CTAP For NGFW - Data Privacy Notice


Cyber Threat Assessment Program
Data Privacy for NGFW Assessments

What EULA or privacy agreements do I need to have in place prior to performing an
assessment?
Fortinet does not require agreements up front in order to perform an assessment. However,
where the assessment is conducted in a country that requires informed consent to the end
user about the use of their data during the assessment, the FortiPartner is responsible for
complying with the applicable data protection laws to allow personal data transfers to and
processing by Fortinet.

FortiPartners may additionally send participants the information below:

1. By participating in the Cyber Threat Assessment Program, participants are subject to
Fortinet’s End User License Agreement (EULA), located at:
http://www.fortinet.com/doc/legal/EULA.pdf

2. Fortinet may collect information via the Cyber Threat Assessment Program, which
will be handled as outlined in Fortinet’s Privacy Policy:
https://www.fortinet.com/corporate/about-us/privacy.html

a. Fortinet may obtain personal information about participants, such as their
name (including company name), contact information (address, phone, email,
etc.), IP addresses, and the Fortinet products assigned to them. Participants who
signed up for this program via an authorized Fortinet partner should contact that
partner for details on the information it may hold about them.

b. Fortinet’s products may automatically send usage and log data to Fortinet
during participation in this program.

3. If participants have any questions or concerns, please email ctap@fortinet.com.

From a privacy perspective, what kind of information is sent to Fortinet and how is it
used?
For the CTAP for NGFW assessment specifically, Fortinet receives a copy of the inspection
logs in order to provide the user with a security report. Any data sent to Fortinet servers for
processing is bound by Fortinet’s End User License Agreement, available at
http://www.fortinet.com/doc/legal/EULA.pdf.

The CTAP for NGFW report is produced automatically based on these inspection logs. The
inspection logs contain IP addresses/hostnames associated with individual machines. We
intentionally do not identify individual user names (via LDAP for instance).

This data is processed in either Canada (for Americas-based assessments) or Germany (for
anything outside of Americas).

www.fortinet.com 2
Inspection is performed by automatically applying our latest threat intelligence and
technologies to your log data. None of the inspection is performed manually. No automated
decision-making or profiling is involved in the processing.

Log data is transported to Fortinet for processing via a secured channel (SSL encrypted).
Log data is only stored for the duration of the assessment. When an assessment is
completed, raw logs are permanently erased from any processing servers. The raw logs
collected are deleted as soon as the report is marked as “Completed.”

If Fortinet generates a report (Report Ready status) and the assessment creator does not
mark it “Complete,” we automatically delete the raw logs after 7 days. We occasionally get
requests to generate a second report, but we may be unable to because the raw logs have
already been deleted. This is implemented by design and was instituted to protect customer
privacy.

A subset of the customer’s assessment data is anonymized, transformed, then retained by
Fortinet for analytics purposes. Fortinet retains this information only for the purposes of
providing trend, threat guidance, and general usage data back to the communities we serve.
Typically, we provide this guidance in the form of quarterly reports (anonymized and
aggregated from customers worldwide).

For any questions about Fortinet steps to ensure privacy or the use of the end user’s data,
the assessment conductor should email ctap@fortinet.com for clarifications.

What if a customer asks for a Non-Disclosure Agreement to be signed?
Non-disclosure Agreements (NDAs) are typically not required for running a Cyber Threat
Assessment. Partners may enter into their own NDAs with the customer; however, that is
outside the scope of Fortinet interactions. If a customer insists on an NDA with Fortinet
directly, please contact Fortinet legal for assistance.

What can I tell a prospect who doesn’t want their log data being sent to another party?
Certain prospects may not be comfortable with sending log data to Fortinet. In those cases,
we recommend requesting a full on-site proof of concept, deploying FortiGate,
FortiSandbox and/or FortiAnalyzer as necessary to accommodate the individual customer’s
requirements.
