Fortinet Privacy Policy
Effective Date: September 9, 2024
This is the Privacy Policy of Fortinet, Inc. and its wholly-owned subsidiaries (collectively, “Fortinet,” “we,” “our,” or “us”). We provide security solutions that help protect the data and systems of our business customers from continually evolving risks. It is Fortinet’s policy to provide security and privacy. Each is important, and they are sometimes co-dependent. We believe in Security by Design and Privacy by Design. This Privacy Policy covers Fortinet’s handling of two categories of information:
- Personal data that our partners and customers ask us to process on their behalf (“Processor Data”). Fortinet offers security products and services, and related support and professional services (the “Fortinet Services”), such as FortiGuard, FortiCare, FortiCloud, FortiSandbox Cloud, FortiSIEM Cloud, and FortiMail Cloud. With some exceptions as identified below, under applicable law, in certain contexts Fortinet receives personal data through the Fortinet Services and is considered the “processor” of that data, and our customer is (or acts on behalf of) the “controller” of the data (i.e., the company with the right to decide how the data is used).
- Personal data that we handle for our own business (“Controller Data”), other than for our human resources and recruiting operations. Under applicable law, Fortinet is a “controller” of this data.
This Privacy Policy includes details specific to Processor Data, details specific to Controller Data, and information relevant to our handling of both kinds of data.
1. Privacy Practices Specific to Processor Data
a. Types of Processor Data We Collect
We receive information from or on behalf of our customers and their users, and for most of such data, we act as a “processor.” Because of the nature of the Fortinet Services, this information may contain any type of personal data. For example, we may collect the following categories of information, that may be Processor Data, through the Fortinet Services:
- Device identifiers, such as IP addresses, device name, model, manufacturer, firmware versions, operating system, metadata, time zone, language, MAC addresses, and other information about computing systems, applications, filenames and file paths, usernames, and technical data about the operating system instructions flow and networks.
- Contact details and registration information (including identifiers), such as names, aliases, usernames, emails, age, gender, phone numbers, addresses, and photographs
- Internet or other electronic network or device activity information, such as system logs, traffic, URLs, metadata, and antivirus and other malware statistics
- Other information that identifies or can be reasonably associated with you, including information contained in files, activity logs, analysis reports, communications content and metadata, distribution lists, and information provided to us through dashboards or portals associated with the security and firewall solutions of the Fortinet Services, such as troubleshooting requests and security inquiries regarding files and systems
Some of the technical information listed above is considered personal data in certain contexts. Fortinet also collects Processor Data through the technology described in the “Cookies and Similar Automated Data Collection” section below. We use Processor Data as described in the following section.
b. Uses of Processor Data
Subject to our contractual obligations, and depending on the particular Fortinet Services, we may use and disclose the information described above (sometimes in combination with other information we obtain, such as from our customers) as follows:
- To provide the Fortinet Services, including by:
- Providing maintenance and technical support
- Providing product upgrades
- Addressing security and business continuity issues
- Analyzing and improving the Fortinet Services, including responding to new threats and developing new features
- To enforce the legal terms that govern the Fortinet Services
- To comply with law and protect rights, safety, and property
- For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business
Many Fortinet Services use automated technology to recognize and defend against cybersecurity risks, such as by blocking or quarantining suspected malicious data. To better protect our customers and assist them with their own security compliance, some Fortinet Services use external threat information gathered in these situations to improve security for customers of Fortinet Services in similar situations. For example, if certain Fortinet services determine that a hacker is attacking some of our customers, we may use information about that threat in order to help protect other customers from similar attacks. This provides our customers’ data with much better protection than what would be possible if our services could not learn from experience. We handle “Threat Data” like this as described in the “Privacy Practices Specific to Controller Data” section below.
c. Disclosures of Processor Data
Subject to our contractual obligations, and depending on the particular Fortinet Services, we may disclose the information described above as follows:
- To provide the Fortinet Services, which can involve disclosing personal data to our customer and with third parties selected by the customer or its users (for example, to detect security threats, and protect against malicious, deceptive, fraudulent, or illegal activity, we process data about third-party threat actors (such as the IP address of certain compromised devices that attempt cyberattacks on our customers)
- To enforce the legal terms that govern the Fortinet Services
- To comply with law, and where we deem disclosure appropriate to protect rights, safety and property (for example, for national security or law enforcement)
- As part of an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization
- For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business
For those purposes, we may share information with our affiliates and other entities that help us with the activities described in this Privacy Policy.
2. Privacy Practices Specific to Controller Data
a. Types of Controller Data We Collect
As described above, we act as a processor for most of the Fortinet Services. We are, however, a “controller” under applicable law with respect to Controller Data. Controller Data includes two general categories of data: Business Data and Threat Data.
For example, we may collect certain data about customers, prospective customers, partners and their personnel (“Business Data”), which may include:
- Contact details and professional details, such as name, email address, address, phone number, title and name of company
- Online identifiers, such as IP address and account ID information
- Information about users’ experience with our products, services, events and online forums and communities, such as the Fortinet Developer Network and CTAP end-user reports
- Information about actual or prospective customer personnel’s other interactions with Fortinet, e.g., procurement, customer service, and point of sale data
- Data we handle in connection with the Network Security Expert Institute, the Fortinet Network Security Academy and other training and certification programs, including contact information, identity documents and other personal data collected for authentication of the candidate’s identity and test security, and testing results
- Audio or video information, such recordings of meetings, or photographs collected from certification candidates for identity verification and security checks
- Information about actual or prospective users’ interests
- Financial data, such as payment information for Fortinet products and services
- Investor relations-related data
- Other business-related data collected on our websites (such as online forum registrations) and elsewhere for our own business (such as at events)
We obtain Business Data directly from the relevant individuals or their employers, and also from third-party sources, such as distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referrals from customers and users, as well as publicly available sources such as company websites.
In connection with some Fortinet Services, Fortinet is also considered a controller of certain personal data relevant to security threats, i.e., “Threat Data.” To the extent it is personal data, IP addresses, device identifiers, URLs, and other data associated with malicious activity are part of Threat Data. We obtain Threat Data through Fortinet Services, publicly available sources such as online forums, dark web sources, other security providers and researchers, and independent research.
Fortinet also collects Business Data and Threat Data through the technology described in the Cookies and Similar Automated Data Collection section below. We use all Controller Data as described in the following section.
b. Uses of Controller Data (Business Data and Threat Data)
Fortinet uses Controller Data as follows:
- To provide our products, services, events, websites, communities, training, certifications, and other business offerings
- For marketing, advertising, and other communications (including customizing and tailoring all of them for the particular recipient)
- To manage our relationships with customers, partners, suppliers, event attendees, and others
- For surveys and other market research
- For cybersecurity research
- To analyze, improve, and create Fortinet Services and other business offerings
- To enforce the legal terms that govern our business and online properties
- To provide security and business continuity
- To comply with law and protect rights, safety, and property
- For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.
c. Disclosures of Controller Data (Business Data and Threat Data)
Subject to our contractual obligations, we share the information described above as follows:
- For the uses of information described above
- As part of an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization
- For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.
For those purposes, we may share information to:
- Our affiliates.
- Our customers.
- Third parties that assist us, such as our resellers, event providers, payment processors, marketing providers, testing providers, analytics providers, providers of technical services (e.g., providers of data storage, data backup, and CRM systems), and other subcontractors.
- Joint marketing partners.
- Security researchers.
- Computer Emergency Response Teams (CERT)
- Employers and others who seek verification of an individual’s claimed certification status.
- Entities involved in dispute resolution (such as an arbitrator or an opposing party).
- Entities involved in potential or actual significant corporate transactions or events.
- Governmental entities.
d. Legal Bases for Processing Controller Data (Business Data and Threat Data)
The laws in some jurisdictions require companies to tell you about the legal ground they rely on to use or disclose your personal data. To the extent those laws apply, our legal grounds for processing Controller Data are as follows:
- Legitimate interests: In most cases, we handle personal data on the ground that it furthers our legitimate interests in commercial activities such as the following in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals:
- Protecting our business, personnel and property
- Providing cybersecurity, including for the protection of personal data (for example, sharing information with a regional CERT team to mitigate threats within a region)
- Customer service
- Marketing
- Analyzing and improving our business; and/or
- Managing legal issues
We may also process personal data for the same legitimate interests of our customers and business partners.
- To honor our contractual commitments to the individual: Some of our processing of personal data is to meet our contractual obligations to individuals, or to take steps at the individuals’ request in anticipation of entering into a contract with them.
- Consent: Where required by law, and in some other cases, we handle personal data on the basis of consent. Where legally required (e.g., for the use of fingerprints for security purposes in certain jurisdictions), this is explicit consent.
- Legal compliance: We need to use and disclose personal data in certain ways to comply with our legal obligations.
e. Personal Data Rights and Choices (including Direct Marketing Opt-Out)
We offer the options described below for exercising rights and choices under applicable law. Many of these are subject to important limits or exceptions under applicable law.
- To exercise rights or choices with respect to Processor Data, please make your request directly to the Fortinet customer for whom we process the data, particularly if the self-service options described below do not fully resolve your concern.
- You may review and update certain user information by logging in to the relevant portions of the Fortinet Services or Fortinet websites or online services.
In addition, the law of your jurisdiction (for example, within the European Economic Area) may give you additional rights to request access to and rectification or erasure of certain of your personal data we hold. In some cases, you may be entitled to receive a copy of the personal data you provided to us in portable form or to request that we transmit it to a third party. The law may also give you the right to request restrictions on the processing of your personal data, to object to processing of your personal data, or to withdraw consent for the processing of your personal data (which will not affect the legality of any processing that happened before your request takes effect).
You may contact us as described below to make these requests.
- For example, residents of the European Economic Area and certain other jurisdictions have a right to opt out of our processing of Controller Data for direct marketing purposes. You can exercise this right by contacting us as described below.
- Our marketing emails and certain other communications include unsubscribe instructions, which you can use to limit or stop the relevant communications. Opt-out processes may take some time to complete, consistent with applicable law. Certain communications (such as certain billing-related communications or emergency service messages) are not subject to opt-out.
- Many Fortinet Services are designed to block hacking and other unauthorized activity, and they use automated means to compare user activity or device traits to similar data points that been associated with hacking or other unauthorized activity. If you believe that our services have been used to block you in error, please contact the relevant Fortinet customer for assistance. If you believe our services have blocked access to certain websites in error, please follow the instructions on our FortiGuard website to have such blocking reviewed. In limited cases, we may be able to assist you directly, depending on our contract with our customer and how the blocking happened.
- You may contact us with any concern or complaint regarding our privacy practices, and you also may lodge a complaint with the relevant governmental authority.
- Some Residents of California and Nevada have specific rights under the next two sections.
f. Privacy Information for California Residents
This subsection applies only to “personal information” about California residents, as that term is defined in the California Consumer Privacy Act, as amended (“CCPA”), and it supplements the information in the rest of our Privacy Notice above. Data about individuals who are not residents of California is handled differently and is not subject to the same rights described below. This section does not apply to data that we handle in our capacity as a processor or “service provider” under the CCPA or to data that is exempt from the CCPA, such as publicly available information. Californians who wish to exercise the rights described here with respect to Processor Data should contact the customer on whose behalf we handle the data. The rest of this California section applies only to Controller Data.
Categories of personal information we collect and disclose
During the 12 months leading up to the effective date of this Privacy Notice and on an ongoing basis, Fortinet has collected all of the following information from and about California residents:
- Identifiers, such as:
- Contact details and professional details, such as name, email address, address, and phone number
- Online identifiers, such as IP address and account ID information
- Professional or employment related data (such as title and name of company)
- Commercial information, such as:
- Information about users’ experience with our products, services, events and online forums and communities, such as the Fortinet Developer Network and CTAP end-user reports
- Information about actual or prospective customer personnel’s other interactions with Fortinet, e.g., procurement, customer service, and point of sale data
- Information about actual or prospective users’ interests
- Certain data we handle in connection with the Network Security Expert Institute, the Fortinet Network Security Academy and other training and certification programs, such as testing results.
- Other business-related data collected on our websites (such as online forum registrations) and elsewhere for our own business (such as at events)
- Audio or video information, such recordings of meetings, or photographs collected from certification candidates for identity verification and security checks
- Financial data, such as payment information for Fortinet products and services Investor relations-related data
- Certain internet or other network or device activity (such as IP addresses, device identifiers, cookie data, device attributes, device usage information, browsing information, and metadata)
- Account login credentials
- Other information that identifies or can be reasonably associated with an individual
- Inferences drawn from any of the above
We intend to retain this information until we determine retention no longer is necessary for the purposes described further below. Because we may collect and use the same category of personal information for different purposes and in different contexts, there is not typically a fixed retention period that always will apply to a particular category of personal information.
The Threat Data we collect (i.e., data related to security threats) may include identifiers, commercial data, login credentials, internet or network or device activity, or other personal information, depending on the context.
Fortinet uses personal information as follows:
- To provide our products, services, events, websites, communities, training, certifications, and other business offerings
- For marketing, advertising, and other communications (including customizing and tailoring all of them for the particular recipient)
- To manage our relationships with customers, partners, suppliers, event attendees, and others
- For surveys and other market research
- For cybersecurity research
- To analyze, improve, and create Fortinet Services and other business offerings
- To enforce the legal terms that govern our business and online properties
- To provide security and business continuity
- To comply with law and protect rights, safety, and property
- For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business
CCPA “sale” of California personal information
Fortinet does not sell personal information as the term “sell” is traditionally understood. But “sell” under the CCPA is broadly defined. As described further below, some of our disclosures of personal information qualify under the CCPA as what it defines as a “sale” or “sharing” of personal information. In many cases, for example, “sale” includes the disclosure of personal information to third parties in exchange for something of value, even if no money changes hands. For example, disclosing an advertising or device identifier to a third party to receive their services may be considered a “sale” under the CCPA in some cases. During the 12 months leading up to the effective date of this Privacy Policy, we have “sold” and “shared” (as those terms are defined under the CCPA) what the CCPA calls “identifiers” (like IP addresses), “internet or other electronic network activity information” (like information regarding an individual’s browsing interactions on Fortinet.com), and “commercial information” (like the fact that a browser visited a page directed to people who are considering purchasing from us) to third parties that assist us, such as marketing providers and analytics providers. This practice continues today. To our knowledge, we do not “sell” or “share” (as those terms are defined under the CCPA) the personal information of individuals under 16 years of age.
Californians have a right to ask us not to “sell” or “share” certain personal information as that term is defined in under the CCPA. You can make such a request by performing BOTH of the following steps:
- Click here and complete the form, using the phrase “Do Not Sell or Share My Personal Information” in the form fields (or just send us an email at privacy@fortinet.com with that request); AND
- If you’d like your request to include CCPA “sales” and “sharing” that happen through cookies and related technology on one of our websites, follow the steps below that are applicable to your use of that website:
- To opt out of those “sales” and “sharing” that occur through webpages with a URL that begins with “www.fortinet.com”, click on the Cookie Settings link in the footer. In the Privacy Preference Center that pops up, click on the Performance Cookies tab and make sure the toggle button is in the off position (the left side of the slider). Click it if it is not in the off position. Repeat this process for Advertising Cookies and Functional Cookies and then click the “Confirm My Choices” button. Be sure to repeat this second step from each browser you use to access our webpages that begin with “www.fortinet.com.” Because we store this preference in a cookie, you’ll need to repeat this process again in a particular browser if you clear your cookies in that browser or if you have chosen to use a browser that automatically clears cookies.
- Additional control options (which can be used to limit certain data collection or use on Fortinet webpages that don't have a Cookie Settings link in their footer) are described in the Cookies and Similar Automated Data Collection section of our Privacy Policy below. Because those too store your preference in a cookie, you’ll need to repeat this process again in a particular browser if you clear your cookies in that browser or if you have chosen to use a browser that automatically clears cookies.
Opting out of “sales” and “sharing” limits only some types of disclosures of personal information, and there are exceptions to all of the rights described in this section. For example, the federal Cybersecurity Information Sharing Act pre-empts (cancels) the CCPA with respect to any requirement that we allow an opt-out of certain disclosures of cybersecurity threat indicators, even if those disclosures might otherwise be considered a “sale” under the CCPA.
Other Disclosures of Personal Information
In the last 12 months, we disclosed California personal information to third parties as follows:
Category of personal information |
Categories of third parties to which it is disclosed |
---|---|
Identifiers (such as name, address, email address and other contact information) |
|
Commercial information, (such as information about an individual’s interests and interactions with us, our partners, or our customers, including transaction data) |
Same as first row in this chart. |
Financial data (such as payment information) |
Affiliates, third parties that assist us, and governmental entities, entities involved in dispute resolution (such as an arbitrator or an opposing party), entities involved in potential or actual significant corporate transactions or events. |
Audio and visual information (such as CCTV images or recordings of calls or meetings) |
Affiliates, third parties that assist us, and governmental entities |
Internet or other network or device activity (such as IP addresses, device identifiers, cookie data, device attributes, device usage information, browsing information, and metadata) |
Same as first row in this chart. |
Geolocation information |
Affiliates, third parties that assist us, and governmental entities, joint marketing partners, security researchers. |
Account login credentials |
Affiliates, third parties that assist us, security researchers. |
Professional or employment related data (such as title) | Same as first row in this chart. |
Other information that identifies or can be reasonably associated with an individual |
Same as first row in this chart. |
Inferences drawn from any of the above | Same as first row in this chart. |
We do not use or disclose “sensitive personal information” covered by this Notice and as defined in the CCPA in a manner that requires us to offer a special right to limit our use of this data under the CCPA.
CCPA Right to Access, Correct, or Delete Personal Information
If you are a California resident, California law also may permit you to request that we:
- Provide access to and/or a copy of certain information we hold about you;
- Delete certain information we have about you;
- Correct certain personal information we have about you; and
- Inform you about the categories of personal information we have collected about you in the preceding 12 months; the categories of sources of such information; the business or commercial purpose for collecting or selling your personal information; and the categories of third parties with whom we have disclosed certain personal information, and more specific detail about what categories of information were "sold," "shared" or disclosed to particular categories of third parties, similar to the detail above this section of the Privacy Policy;
Please note that certain information may be exempt from such requests under California law. For example, we need certain information to provide our services to you, so we may reject a deletion request for that information while providing services to you.
To request to exercise any of these rights and receive the fastest response, please email us at privacy@fortinet.com or click here to submit a request. You may also call us at (833) 675-6887. We reserve the right to require verification of your identify before we fulfill a request, which may include requiring you to login to an existing Fortinet account, providing us with information that matches our records for you, responding to an email we send, or taking other steps relevant to your relationship with us and the nature of your request.
If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a
notarized authentication letter or a power of attorney. We also may require the consumer to verify their identity directly with us. Because opt-out requests for “sales” and “sharing” made through cookies and related technology must be performed from each browser that is used to access our Services, it is easiest for the consumer to perform such opt-outs themselves. However, if a consumer wishes for an agent to perform browser-based requests on their behalf, the consumer may arrange for the agent to use the consumer’s browser to make such requests. We are not responsible for the security risks of this or any other arrangements that a consumer may have with an agent. For clarity, this is not permission for any user to disclose their login credentials to an agent or any third party. Such disclosure is prohibited and is not required for an agent to make requests under this Privacy Policy.
For security and legal reasons, however, Fortinet reserves the right not to accept requests that require us to access third-party websites or services.
You have a right not to receive “discriminatory treatment” (within the meaning of the CCPA) for the exercise of the privacy rights conferred by the CCPA.
g. Notice to Nevada Residents
- Under a Nevada law, certain Nevada consumers may opt out of the “sale” of “personally identifiable information” for monetary consideration to a person for that person to license or sell such information to additional persons, as those concepts are defined under the Nevada law, which differs from the CCPA. “Personally identifiable information” under that law includes first and last name, address, email address, phone number, Social Security Number, or an identifier that allows a specific person to be contacted either physically or online.
- We do not engage in such activity; however, if you are a Nevada resident who has purchased or leased goods or services from us, you may submit a request to opt out of any potential future sales under Nevada law by contacting privacy@fortinet.com. We reserve the right to take reasonable steps to verify your identity and the authenticity of the request. Once verified, we will maintain your request in the event our practices change.
3. Additional Information About Our Privacy Practices (applicable to both Processor Data and Controller Data)
a. Aggregate or De-Identified Data
Subject to applicable law and our contractual obligations, (i) we may aggregate or de-identify Controller Data or Processor Data so that the information cannot be linked to the relevant individual and (ii) our use and disclosure of aggregated, anonymized, and other non-personal information is not subject to any restrictions under this Privacy Policy, and we may disclose it to others without limitation for any purpose.
b. Cookies and Similar Automated Data Collection
In our websites, apps and emails, we and third parties may collect certain information by automated means such as cookies, Web beacons, tags and scripts or similar technologies, JavaScript and mobile device functionality.
This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation, other device information, Internet connection information, as well as details about individuals’ interactions with our apps, websites and emails (for example, the URL of the third-party website from which you came, the pages on our website that you visit, and the links you click on in our websites, and firmographic information based on IP lookup).
We and third parties may use automated means to read or write information on users’ devices, such as in various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage).
Cookies and local storage are files that contain data, such as unique identifiers, that we or a third party may transfer to or read from a user’s device for the purposes described in this Privacy Policy, such as recognizing the device, service provision, record-keeping, analytics and marketing, depending on the context of collection.
These technologies help us (a) keep track of whether you are signed in or have previously signed in so that we can display all the features that are available to you; (b) remember your settings on the pages you visit, so that we can display your preferred content the next time you visit; (c) display personalize content; (d) perform analytics, and measure traffic and usage trends, and better understand the demographics and other attributes of our users; (e) diagnose and fix technology problems; and (f) otherwise plan for and enhance our business.
Also, in some cases, we facilitate the collection of information by advertising services administered by third parties. The ad services may track users’ online activities over time by collecting information through automated means such as cookies, and they may use this information to show users ads that are tailored to their individual interests or characteristics and/or based on prior visits to certain sites or apps, or other information we or they know, infer or have collected from the users. For example, we and these providers may use different types of cookies, other automated technology, and data (i) to recognize users and their devices, (ii) to inform, optimize, and serve ads and (iii) to report on our ad impressions, other uses of ad services, and interactions with these ad impressions and ad services (including how they are related to visits to specific sites or apps).
The best way to manage your preferences regarding our use of these technologies on Fortinet websites that have a “Cookie Settings” link in the footer is to click that link and submit your preferences. On other Fortinet webpages, you can make certain choices by following the steps below.
You may be able to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed here. However, if you block or otherwise reject our cookies, local storage, JavaScript or other technologies, certain websites (including our own websites) may not function properly.
To learn more about interest-based advertising generally, including how to opt out from the targeting of interest- based ads by some of our current ad service partners, visit aboutads.info/choices or youronlinechoices.eu from each of your browsers. You can opt out of Google Analytics and customize the Google Display Network ads by visiting your Google Ads Settings. Google also allows you to install a Google Analytics Opt-out Browser Add-on for your browser.
If you replace, change or upgrade your browser (or use a browser that automatically clears your cookies), or delete your cookies, you may need to use all of the opt-out tools described above again. We do not respond to browser-based do-not-track signals.
Please visit your mobile device manufacturer's website (or the website for its operating system) for instructions on any additional privacy controls in your mobile operating system, such as privacy settings for device identifiers and geolocation.
c. Security
We have put in place physical, electronic, and managerial procedures to safeguard data and help prevent unauthorized access, to maintain data security, and to use correctly the data we collect. However, we cannot assure you that data that we collect will never be used or disclosed in a manner that is inconsistent with this Privacy Policy.
If a password is used to help protect your personal information, it is your responsibility to keep the password confidential. Do not share this information with anyone.
d. Data Retention
We will retain your information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. To provide security and business continuity for the activities described in this Privacy Policy, we make backups of certain data, which we may retain for longer than the original data. For example, FortiGate Cloud Sandbox (SaaS) retains files and related logs if rated Suspicious for 60 days.
e. International Data Transfers
Fortinet and the recipients of the data disclosures described in this Privacy Policy have locations in the United States, Canada and elsewhere in the world, including where privacy laws may not provide as much protection as those of your country of residence. Fortinet data centers for Processor Data are located primarily in Canada. We comply with legal requirements for cross-border data protection, including through the use of European Commission-approved Standard Contractual Clauses. To exercise any legal right to request data transfer mechanism documents that Fortinet uses to transfer data to third parties, please contact us.
Certain Fortinet Services allow our customers and users to make international data transfers to third parties, for which they are solely responsible.
f. Data Privacy Framework
Fortinet, Fortinet Holding LLC, and Fortinet Branch Holding Company, comply with the requirements of the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (collectively “DPF”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission (“FTC”), regarding the collection, use, and retention of Processor Data transferred from the European Economic Area (“EEA”) and the United Kingdom (“UK”) and Switzerland to the United States. We have certified to the Department of Commerce that we adhere to the DPF Principles and Supplemental Principles with respect to “personal information” (as defined in the DPF) that is part of Processor Data transferred to us in reliance on the DPF. To the extent that the DPF applies to your information, if there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. We are subject to the investigatory powers of the FTC with respect to our DPF compliance. To learn more about the DPF program, and to view Fortinet’s certification, please visit https://www.dataprivacyframework.gov/s/. Fortinet may also protect information through other legally valid methods, including international data transfer agreements.
>If you are an EEA, UK, or Swiss citizen, you may be able to exercise certain choices under the DPF regarding how some of your personal information is used and disclosed, and may access, correct or delete certain personal information by following the instructions in the “Personal Data Rights and Choices” section of this Privacy Policy.
When we receive Processor Data under the DPF and then transfer it to a third-party service provider acting as our agent on our behalf, we may have certain responsibility under the DPF if both (a) the agent processes the information in a manner inconsistent with the DPF and (b) we are responsible for the event giving rise to the damage.
If you are an EEA, UK, or Swiss citizen and feel that Fortinet is not abiding by the terms of this Privacy Policy, or is not in compliance with the DPF Principles, please contact Fortinet at the contact information provided below.
If we are unable to resolve your concerns, Fortinet has agreed, in compliance with DPF, to refer unresolved complaints concerning our handling of Processor Data received in reliance on DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF-related complaint from us, or if we have not addressed your DPF-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
If any request remains unresolved, you may contact the national data protection authority for your jurisdiction of residence. In certain conditions, if your DPF complaint has not been resolved after raising it with us following the JAMS procedure above and taking certain other steps, complaints may be resolved through binding arbitration, as described in Annex I of the DPF, available here: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
g. Notification of Changes
Fortinet reserves the right to change this Privacy Policy at any time to reflect changes in the law, our data collection and use practices, the features of our services, or advances in technology. Please check this page periodically for changes. Any updated Privacy Policy will be posted on Fortinet.com via a hyperlink in the footer or other convenient location.
h. How to Contact Us
To request to exercise any of these rights and receive the fastest response, please click here or email us at privacy@fortinet.com.