Fastly, Inc

Content Delivery Network

Fastly speeds up websites by providing a Content Delivery Network, as well as providing DDoS, WAF, and load balancing functionality.


  • Instant configuration changes
  • Instant invalidation
  • Instant logging
  • Customisable logic


  • Complete control over how your content is cached and served
  • You can push new software releases in real time
  • Logs and analytics provide visibility into your changes
  • Add to or update data and logic with the API


£50 per gigabyte per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Fastly, Inc

Michael Seigal

07809 861 473

Service scope

Service scope
Service constraints None.
System requirements We pull from an origin server.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Depending on the support plan, we respond during business hours or 24/7/365.

Depending on the support plan, we respond by:

* the next business day.
* Severity 1 Incidents within 2 hours. Severity 2 Incidents within same day. All other Incidents by the next business day.
* Severity 1 Incidents within 15 minutes. Severity 2 Incidents within 2 hours. All other Incidents by the next business day.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible All features are keyboard-accessible.
Web chat accessibility testing None.
Onsite support Yes, at extra cost
Support levels We provide technical account managers.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide online documentation and if necessary onsite training. This can be found at
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users extract their data as the service is run.
End-of-contract process The customer is able to purge all data from the network at the end of their contract and configure their origin to no longer use Fastly. They are able to perform all termination duties themselves, however if they need additional assistance they can leverage our professional services to assist them.

Using the service

Using the service
Web browser interface Yes
Using the web interface Users can setup a service via the UI. Users can make changes to the service including configuring origins, front ends, caching, TLS, logging, user access, load balancing.
Web interface accessibility standard None or don’t know
How the web interface is accessible Our UI is deliver in standard text through a browser. Other than the customisation options through the users browser, Fastly has currently not added any additional accessible features. This is on our roadmap.
Web interface accessibility testing None
What users can and can't do using the API Users can configure andFastly provides an application programming interface (API) that can be accessed via a number of popular interactive clients. The Fastly API allows you to manage Fastly services via remote procedure calls instead of the web interface. This currently includes features such as:

Historical Stats
Remote Logging

The API features do not include customer account setup, which can only occur through the web interface controls. For examples of each API call in action, including full descriptions of the fields used and examples of requests and responses, see Fastly's API Reference.
API automation tools
  • Terraform
  • Other
API documentation Yes
API documentation formats HTML
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources Our platform is multi-tenant.
Usage notifications No


Infrastructure or application metrics Yes
Metrics types
  • HTTP request and response status
  • Network
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Backup and recovery

Backup and recovery
Backup and recovery No

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Information on our SLAs can be found here
and information on service credits is available here -
Approach to resilience Our POPs are internally resilient to any failure and if a POP fails, other POPs will serve its traffic.
Outage reporting Public dashboard with email alerts.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels User account assignment. We assign individual user accounts to personnel who access Fastly systems and devices. These assignments help us monitor and enforce accountability of user activity.

User-level privileges. Our systems and devices enforce user roles or similar measures to control the extent of access we grant individual users.

Multi-factor authentication. We enforce multi-factor authentication to better secure our computing resources from unauthorized logins.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
Devices users manage the service through
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Schellman & Company, LLC
PCI DSS accreditation date 12/2017
What the PCI DSS doesn’t cover N/A
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Fastly's security incident response process contains elements of industry standards in line with good security practices, but does not strictly conform to any specific standard.
Information security policies and processes Detail of Fastly's security policies and processes can be found

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Details of Fastly's security and compliance policies can be found at
Vulnerability management type Supplier-defined controls
Vulnerability management approach To maintain awareness of potential security vulnerabilities, Fastly monitors public and private distribution lists, as well as reports submitted through our responsible disclosure process. We validate and implement security patches for critical vulnerabilities within 24 hours of discovery. For non-critical vulnerabilities and updates, we schedule and deploy vendor-provided patches on a regular basis.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Security monitoring is based on matching against known bad characteristics, detecting anomalies, and baselining our production network.

On a daily basis, security engineers review reports from our log analysis tooling, and investigate them

Most events are closed without the need for further investigation. Others are escalated as a security incident, or are shared for remediation with engineering teams.
Incident management type Supplier-defined controls
Incident management approach Security incident management
Incident response plan. We maintain a formal incident response plan with established roles and responsibilities, communication protocols, and response procedures. We review and update this plan periodically to adapt it to evolving threats and risks to the Fastly service.

Incident response team. Representatives from key departments help address security-related incidents we discover. These personnel coordinate the investigation and resolution of incidents, as well as communication with external contacts as needed.

Breach notification. Fastly will notify affected customers within 48 hours of validating an unauthorized disclosure of customer confidential information.

More details can be found at:

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy efficiency
Energy-efficient datacentres No


Price £50 per gigabyte per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Test up to $50 of traffic for free, no commitment required


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑