Fortinet Privacy Policy
Effective Date: January 1, 2020
This is the Privacy Policy of Fortinet, Inc. and its wholly-owned subsidiaries (collectively,
“Fortinet,” “we,” “our,” or “us”). We provide security solutions that help protect the
data and systems of our business customers from continually evolving risks. It is
Fortinet’s policy to provide security and privacy. Each is important, and they are
sometimes co-dependent. We believe in Security by Design and Privacy by Design. This
Privacy Policy covers Fortinet’s handling of two categories of information:
Personal data that our partners and customers ask us to process on their behalf
(“Processor Data”). Fortinet offers security products and services, and related support
and professional services (the “Fortinet Services”), including FortiGuard, FortiCare,
FortiCloud, FortiSandbox Cloud, and FortiMail Cloud. With some exceptions as identified
below, under applicable law, in certain contexts Fortinet is considered the “processor”
of the personal data we receive through the Fortinet Services, and our customer is (or
acts on behalf of) the “controller” of the data (i.e., the company with the right to decide
how the data is used).
Personal data that we handle for our own business (“Controller Data”), other than for
our human resources and recruiting operations. Under applicable law, Fortinet is a
“controller” of this data.
This Privacy Policy includes details specific to Processor Data, details specific to
Controller Data, and information relevant to our handling of both kinds of data.
1. Privacy Practices Specific to Processor Data
a. Types of Processor Data We Collect
We receive information from or on behalf of our customers and their users, and for
most of such data, we act as a “processor.” Because of the nature of the Fortinet
Services, this information may contain any type of personal data. For example, we may
collect the following categories of information, that may be Processor Data, through the
Fortinet Services:
Device identifiers, such as IP addresses, Device Name, firmware versions,
operating system metadata, time zone, language, MAC addresses, and other
information about computing systems, applications, filenames and file paths,
usernames, technical data about the operating system instructions flow and
networks.
899 Kifer Road Tel: +1-408-235-7700
Sunnyvale, CA 94086 Fax: +1-408-235-7737 [Link]
Contact details and registration information (including identifiers), such as
names, emails, age, gender, phone numbers, and photographs
Internet or other electronic network or device activity information, such as
system logs, traffic, URLs, metadata, and antivirus and other malware statistics
Other information that identifies or can be reasonably associated with you,
including information contained in files, communications content, and
information provided to us through dashboards or portals associated with the
security and firewall solutions of the Fortinet Services, such as troubleshooting
requests and security inquiries regarding files, systems.
Some of the technical information listed above is considered personal data in certain
contexts. Fortinet also collects Processor Data through the technology described in the
“Cookies and Similar Automated Data Collection” section below. We use Processor Data
as described in the following section.
b. Uses of Processor Data
Subject to our contractual obligations, and depending on the particular Fortinet
Services, we may use and disclose the information described above (sometimes in
combination with other information we obtain, such as from our customers) as follows:
To provide the Fortinet Services, including by:
o Providing maintenance and technical support
o Providing product upgrades
o Addressing security and business continuity issues
o Analyzing and improving the Fortinet Services, including responding to
new threats and developing new features
To enforce the legal terms that govern the Fortinet Services
To comply with law and protect rights, safety, and property
For other purposes requested or permitted by our customers or users, or as
reasonably required to perform our business.
Many Fortinet Services use automated technology to recognize and defend against
cybersecurity risks, such as by blocking or quarantining suspected malicious data. To
better protect our customers and assist them with their own security compliance, some
Fortinet Services use external threat information gathered in these situations to
improve security for customers of Fortinet Services in similar situations. For example, if
certain Fortinet services determine that a hacker is attacking some of our customers, we
may use information about that threat in order to help protect other customers from
similar attacks. This provides our customers’ data with much better protection than
what would be possible if our services could not learn from experience. We handle
“Threat Data” like this as described in the “Privacy Practices Specific to Controller Data”
section below.
c. Disclosures of Processor Data
Subject to our contractual obligations, and depending on the particular Fortinet
Services, we may disclose the information described above as follows:
To provide the Fortinet Services, which can involve sharing personal data with
our customer and with third parties selected by the customer or its users (for
example, to detect security incidents, and protect against malicious, deceptive,
fraudulent, or illegal activity, we process data about third-party threat actors
such as the IP address of certain hacker-controlled devices that attempt
cyberattacks on our customers)
To enforce the legal terms that govern the Fortinet Services
To comply with law, and where we deem disclosure appropriate to protect
rights, safety and property (for example, for national security or law
enforcement)
As part of an actual or contemplated business sale, merger, consolidation,
change in control, transfer of substantial assets or reorganization
For other purposes requested or permitted by our customers or users, or as
reasonably required to perform our business
For those purposes, we may share information with our affiliates and other entities that
help us with the activities described in this Privacy Policy.
2. Privacy Practices Specific to Controller Data
a. Types of Controller Data We Collect
As described above, we act as a processor for most of the Fortinet Services. We are,
however, a “controller” under applicable law with respect to Controller Data. Controller
Data includes two general categories of data: Business Data and Threat Data.
For example, we may collect certain data about customers, prospective customers,
partners and their personnel (“Business Data”), which may include:
Contact details and professional details, such as name, email address, phone
number, title and name of company
Information about users’ experience with our products, services, events and
online forums and communities, such as the Fortinet Developer Network
Information about actual or prospective customer personnel’s other interactions
with Fortinet, e.g., procurement, customer service, and point of sale data
Data we handle in connection with the Network Security Expert Institute, the
Fortinet Network Security Academy and other training and certification
programs, including contact information, identity documents and other personal
data collected for authentication of the candidate’s identity and test security,
and testing results.
Information about actual or prospective users’ interests
Financial data, such as payment information for Fortinet products and services
Investor relations-related data
Other business-related data collected on our websites (such as online forum
registrations) and elsewhere for our own business (such as at events)
We obtain Business Data directly from the relevant individuals or their employers, and
also from third-party sources, such as distributors, resellers and partners, credit card
issuers, clearinghouses, data brokers, fraud databases, referrals from customers and
users, as well as publicly available sources such as company websites.
In connection with some Fortinet Services, Fortinet is also considered a controller of
certain personal data relevant to security threats, i.e. “Threat Data.” To the extent it is
personal data, IP addresses, device identifiers, URLs, and other data associated with
malicious activity are part of Threat Data. We obtain Threat Data through Fortinet
Services, publicly available sources such as online forums, other security providers and
researchers, and independent research.
Fortinet also collects Business Data and Threat Data through the technology described
in the Cookies and Similar Automated Data Collection section below. We use all
Controller Data as described in the following section.
b. Uses of Controller Data (Business Data and Threat Data)
Fortinet uses Controller Data as follows:
To provide our products, services, events, websites, communities, training,
certifications, and other business offerings
For marketing, advertising, and other communications (including customizing
and tailoring all of them for the particular recipient)
To manage our relationships with customers, partners, suppliers, event
attendees, and others
For surveys and other market research
For cybersecurity research
To analyze, improve, and create Fortinet Services and other business offerings
To enforce the legal terms that govern our business and online properties
To provide security and business continuity
To comply with law and protect rights, safety, and property
For other purposes requested or permitted by our customers or users, or as
reasonably required to perform our business.
c. Disclosures of Controller Data (Business Data and Threat Data)
Subject to our contractual obligations, we share the information described above as
follows:
For the uses of information described above
As part of an actual or contemplated business sale, merger, consolidation,
change in control, transfer of substantial assets or reorganization
For other purposes requested or permitted by our customers or users, or as
reasonably required to perform our business.
For those purposes, we may share information with our affiliates and other entities that
help us with the activities described in this Privacy Policy.
d. Legal Bases for Processing Controller Data (Business Data and Threat Data)
The laws in some jurisdictions require companies to tell you about the legal ground they
rely on to use or disclose your personal data. To the extent those laws apply, our legal
grounds for processing Controller Data are as follows:
Legitimate interests: In most cases, we handle personal data on the ground that
it furthers our legitimate interests in commercial activities such as the following
in ways that are not overridden by the interests or fundamental rights and
freedoms of the affected individuals:
o Protecting our business, personnel and property
o Providing cybersecurity, including for the protection of personal data
o Customer service
o Marketing
o Analyzing and improving our business; and/or
o Managing legal issues
We may also process personal data for the same legitimate interests of our customers
and business partners.
To honor our contractual commitments to the individual: Some of our
processing of personal data is to meet our contractual obligations to individuals,
or to take steps at the individuals’ request in anticipation of entering into a
contract with them.
Consent: Where required by law, and in some other cases, we handle personal
data on the basis of consent. Where legally required (e.g., for the use of
fingerprints for security purposes in certain jurisdictions), this is explicit consent.
Legal compliance: We need to use and disclose personal data in certain ways to
comply with our legal obligations.
3. Additional Information About Our Privacy Practices (applicable to both Processor Data and
Controller Data)
a. Personal Data Rights and Choices (including Direct Marketing Opt-Out)
We offer the options described below for exercising rights and choices under applicable
law. Many of these are subject to important limits or exceptions under applicable law.
To exercise rights or choices with respect to Processor Data, please make your
request directly to the Fortinet customer for whom we process the data,
particularly if the self-service options described below do not fully resolve your
concern.
You may review and update certain user information by logging in to the
relevant portions of the Fortinet Services or Fortinet websites or online services.
In addition, the law of your jurisdiction (for example, within the European Economic
Area) may give you additional rights to request access to and rectification or erasure of
certain of your personal data we hold. In some cases, you may be entitled to receive a
copy of the personal data you provided to us in portable form or to request that we
transmit it to a third party. The law may also give you the right to request restrictions
on the processing of your personal data, to object to processing of your personal data,
or to withdraw consent for the processing of your personal data (which will not affect
the legality of any processing that happened before your request takes effect).
You may contact us as described below to make these requests.
For example, residents of the European Economic Area and certain other
jurisdictions have a right to opt out of our processing of Controller Data for
direct marketing purposes. You can exercise this right by contacting us as
described below.
Our marketing emails and certain other communications include unsubscribe
instructions, which you can use to limit or stop the relevant
communications. Opt-out processes may take some time to complete,
consistent with applicable law. Certain communications (such as certain billing-
related communications or emergency service messages) are not subject to opt-
out.
Many Fortinet Services are designed to block hacking and other unauthorized
activity, and they use automated means to compare user activity or device traits
to similar data points that have been associated with hacking or other unauthorized
activity. If you believe that our services have been used to block you in error,
please contact the relevant Fortinet customer for assistance. If you believe our
services have blocked access to certain websites in error, please follow the
instructions on our FortiGuard website to have such blocking reviewed. In
limited cases, we may be able to assist you directly, depending on our contract
with our customer and how the blocking happened.
You may contact us with any concern or complaint regarding our privacy
practices, and you also may lodge a complaint with the relevant governmental
authority.
Some residents of California and Nevada have specific rights under the next two
sections.
b. Notice to California Residents
Except where expressly noted, the subsections below apply only to “personal
information” about California residents, as that term is defined in the
California Consumer Privacy Act (“CCPA”), and they supplement the information in the
rest of our Privacy Notice above. Data about individuals who are not residents of
California is handled differently and is not subject to the same rights described below.
Californians who wish to exercise the rights described here with respect to Processor
Data should contact the customer on whose behalf we handle the data. The rest of this
California section applies only to Controller Data.
CCPA summary of information practices
Fortinet collects all of the information described in Sections 2(a) and 3(e) of this Privacy
Policy from and about California residents. In CCPA terms, we may use and disclose (and
in the past 12 months have used and disclosed) this information for the purposes described in
Sections 2 and 3 of our Privacy Notice. In some cases, the link between the data and the
use or disclosure was more direct than others. Not all information in a particular
category was necessarily used for all of the purposes, collected from all the sources, or
disclosed to all of the recipients, that are listed in that category. Again, data about
residents of other jurisdictions is handled in different ways. In more detail:
| CCPA categories of California information collected | Purposes of use of the California personal information | Sources of the personal information | Categories of third parties with whom we share the information |
| --- | --- | --- | --- |
| Identifiers (such as name, address, email address and other contact information, IP addresses) | All purposes described in Sections 2(b) and 3(e) | Data subjects, distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referral sources, customers, users, other security providers and researchers, as well as publicly available sources such as company websites | Service providers, affiliates, customers, distributors, governmental entities, partners, suppliers, security researchers, employers and in special cases other third parties. |
| Commercial information (such as information about an individual’s interests and interactions with Fortinet or our partners, including transaction data) | All purposes described in Sections 2(b) and 3(e) | Data subjects, distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referral sources, customers, users, other security providers and researchers, as well as publicly available sources such as company websites | All of the above. |
| Internet or other network or device activity | All purposes described in Sections 2(b) and 3(e) | Data subjects, distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referral sources, customers, users, other security providers and researchers, as well as publicly available sources such as company websites | All of the above. |
| Visual information (such as photographs collected from certification candidates for identity verification and test security) | To manage our relationships with customers, partners, suppliers, event attendees, and others; to enforce the legal terms that govern our business and online properties; to provide security and business continuity; to comply with law and protect rights, safety, and property; for other purposes requested or permitted by our customers or users, or as reasonably required to perform our business. | Data subjects, their employers | Service providers, affiliates, customers, employers and in special cases other third parties. |
| Geolocation information | All purposes described in Sections 2(b) and 3(e) | Data subjects | Service providers, affiliates, customers, employers and in special cases other third parties. |
| Categories of personal information described in California Civil Code Section 1798.80(e) | All of the above | All of the above | All of the above |
CCPA privacy rights
If you are a California resident, California law may permit you to request that we:
Provide you the categories of personal information we have collected or
disclosed about you in the last twelve months; the categories of sources of such
information; the business or commercial purpose for collecting or selling your
personal information; and the categories of third parties with whom we shared
personal information.
Provide access to and/or a copy of certain information we hold about you.
Delete certain information we have about you.
Certain information is exempt from such requests under applicable law. You also may
have the right to receive information about the financial incentives that we offer to you
(if any). You also have certain rights under the CCPA not to be subject to certain
negative consequences for exercising CCPA rights.
To request to exercise any of these rights and receive the fastest response, please email
us at privacy@[Link]. You will be required to verify your identity before we fulfill
your request.
You can also designate an authorized agent to make a request on your behalf. To do
so, you must provide us with sufficient written authorization or a power of attorney,
signed by you, for the agent to act on your behalf. You will still need to verify your
identity directly with us. For security and legal reasons, however, Fortinet will not
accept requests that require us to access third-party websites or services.
CCPA “sale” of California personal information
The CCPA requires businesses that “sell” personal information, as the term “sell” is
defined under the CCPA, to provide an opt-out from such sales. Some people have
taken the position that when a website uses third parties’ cookies or similar technology
for its own analytics or advertising purposes, the website is engaged in a “sale” under
the CCPA if the third parties have some ability to use, disclose or retain the data to
improve their service or to take steps beyond the most narrowly drawn bounds of
merely providing their service to the website/app. Some take this position even when
the website pays the third party (not vice versa), and in most cases merely provides the
third party with an opportunity to collect data directly, instead of providing personal
information to the third party. If you take the position that use of these sorts of
technology involves a “sale” within the meaning of the CCPA, then you may consider
Fortinet to have “sold” what the CCPA calls “identifiers” (like IP addresses), “internet or
other electronic network activity information” (like information regarding an individual’s
browsing interactions on [Link]), and “commercial information” (like the fact that
a browser visited a page directed to people who are considering purchasing from us) to
those sorts of companies. To put limits on the collection and/or use of data in these
sorts of situations, please use all of the control options described in Section 3(e) below.
Deletion of your online posts
Under a separate California law, minors may request deletion or anonymization of
content or information they have posted on our websites or online spaces (such as in a
public forum), by using the self-service option in the relevant website or online space (if
available) or by contacting us as described below. We will handle such requests under
applicable law. Where the request is made under that California law, this process does
not ensure complete or comprehensive removal of the content or information.
c. Notice to Nevada Residents
Under a Nevada law, certain Nevada consumers may opt out of the “sale” of “personally
identifiable information” for monetary consideration to a person for that person to
license or sell such information to additional persons, as those concepts are defined
under the Nevada law, which differs from the CCPA. “Personally identifiable
information” under that law includes first and last name, address, email address, phone
number, Social Security Number, or an identifier that allows a specific person to be
contacted either physically or online.
We do not engage in such activity; however, if you are a Nevada resident who has
purchased or leased goods or services from us, you may submit a request to opt out of
any potential future sales under Nevada law by contacting privacy@[Link]. We
reserve the right to take reasonable steps to verify your identity and the authenticity of
the request. Once verified, we will maintain your request in the event our practices
change.
d. Aggregate or De-Identified Data
Subject to applicable law and our contractual obligations, (i) we may aggregate or de-
identify Controller Data or Processor Data so that the information cannot be linked to
the relevant individual and (ii) our use and disclosure of aggregated, anonymized, and
other non-personal information is not subject to any restrictions under this Privacy
Policy, and we may disclose it to others without limitation for any purpose.
e. Cookies and Similar Automated Data Collection
In our websites, apps and emails, we and third parties may collect certain information
by automated means such as cookies, Web beacons, tags and scripts or similar
technologies, JavaScript and mobile device functionality. This information may include
unique browser identifiers, IP address, browser and operating system information,
device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation, other
device information, Internet connection information, as well as details about individuals’
interactions with our apps, websites and emails (for example, the URL of the third-party
website from which you came, the pages on our website that you visit, and the links you
click on in our websites).
We and third parties may use automated means to read or write information on users’
devices, such as in various types of cookies and other browser-based or plugin-based
local storage (such as HTML5 storage or Flash-based storage).
Cookies and local storage are files that contain data, such as unique identifiers, that we
or a third party may transfer to or read from a user’s device for the purposes described
in this Privacy Policy, such as recognizing the device, service provision, record-keeping,
analytics and marketing, depending on the context of collection.
You may be able to set your web browser to refuse certain types of cookies, or to alert
you when certain types of cookies are being sent. Some browsers offer similar settings
for HTML5 local storage, and Flash storage can be managed here. However, if you block
or otherwise reject our cookies, local storage, JavaScript or other technologies, certain
websites (including our own websites) may not function properly.
These technologies help us (a) keep track of whether you are signed in or have
previously signed in so that we can display all the features that are available to you; (b)
remember your settings on the pages you visit, so that we can display your preferred
content the next time you visit; (c) display personalized content; (d) perform analytics,
and measure traffic and usage trends, and better understand the demographics of our
users; (e) diagnose and fix technology problems; and (f) otherwise plan for and enhance
our business.
Also, in some cases, we facilitate the collection of information by advertising services
administered by third parties. The ad services may track users’ online activities over
time by collecting information through automated means such as cookies, and they may
use this information to show users ads that are tailored to their individual interests or
characteristics and/or based on prior visits to certain sites or apps, or other information
we or they know, infer or have collected from the users. For example, we and these
providers may use different types of cookies, other automated technology, and data (i)
to recognize users and their devices, (ii) to inform, optimize, and serve ads and (iii) to
report on our ad impressions, other uses of ad services, and interactions with these ad
impressions and ad services (including how they are related to visits to specific sites or
apps).
To learn more about interest-based advertising generally, including how to opt out from
the targeting of interest-based ads by some of our current ad service partners, visit
[Link]/choices or [Link] from each of your browsers. You can opt
out of Google Analytics and customize the Google Display Network ads by visiting your
Google Ads Settings. Google also allows you to install a Google Analytics Opt-out
Browser Add-on for your browser. If you replace, change or upgrade your browser, or
delete your cookies, you may need to use these opt-out tools again. We do not respond
to browser-based do-not-track signals.
Please visit your mobile device manufacturer's website (or the website for its operating
system) for instructions on any additional privacy controls in your mobile operating
system, such as privacy settings for device identifiers and geolocation.
f. International Data Transfers
Fortinet and the recipients of the data disclosures described in this Privacy Policy have
locations in the United States, Canada and elsewhere in the world, including where
privacy laws may not provide as much protection as those of your country of
residence. Fortinet data centers for Processor Data are located primarily in
Canada. We comply with legal requirements for cross-border data protection, including
through the use of European Commission-approved Standard Contractual Clauses and,
in some cases, a third party’s participation in the EU-U.S. or Swiss-U.S. Privacy Shield
Framework. To exercise any legal right to request data transfer mechanism documents
that Fortinet uses to transfer data to third parties, please contact us.
Certain Fortinet Services allow our customers and users to make international data
transfers to third parties, for which they are solely responsible.
g. Security
We have put in place physical, electronic, and managerial procedures to safeguard data
and help prevent unauthorized access, to maintain data security, and to use correctly
the data we collect. However, we cannot assure you that data that we collect will never
be used or disclosed in a manner that is inconsistent with this Privacy Policy.
If a password is used to help protect your personal information, it is your responsibility
to keep the password confidential. Do not share this information with anyone.
h. Data Retention
We will retain your information for the period necessary to fulfill the purposes outlined
in this Privacy Policy unless a longer retention period is required or permitted by law. To
provide security and business continuity for the activities described in this Privacy
Policy, we make backups of certain data, which we may retain for longer than the
original data. For example, FortiCloud Sandbox will store logs of suspicious activities for
1 year.
i. Notification of Changes
Fortinet reserves the right to change this Privacy Policy at any time to reflect changes in
the law, our data collection and use practices, the features of our services, or advances
in technology. Please check this page periodically for changes. Any updated Privacy
Policy will be posted on [Link] via a hyperlink in the footer or other convenient
location.
j. How to Contact Us
If you have questions regarding our practices or this Privacy Policy, please contact us
at privacy@[Link].