processing Terms (or Data Processing Agreement as applicable) with the data exporter.

Fastly will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation and in accordance with Subscriber’s configurations of the Services.

Purpose(s) of the data transfer and further processing

The objective of processing of personal data by data importer is the performance of the Services pursuant to the Agreement with data exporter.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data is retained consistent with data exporter’s instructions and data importer’s documentation. For data importer’s content delivery and caching services, Personal Data is retained until the earlier of automated eviction from data importer’s cache servers or when exporter instructs importer to delete the data.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Data may be transferred to sub-processors to process data, on data importer’s behalf, consistent with data exporter’s instructions to data importer and data importer’s published documentation.

Data importer makes available to data exporter a current list of sub-processors engaged in connection with the Services with the identities of those sub-processors in its documentation (at https://docs.fastly.com). Notice of additions or changes to the list of sub-processors will be provided to data exporter according to the Documentation updates provision of the parties’ Agreement or the applicable data importer website.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

For the EEA Standard Contractual Clauses, the competent supervisory authority is determined in accordance with Clause 13 of the EEA SCCs.

For the UK Standard Contractual Clauses, the competent supervisory authority is the UK Information Commissioner’s Office.



Appendix 2
Technical and Organisational Measures Including Technical and Organisational Measures To Ensure The Security Of The Data

Fastly will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in the Security Measures applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://docs.fastly.com/guides/security-measures/ or otherwise made reasonably available by Fastly.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Fastly’s Security Measures are regularly tested and evaluated by third-party auditors, including as part of annual AICPA SOC 2 Type 2 and PCI DSS Level 1 audits. Fastly also conducts internal audits and risk assessments.



Appendix 3 - Cross Border Transfer Mechanism

1. Definitions. Capitalized terms not defined in this Appendix shall have the meaning set forth in the Terms.

1.1 “Standard Contractual Clauses” means, as applicable to a particular transfer, one of the following:

1.1.1 EEA SCCs

1.1.2 UK SCCs

1.2 “EEA SCCs” or “EEA Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.3 “UK SCCs” or “UK Standard Contractual Clauses” means the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR.

The Standard Contractual Clauses will apply to any Processing of Personal Data by Fastly where Personal Data is transferred from the European Economic Area (“EEA”), the United Kingdom and/or Switzerland to outside the EEA, the United Kingdom and/or Switzerland, either directly or via onward transfer, to any country or recipient: (a) not recognized by the European Commission, United Kingdom, or Switzerland (as applicable) as providing an adequate level of protection for Personal Data (within the meaning of Privacy and Data Protection Laws); and (b) to the extent the transfer is not covered by an alternative mechanism of transfer (e.g., binding corporate rules) recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.

3. Application of the EEA Standard Contractual Clauses. For data transfers from the EEA or Switzerland, then the EEA SCCs will apply as follows:

3.1 Module 2 (Controller to Processor) will apply where Subscriber is a Controller of Personal Data and Fastly is a Processor of Personal Data;

3.2 Module 3 (Processor to Processor) will apply where Subscriber is a Processor of Personal Data and Fastly is a Processor of Personal Data;

3.3 For each module, where applicable:

3.3.1 in Clause 7, the optional docking clause will not apply.

3.3.2 in Clause 9, Option 2 will apply, and the time period for prior notice of a sub-processor will be as set forth in Section 10 of the Terms.

3.3.3 in Clause 11, the option will apply.

3.3.4 in Clause 17 (Governing Law) (Option 1), the law of the Netherlands will apply.

3.3.5 In Clause 18(b), disputes will be resolved before the courts of the Netherlands.

3.4 Annex I of the SCCs shall be deemed completed with the information in Appendix 1 of the Terms.

3.5 Annex II of the SCCs shall be deemed completed with the information in Appendix 2 of the Terms.

3.6 For transfers from Switzerland:

3.6.1 The supervisory authority with respect to such Personal Data is the Swiss Federal Data Protection and Information Commissioner.

3.6.2 References to a “Member State” shall be interpreted to refer to Switzerland.

3.6.3 Data subjects located in Switzerland shall be able to enforce their rights in Switzerland.

3.6.4 References to the EU GDPR shall be understood to refer to the Swiss Federal Act on Data Protection (as amended or replaced).

3.6.5 In Clause 17 (Governing Law)(Option 1), the law of Switzerland will apply.

3.6.6 In Clause 18(b), disputes will be resolved in the courts of Switzerland.

4. Application of the UK Standard Contractual Clauses. For data transfers from the UK, where a data transfer requires a lawful transfer mechanism, then:

4.1 For so long as the law permits reliance on the standard contractual clauses for the transfer of Personal Data to Processors set forth in the European Commission’s Decision 2010/87/EU (“Old SCCs”), then those clauses shall apply between Subscriber and Fastly for transfers of Personal Data from the United Kingdom as follows:

4.1.1 Annex I of the SCCs shall be deemed completed with the information in Appendix 1 of the Terms.

4.1.2 Annex II of the SCCs shall be deemed completed with the information in Appendix 2 of the Terms.

4.2 In the event that the law does not permit use of the Old SCCs for transfers of Personal Data from the UK, but the parties are permitted to rely on the EEA Standard Contractual Clauses for transfers of Personal Data subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” issued by the UK ICO under s.119(a) (1) of the Data Protection Act of 2018 (“UK Addendum”), then: (i) the EEA Standard Contractual Clauses shall apply as modified by Sections 3.1 through 3.5 of this Appendix, amended as specified by the UK Addendum and (ii) the UK Addendum shall be deemed executed between Subscriber and Fastly.

If neither Section 4.1 nor 4.2 provides a lawful mechanism of transfer for Personal Data from the UK, then Fastly and Subscriber shall cooperate to implement mutually agreed appropriate safeguards for transfers of Personal Data as required by the UK GDPR.