SERV ICE DESCRIPTIO N

FORTISANDBOX CLOUD

1. Introduction
FortiSandbox Cloud is a cloud‐based sandboxing service (the “Service”) for FortiGate and FortiMail devices (the
“Fortinet Devices”), providing breach protection solutions to help address the rapidly evolving and more targeted
threats.

The FortiSandbox Cloud service uses a PaaS (“Platform-as-a-Service”) approach to deliver cloud based sandboxing
capabilities for Customers requiring an instance of a dedicated sandbox hosted in the cloud.

2. Service Features and Deliverables

The Service offers a dedicated sandbox VM instance, which eliminates rate-limited submissions for inspection, improves
security posture, and integrates with Fortinet Devices and non-Fortinet security solutions for automated breach
protection.

The Service is hosted in the Fortinet Cloud which is managed on a twenty‐four hours a day by seven days a week basis.
It is monitored for hardware availability, service capacity, and network resource utilization. The Service is made
available in secure datacenters based in the Americas region. The dedicated FortiSandbox and sandboxing VM instances
used in the Service reside in the same region.

Through subscribing to the Service, the following features are included:

 Provides a Service availability of 99.9%.
 Allows Fortinet Devices with active FortiSandbox Cloud license and FortiCare 24x7 support to access the Service
using proprietary and encrypted protocol during communication and submission.
 Allows non-Fortinet security solutions to access the Service using REST API during communication and
submission.
 Checks for device identifiable information such as serial number, hostname, IP address and VDOM.
 Accepts file and URL submission for analysis from the Customer through their Fortinet Devices and non-Fortinet
security solutions which acts a “processor” of their personal data.
 Performs static and dynamic analysis with Artificial Intelligence.
 Keeps submission, device identifiable information, logs and results in the sandboxing VM instance residing at
same region for 3-day and 60-day for clean and risky files, respectively. The information is deleted after the
period.
 Provides Global Network feature for use of the file and URL block list.
 Includes FortiCare™ 24x7 technical support, as outlined in the then-current Fortinet support policies and
service description, available on the Support Portal at https://support.fortinet.com/.

3. Customer Requirements and Responsibilities

The Customer agrees to perform the following actions for the duration of the Service:
 Create and manage a FortiCloud Premium account at support.fortinet.com.
 Register all Fortinet Devices in the Support Portal under the same account.
 Designate a network security skilled individual who will serve as a single point of contact for liaising with
Fortinet for the duration of the Service. This person should be able to assist with determining priorities and
responsible for delivery capability.
 Purchase and maintain all required Service entitlements (in accordance with section 5) to adequately match or
exceed the Customer’s present and future usage of the Service. For clarity, the Customer acknowledges and
agrees that any usage of the Service above its purchased and active Service entitlements will be automatically
blocked and Fortinet shall not be held responsible for any service interruptions and/or degradations of the

FORTINET PUBLIC – CUSTOMERS AND PARTNERS# 870-2718-v1.4 Page | 1 of 4

FORTISANDBOX CLOUD SERVICE DESCRIPTION
 Customer’s network, systems, applications, and/or devices or any other damages, consequences, or
disruptions caused to Customer or third parties as a result of such Service blocking.
 Comply with all reasonable requests for technical information to create and resolve technical tickets, and
provide timely updates to open tickets. It should be noted that when a technical ticket is awaiting a Customer
response the system will send a reminder email after three (3) days with a second reminder email after seven
(7) days. The technical ticket will be automatically closed after fourteen (14) days if there is no response from
the Customer.
 Provide network connectivity with required configuration to enable the devices to communicate with the
Service.
 Access the portal through supported web browser software with appropriate internet connectivity.
 Complete the Service renewal before the expiration of the current term; otherwise, for example, the VM
instance will be purged after 30 days with no grace period.
 Ensure the products and versions are appropriate and up-to-date, to be able to use the Service.
 Ensure Fortinet Devices are running with the following or higher software releases versions: FortiOSTM 6.4.2,
FortiOSTM 6.2.5 and FortiMailTM OS 6.4.3.

The effectiveness and availability of the Service are dependent on the configuration utilized by the Customer on their
local platform, the available bandwidth for communicating the data and the Customer meeting all of its responsibilities,
and in no event is Fortinet responsible for effectiveness or availability issues caused by force majeure events, third
parties or third party technology, or the Customer failing to meet in full its responsibilities.

4. Scope and Conditions

 This service is covered by the (then up to date) current Fortinet Service Terms and Conditions located at
https://www.fortinet.com/content/dam/fortinet/assets/legal/Fortinet-Service-Offering-Terms.pdf.
 An active FortiCloud Premium account license is a requirement for activation of the service on the FortiSandbox
dedicated VM.
 In the event that continued provision of the Service to the customer would compromise the integrity or security
of the Service, the customer agrees that Fortinet may temporarily limit or suspend the Service to the customer.
 Customer agrees to use the Service for legitimate and lawful business purposes only. In particular, the
Customer is responsible for ensuring that its usage of the Service shall be in accordance with all applicable laws
(including, but not limited, privacy and security laws) and proper controls and processes shall be implemented
in this respect. Therefore, Fortinet explicitly advises the Customer to always assess and ensure that the usage
of the Service complies with local legislation prior to its any deployment. Should Fortinet discover illegal
activity, the Service may be terminated without notice and the relevant authorities may be notified regardless
of intent. In the event that the continued provision of the Service to the Customer may compromise the
security of the Service or Fortinet’s systems, networks or reputation, the Customer agrees that Fortinet may
temporarily or permanently suspend the Service to the Customer at Fortinet’s sole discretion without liability.
The Customer accepts and acknowledges that: (a) Fortinet shall not be liable for any damages, fines, claims,
costs or expenses incurred or suffered by the Customer or any third parties as a result of or in connection with
the breach of these warranties; and (b) it shall fully indemnify and hold Fortinet harmless from and against any
and all claims, liabilities, losses, damages, penalties or fines, including all reasonable legal fees, arisen directly
or indirectly as a consequence of the breach of these warranties.
 All service levels described in this document are targets which Fortinet will use reasonable efforts to achieve.
Any loss of network connection, telecommunication links or internet connection is not the responsibility of
Fortinet with the Service continuing to be considered as being utilized. FortiCare Service targets are measured
as of the submission of the support ticket to Fortinet. The availability target only applies to the Service
infrastructure and will exclude delays related to Service unavailability or disruption caused by any of following
events, without limitation:
i. scheduled maintenance or emergency maintenance;
ii. unauthorized user changes;
iii. Customer initiated changes whether implemented by Customer or Fortinet or a third party
on behalf of Customer;
iv. Customer exceeding the subscribed Service entitlement;

FORTINET PUBLIC – CUSTOMERS AND PARTNERS# 870-2718-v1.4 Page | 2 of 4

FORTISANDBOX CLOUD SERVICE DESCRIPTION
 v. Customer's failure to adhere to Fortinet implementation, support processes and
procedures;
vi. acts or omissions of the Customer, its employees, agents, third party contractors or
vendors or any third party accessing the Service;
vii. any violations of the Customer responsibilities defined herein;
viii. any event not wholly within the control of Fortinet;
ix. negligence or willful misconduct of the Customer, or others authorized by the Customer to
use the Services provided by Fortinet;
x. any failure of any component for which Fortinet is not responsible, including but not
limited to all Customer´s infrastructure, electrical power sources, networking equipment,
computer hardware, computer software or data;
xi. any failures that cannot be corrected because the Customer, its systems or networks are
not reasonably accessible to Fortinet. It is the Customer's responsibility to ensure that
technical contact details are kept up to date by submitting a request ticket to confirm or
update the existing the technical contact details.
 Planned maintenance and upgrade may need to be carried out which could impact the availability of
FortiSandbox Cloud service. When such maintenance activity is required, Fortinet will aim to avoid any service
disruption. In any event, Fortinet will endeavor to limit impact to the availability of FortiSandbox Cloud service
to maximum window of eight hours in single calendar month and to provide the customer with forty-eight
hours advanced notice. Notification will be made through the most appropriate method dependent on user
impacted and which may include email, portal messages or other means.
 On the rare occasion that the integrity of the cloud Service is at risk, Fortinet may be required to perform
emergency maintenance actions. In this instance, Fortinet will aim to inform all affected parties within one
hour of the start of the maintenance activity.
 The customer is responsible for ensuring that their use of the FortiSandbox Cloud services is in accordance with
any applicable laws or regulations. Customer represents and warrants that it has all rights, permissions, and
consents necessary to: (a) submit personal data to deliver the Service and necessary support; and (b) grant
Fortinet the right to process personal data for the provision of the Services and support: (i) as required by
applicable law; (ii) as reasonably requested by the Customer via available access controls; (iii) as necessary to
provide the Services, and related support, and prevent or address technical problems or violations of the
Service and (iv) as set forth in the following sentence. Fortinet will process the personal data that Fortinet
receives through the Service pursuant to: (i) a data processing agreement executed between the parties where
required under applicable law, and (ii) the provisions of the Fortinet Privacy Policy located at
http://www.fortinet.com/aboutus/privacy.html. When the Service provides Customer with new personal data
that Customer did not already possess (such as the Service’s determination that a particular email poses a
security threat), Customer may use this new personal data solely for Customer’s lawful internal cybersecurity
purposes.

5. Eligibility & Purchasing

The FortiSandbox Cloud service is available for purchase by an end-customer through authorized Fortinet resellers and
distributors globally (the “Customer”). The service is delivered to the customer as referenced in the purchase order
placed with Fortinet by a customer or Fortinet authorized partner or distributor.

The date of the Service registration determines the start date of the Service (the “Service Start Date”) which will run for
the period determined by the Service SKU purchased by Customer notwithstanding if the Service entitlements are not
fully consumed (the “Service End Date”). The registration and delivery of the Service covered by this service description
must commence within three hundred and sixty-five (365) days from the contract creation date, after which the service
is forfeited without any refund. In no circumstances will the duration of the Service be extended. All sales are final.

FORTINET PUBLIC – CUSTOMERS AND PARTNERS# 870-2718-v1.4 Page | 3 of 4

FORTISANDBOX CLOUD SERVICE DESCRIPTION
Purchasing Information

A FortiCloud Premium Account License is required for using the Service.

Unit Options SKU

FortiCloud Premium Account Access to advanced account and FC-15-CLDPS-219-02-DD
License platform features. Per account
license.
See datasheet/online resources for
included feature/license details.

The Service is activated by at least one Cloud VM Expansion, supporting up to 200 Cloud VMs.

Unit Options SKU

FortiSandbox Cloud Single-VM Expands dedicated sandbox instance FC1-10-SACLP-433-01-DD
Expansion by 1 Cloud VM.
FortiSandbox Cloud 5-VM Expansion Expands dedicated sandbox instance FC2-10-SACLP-433-01-DD
by 5 Cloud VMs.

Where DD is defined by the number of months it may apply to. Please refer to your price list to identify the different
contract durations.

FORTINET PUBLIC – CUSTOMERS AND PARTNERS# 870-2718-v1.4 Page | 4 of 4

FORTISANDBOX CLOUD SERVICE DESCRIPTION