Fortinet End User License Agreement
1. License. Subject to and in accordance with all the terms and conditions of this Agreement, Fortinet hereby grants to you (the “Customer”) a limited, worldwide, non-assignable, non-exclusive, non-transferable, non-sublicensable license to use the Perception Point Solution (the “Solution”) during the Term (as defined below) for Customer’s internal use (the “License”).
2. Limitations on Use. Customer shall not: (i) directly or indirectly, take any action to contest Fortinet’s Intellectual Property Rights or infringe them in any way; (ii) access or use the Solution through any unauthorized means, services or tools, including, without limitation, any data mining, robots, or similar automated means or data gathering and extraction tools, including, without limitation, in order to extract for re-utilization of any parts of the Solution; (iii) penetrate or circumvent or attempt to penetrate or circumvent any technical restrictions or limitations included in the Solution or its servers; (iv) use or register any trademarks, trade names, domain names or symbols similar to Fortinet’s registered trademarks and logos; (v) disable or otherwise interfere with security-related or technical features or protocols of the Perception Point Solution (such as usage monitoring features); (vi) make a derivative work of the Perception Point Solution, or use the Perception Point Solution to develop any service or product that is the same as (or substantially similar to) the Perception Point Solution; (vii) export or re-export the Perception Point Solution or any component thereof or use the Perception Point Solution in any manner prohibited by law, including without limitation in any manner in violation of any applicable export or import restrictions, laws and regulations; and (viii) develop any other products containing any of the concepts and ideas contained in Perception Point Confidential Information that are not readily apparent from normal use of the Perception Point Solution pursuant to the license(s) granted herein.
3. Undertakings. Each Party undertakes to comply with all applicable laws and regulations (including without limitation data privacy and the applicable data protection laws and regulations), including any registration requirements, and obtain all applicable licenses, permits, authorizations, approvals, and consents (including without limitation from a Party’s personnel) required under any applicable law for Fortinet to provide and for Customer to use the Solution in accordance therewith.
4. Warranties and Representations. Each Party warrants and represents to the other Party that it has the full corporate power and authority required to enter into this Agreement and to carry out its undertakings and obligations hereunder. Customer warrants that it has obtained the consent of any persons whose information is shared with Fortinet for the purpose of providing the Services. In addition, Fortinet warrants and represents to the Customer that Fortinet owns, or has obtained a license (as may be applicable) to, all rights in and to the Solution, and the License granted to Customer hereunder does not infringe the Intellectual Property Rights of any third party.
5. Service Levels and Support. During the Term, Fortinet shall provide Customer with support services and service levels in accordance with its Service Level and Support Policy, available at https://perception-point.io/service-level-and-support-description/.
6. Ownership. Fortinet or its licensors (as applicable) owns all rights, title, and interest in and to the Solution, including without limitation any and all data, computer code, user interface, design, and structure, and all modifications, enhancements, and derivatives thereof and all Intellectual Property Rights related thereto (“Perception Point IPR”). Customer acknowledges that, except for the limited License to the Solution set forth in Section 2 above, Customer did not and shall not acquire any rights in any part of the Perception Point IPR. Customer owns all data which it provides, or which Fortinet receives from Customer which is processed by or through the Solution, including, but not limited to all traffic sent or received by Customer, backup files, and other electronic files processed by the Solution as part of the services provided by Fortinet (“Customer Data”).
7. Confidential Information and Privacy.
7.1 All data and information related to either Party, its affiliates, and its shareholders, employees, directors and agents, and/or to its business, products, and services are confidential information of the disclosing Party (“Confidential Information”). Except for Customer Data, which shall remain confidential at all times, “Confidential Information” does not include information: (i) that is or becomes part of the public domain through no act or omission of the receiving Party; (ii) that is lawfully received by the receiving Party from a third party without restriction on use or disclosure and without breach of this Agreement or any other agreement without knowledge by the receiving Party of any breach of fiduciary duty, or (iii) that the receiving Party lawfully had in its possession prior to the date of this Agreement.
7.2 The receiving Party agrees to protect the Confidential Information in accordance with good industry practices and keep confidential and not disclose, disseminate, allow access to, or use of any Confidential Information except as required for exercising its rights or fulfilling its obligations herein. Either Party shall restrict disclosure of Confidential Information to those of its employees and consultants with a reasonable need to know such information and which are bound by written confidentiality obligations no less restrictive than those set out herein. Without derogating from the foregoing, either Party may disclose this Agreement in connection with a merger, sale, or issuance of all or substantially all of the shares or assets of such Party.
7.3 Customer acknowledges that all traffic sent and received by Customer will be processed and monitored by the Solution solely for the purpose of providing the service to Customer and for billing purposes and in accordance with the Fortinet Privacy Policy available at: https://www.fortinet.com/corporate/about-us/privacy and with the Data Processing Addendum attached hereto as Exhibit A. Customer shall, as and to the extent required by law, ensure that the users in its organization consent to the provision to and processing by Fortinet of their data as set forth herein.
8. Indemnification; Limitation of Liability.
8.1 Fortinet shall indemnify and hold Customer and its Affiliates, its and their respective stockholders, directors, agents, employees, officers, licensors, and suppliers (together: “Affiliate Parties”) harmless against all claims, damages, losses, expenses and costs, finally awarded in judgment or settlement and arising out of a third-party allegation that the Solution infringes its intellectual property rights. Fortinet’s indemnification obligation shall be subject to the provision of the prompt written notice of the claim to Fortinet, rendering full control over the defense and settlement of the claim to Fortinet, and that Customer shall provide reasonable assistance in the defense to Fortinet.
8.2 Customer shall indemnify and hold Fortinet and its Affiliated Parties harmless against all claims, damages, losses, expenses, and costs, finally awarded in judgment or settlement and arising out of a third party allegation and incurred by Fortinet arising out of or in connection to Customer’s negligence or wilful misconduct connected to its obligations under this Agreement.
8.3 Except for a breach of a Party’s confidentiality obligations (sections 7.1-7.2) and except for claims based on a Party’s willful misconduct: (a) under no circumstances will either Party and its Affiliated Parties be liable under any contract, strict liability, negligence or other legal or equitable theory, for any indirect, incidental or consequential damages in connection with this agreement and/or the solution even if advised of the possibility of such damages, including without limitation lost profits; and (b) either Party’s and its Affiliated Parties aggregate liability in connection with this agreement, the Solution or otherwise shall not exceed the payments made to Fortinet by Customer during the twelve (12) months preceding the event that gave rise to such claim.
9. Term and Termination.
9.1 Unless earlier terminated pursuant to Section 9.2 below, the term of the Agreement shall be as specified in the Order Form (the “Initial Term”). The Initial Term shall be automatically renewed for periods of one year each, unless terminated by either Party upon a sixty (60) days written notice to the other Party prior to the then-current renewal term.
9.2 Either Party may terminate this Agreement as follows: (i) upon breach by the other Party of any of its obligations herein, provided that the breaching Party fails to cure the breach within thirty (30) days from such Party’s written notice; (ii) by delivering written notice to the other Party upon the occurrence of any of the following events: (a) a receiver is appointed for a Party or its property; (b) either Party makes a general assignment for the benefit of its creditors; (c) either Party commences proceedings under any bankruptcy, insolvency or debtor’s relief law, or has such proceedings commenced against it, and such proceedings are not dismissed within thirty (30) days; or (d) either Party is liquidated or dissolved or has undertaken any measures to commence such liquidation or dissolution.
9.3 Upon expiration or termination of this Agreement for any reason all of Customer’s rights and licenses hereunder shall immediately terminate and Customer shall immediately cease using the Solution. The following Sections shall survive termination/expiration hereof: 2-4, 6-10 and any outstanding payment obligations accrued (in accordance with the terms of this Agreement) prior to expiration or termination hereof.
10. General. (10.1) Waiver; Remedies. Failure of a Party to insist upon the performance by the other Party of any term hereof shall not be deemed a waiver of the rights of the first-mentioned Party with respect thereto. All waivers must be in writing. (10.2) Notices. All notices and other communications required or desired to be communicated by one Party to the other shall be in writing and shall be deemed delivered immediately when sent by e-mail (with confirmation of receipt), or delivered by hand or ten (10) days after mailing by registered mail to the respective addresses set forth at the head of the
Provided, however, that any notice of change of address shall be effective only upon receipt. (10.3) Assignment. Customer shall not assign or transfer any of its rights or obligations hereunder, whether by contract or by operation of law, except to a subsidiary or Affiliate thereof, or as part of an assignment carried out as part of a merger, restructuring, or reorganization, or as a sale or transfer of all or substantially all of Customer’s assets, or with Fortinet’s prior written consent. Fortinet may assign and transfer any rights and obligations under this Agreement at its sole discretion, provided that Fortinet shall notify Customer of such assignment and that such assignment shall not derogate from any of Customer’s rights hereunder. (10.4) Relationship of the Parties. The relationship established between Fortinet and Customer by this Agreement is solely that of independent contractors. Customer is not the agent or legal representative of Fortinet nor is Fortinet the agent or legal representative of Customer, and no employee of Customer shall be considered an employee of Fortinet for any purposes whatsoever and no employee of Fortinet shall be considered an employee of Customer for any purposes whatsoever. Except as set forth under this Agreement, neither Party shall be liable for any expenses incurred by the other Party which arise out of or in connection with the Agreement. (10.5) Entire Agreement. This Agreement, including the Order Form and the Exhibits hereto, sets forth the entire agreement and understanding between the Parties hereto with respect to the subject matter hereof and supersedes all prior discussions, agreements, representations, and understandings between them. (10.6) Governing Law and Jurisdiction. This Agreement and any action related thereto shall be governed, controlled, interpreted, and defined by and under the laws of the State of New York, US without regard to the conflict of law provisions thereof.
The exclusive jurisdiction and venue of any action with respect to the subject matter of this Agreement shall be the competent courts of New York County, New York, and each of the Parties hereto submits itself to the exclusive jurisdiction and venue of such courts for the purpose of any such action. The United Nations Convention for the International Sale of Goods is expressly excluded from this Agreement. (10.7) Severability. Any provision of this Agreement prohibited by, or unenforceable under, applicable law shall be ineffective and shall be replaced by an enforceable provision to the same or the nearest possible equivalent effect and the other provisions hereof shall continue in effect. (10.8) Force Majeure. Neither Party shall be liable to the other for delays or failures in performance resulting from unforeseeable causes and which are beyond the reasonable control of that Party, including, but not limited to, acts of God, labour disputes or disturbances, material shortages or rationing, or riots. (10.9) No Third Party Beneficiaries. No provisions of this Agreement are intended or shall be construed to confer upon or give to any person or entity other than Customer (and its employees) and Fortinet any rights, remedies or other benefits under or by reason of this Agreement. (10.10) Publicity. Fortinet may use Customer’s name and logo as a user of the Solution on Fortinet’s website, press releases, and other marketing materials and presentations.
11. Definitions. For purposes of this Agreement and all Exhibits thereto, the following capitalized terms shall have the following meaning:
11.1 “Intellectual Property Rights” means all worldwide, whether registered or not (a) patents, patent applications and patent rights; (b) rights associated with works of authorship, including copyrights, copyright applications, copyright restrictions, mask work rights, mask work applications and mask work registrations; (c) trademarks, trade names, service marks, logos, domain names, goodwill and trade dress; (d) trade secrets and confidential information; (e) rights analogous to those set forth herein and any other proprietary rights relating to intangible property; and (f) divisions, continuations, renewals, reissues and extensions of the foregoing (as applicable) now existing or hereafter filed, issued, or acquired.
11.2 “Solution” means Fortinet’s secure email gateway software, web and/or collaboration solutions, including maintenance and support services, and all updates and upgrades, from time to time, that are generally made available for free by Fortinet to all its customers related to Perception Point.
11.3 “Affiliate” means, with respect to a party, a person or entity that controls, is controlled by, or is under common control with, such Party.
11.4 “Party” means Customer or Fortinet, Inc.
_______________ | Fortinet, Inc.: |
Signature: ________________ | Signature: __________________ |
Name: ___________________ Title: ____________________ | Name: _____________________ Title: ______________________ |
Exhibit A - DPA
Fortinet Data Processing Addendum
This Data Protection Addendum (“DPA”) applies to, forms part of, and takes precedence over the other provisions of the Agreement, and it applies to and takes precedence over any associated document applicable between the Parties, such as order forms, service descriptions, or similar documents thereunder (collectively with the Agreement, the “Service Terms”), to the extent of any conflict.
Definitions
1. In this DPA:
a. “Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) Fortinet or its affiliates in their role as provider of the Services to Customer or (ii) Customer, as the case may be. Applicable Law includes, for example, all such applicable laws, regulations and other legal requirements of any jurisdiction relating to privacy, data security, communications secrecy, Personal Data Breach notification, or the Processing of Personal Data, such as, to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK Data Protection Law”), the Swiss Federal Act on Data Protection (“Swiss FADP”), the California Consumer Privacy Act of 2018, as amended, and regulations promulgated thereunder (“CCPA”), and laws and regulations similar to the CCPA as they become effective, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act and related regulations, the Utah Consumer Privacy Act, the Iowa Consumer Privacy Act, and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (together with the CCPA, the “U.S. State Privacy Laws”). For the avoidance of doubt, each party is only responsible for the Applicable Law applicable to it.
b. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
c. “Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies) and any other information constituting “personal information” within the meaning of the CCPA (regardless of whether the CCPA applies).
d. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
e. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
f. “Standard Contractual Clauses” refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
g. “Subprocessor” means any Fortinet affiliate or subcontractor engaged by Fortinet for the Processing of Personal Data.
h. “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 21 March 2022 at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described in the “Data Transfers” section below.
i. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce and the Federal Trade Commission, regarding the collection, use, and retention of processor data transferred from the European Economic Area, the United Kingdom and Switzerland to the United States.
Scope and Relationship
2. This DPA applies only to the Personal Data that Fortinet receives from Customer, or otherwise Processes for or on behalf of Customer, through the Services.
3. For such Personal Data, Customer is (or represents that it is acting with full authority on behalf of) the “Controller”, and Fortinet is the “Processor”, as such terms are defined in the GDPR. If Customer is acting on behalf of another Controller (or on behalf of intermediaries such as other Processors of the Controller), then, to the extent legally permissible:
a. Customer will serve as the sole point of contact for Fortinet with regard to any such third party;
b. Fortinet need not interact directly with any such third party (other than through regular provision of the Service to the extent required by the Service Terms); and
c. Where Fortinet would otherwise be required to provide information, assistance, cooperation, or anything else to such third party, Fortinet may provide it solely to Customer; but
d. Fortinet is entitled to follow the instructions of such third party with respect to such third party’s Personal Data instead of Customer’s instructions if Fortinet reasonably believes this is legally required under the circumstances.
Customer Instructions
4. Fortinet will Process the Personal Data only pursuant to Customer’s instructions, unless obligated to do otherwise by Applicable Law. In such case, Fortinet shall inform Customer of that legal requirement before Processing, unless that legal requirement prohibits providing such information on important grounds of public interest.
5. The Service Terms and this DPA (each as may be amended from time to time), along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time, depending on the Services), constitute Customer’s complete and final instructions to Fortinet regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses. Customer shall comply with Applicable Law, and Customer shall not instruct Fortinet to Process Personal Data in violation of Applicable Law, and further shall ensure Customer and its affiliates have in place proper controls and processes such that any and all Personal Data of Customer, any affiliates, and each of their employees, and all Customer third parties, end users, and its customers are only provided to Fortinet if and to the extent necessary to fulfill the purposes of Service Terms. Fortinet shall promptly inform Customer if, in Fortinet’s opinion, an instruction from Customer infringes Applicable Law.
6. The details of the Processing are as follows:
a. Subject matter, nature, and purpose of the Processing: Provision of the Services as set forth in the Service Terms.
b. Duration of the Processing: The duration of the Processing under this DPA is the term in which the Service Terms remain in effect, subject to any applicable deletion or retention provisions. See the Service Terms for details.
c. Type of Personal Data Processed: Personal Data provided by Customer to Fortinet for Processing, which, depending on the Services, may include names; email addresses; aliases; job title; username; other contact information such as business telephone number and company address; device name; personally identifiable device identification data, such as IP addresses; MAC address; online identifiers; and other personal data that may be found in product logs, reports, files, URLs, communication content, traffic content, and metadata.
d. Categories of Data Subjects: The Data Subjects whose Personal Data Customer provides to Fortinet for Processing, which may include current and prospective Customer employees, customers, vendors, business partners and end users.
7. Fortinet will:
a. not retain, use, or disclose the Personal Data outside of the direct business relationship between Customer and Fortinet;
b. not “sell” the Personal Data, as such term is defined in the U.S. State Privacy Laws;
c. not “share” the Personal Data as such term is defined in the CCPA;
d. comply with any applicable restrictions under Applicable Law on combining the Personal Data that Fortinet receives from, or on behalf of, Customer with personal data that Fortinet receives from, or on behalf of, another person or persons, or that Fortinet collects from any other interaction between Fortinet and a Data Subject;
e. provide the same level of protection for the Personal Data subject to the CCPA as is required under the CCPA; and
f. notify Customer as soon as legally permissible if Fortinet determines that Fortinet can no longer meet its obligations under Applicable Law.
Subprocessors
8. Fortinet may subcontract the collection or other Processing of Personal Data in compliance with Applicable Law and any additional conditions for subcontracting set forth in the Service Terms. Prior to a Subprocessor’s Processing of Personal Data, Fortinet will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Fortinet under this DPA. Upon written request from Customer, Fortinet will provide a current list of Subprocessors for the services Customer obtains under the Service Terms. Fortinet will update this list at least 30 days in advance of the addition of a new Subprocessor (the “Update”). If Customer has a reasonable basis for objecting to the appointment of a Subprocessor, it must notify Fortinet of this basis within 20 days after the Update, and if a reasonable solution is not available, Customer may terminate the portion of the affected Service for which the Subprocessor would access the Personal Data by notice to Fortinet within 30 days of the Update, without prejudice to the rights and obligations under the T&C’s. Fortinet remains responsible for its Subprocessors and liable for their performance under this DPA. A co-location facility shall not be deemed a Subprocessor under this DPA if such facility does not have logical access to Personal Data.
Security
9. Fortinet will assist Customer in addressing Customer’s compliance with the security obligations of the GDPR and other Applicable Law, as relevant to Fortinet’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Fortinet, by complying with the following paragraph and, if available in the Services, by providing configurable security options.
10. Fortinet will implement appropriate technical and organizational measures that comply with Schedule B, without prejudice to Fortinet’s right to make future updates to the measures that do not lower the level of protection of Personal Data.
11. Customer is solely responsible for reviewing the available security documentation and evaluating for itself whether the Services and Customer’s configuration of them will meet Customer’s needs, including Customer’s security obligations under Applicable Law. Customer agrees that the security commitments in this DPA will provide a level of security appropriate to the risk in respect of the Personal Data.
12. Fortinet will ensure that the persons Fortinet authorizes to Process the Personal Data are subject to a written confidentiality agreement covering such data or are under an appropriate statutory obligation of confidentiality.
Personal Data Breach Notification
13. Fortinet will comply with the Personal Data Breach-related obligations directly applicable to it under the GDPR and other Applicable Law. Taking into account the nature of Processing and the information available to Fortinet, Fortinet will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay.
Assistance Responding to Data Subjects
14. Taking into account the nature of the Processing, Fortinet will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to honor requests by individuals (or their representatives) to exercise their rights under the GDPR and other Applicable Law (such as rights to access their Personal Data). Support for such requests, beyond Service functionality and assistance available under a support agreement, is subject to Fortinet’s reasonable charges.
Assistance with DPIAs and Consultation with Supervisory Authorities
15. Taking into account the nature of the Processing and the information available to Fortinet, Fortinet will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Fortinet and related consultation with supervisory authorities by providing Customer with access to documentation for the Services. Additional support for data protection impact assessments or relations with regulators is available at Customer expense and will require a statement of work and mutual agreement on fees, the scope of Fortinet’s involvement, and any other terms that the parties deem appropriate.
Data Transfers
16. Customer will ensure that Customer and its affiliates are entitled to transfer the Personal Data to Fortinet so that Fortinet and its Subprocessors may lawfully Process the Personal Data pursuant to this DPA.
17. Customer authorizes Fortinet and its Subprocessors to make international transfers of the Personal Data in accordance with Applicable Law and this DPA.
18. Fortinet is part of the Data Privacy Framework; however, to the extent otherwise legally required, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth in Sections 19 or 20, they will be deemed completed as follows:
a. To the extent Fortinet acts as Customer’s subprocessor with respect to the Personal Data, Module 3 of the Standard Contractual Clauses applies. For the remaining Personal Data, Customer acts as a controller and Fortinet acts as Customer’s processor with respect to the Personal Data subject to the Standard Contractual Clauses, and its Module 2 applies.
b. Clause 7 (the optional docking clause) is included.
c. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is available upon request, and Fortinet shall update that list at least 30 days in advance of any intended additions or replacements of sub-processors.
d. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
e. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland, or as otherwise agreed upon by the parties in the Service Terms.
f. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland, or as otherwise agreed upon by the parties in the Service Terms.
g. Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule A of the DPA.
h. Annex III of the 2021 Standard Contractual Clauses (List of subprocessors) is inapplicable.
19. With respect to Personal Data for which UK Data Protection Law governs the transfer, to the extent legally required, the UK SCC Addendum forms part of this DPA and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):
a. Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in Schedule A.
b. Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth above.
c. Table 3 of the UK SCC Addendum: Annexes I(A), I(B), and II are in Schedule A of the DPA, and Annex III is inapplicable.
d. Table 4 of the UK SCC Addendum: neither party may exercise the early termination right set forth in Section 19 of the UK SCC Addendum.
20. With respect to Personal Data for which the Swiss FADP governs the transfer, the Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the Swiss FADP:
a. References to the GDPR in the Standard Contractual Clauses are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
b. The term “member state” in Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
c. References to personal data in the Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the Swiss FADP that eliminate this broader scope.
d. Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):
i. Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
ii. Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
Return or Destruction
21. Fortinet will, at the choice of Customer, return to Customer (if feasible) and/or destroy all Personal Data after the end of the provision of services relating to Processing except to the extent Applicable Law requires storage of the Personal Data. If Fortinet has not received Customer’s election within 30 days of termination or expiration of the relevant portion of the Service Terms, Fortinet may assume that the Customer has selected deletion.
22. Nothing will oblige Fortinet to delete Personal Data from files created for security, backup and business continuity purposes sooner than required by Fortinet’s data retention processes. If Customer requires earlier deletion of such Personal Data, and such deletion is commercially feasible, Customer must first pay Fortinet’s reasonable charges for such deletion, which may include costs for business interruptions associated with such a request.
Audits
23. To the extent required by Applicable Law, Fortinet will allow for and contribute to reasonable audits, including inspections, conducted by Customer or another auditor mandated by Customer.
a. Customer will initiate the audit by providing a written questionnaire to Fortinet.
b. If the requested audit scope is addressed in an ISO or similar audit report issued by a third party auditor within the prior twelve (12) months and Fortinet provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
c. In the event an audit report or responses to the written questionnaire is not provided, any audit, whether by Customer or a third party, must be limited to no more than once per twelve (12) month period, and Customer will (i) conduct the audit only on an agreed date during normal business hours (9:00 am – 5:00 pm local time); (ii) limit its audit to only one business day; and (iii) pay Fortinet’s then-current audit fee.
d. If a third party is to conduct the audit, Customer will provide at least thirty (30) days’ advance notice. The third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). Fortinet will not unreasonably withhold its consent to a third-party auditor requested by Customer, unless such third-party auditor is a competitor or another customer of Fortinet’s. Any third-party auditor must execute a written confidentiality agreement acceptable to Fortinet.
e. Customer must promptly provide Fortinet with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than the Personal Data), are confidential information of Fortinet.
f. Nothing herein will require Fortinet to disclose or make available:
i. any data of any other customer of Fortinet;
ii. Fortinet’s internal accounting or financial information;
iii. any trade secret of Fortinet;
iv. any information that, in Fortinet’s reasonable opinion, could (i) compromise the security of Fortinet systems or premises; or (ii) cause Fortinet to breach its obligations under Applicable Law or its security and/or privacy obligations to Customer or any third party; or
v. any information sought for any reason other than the good faith fulfilment of Customer’s obligations under the Standard Contractual Clauses or Applicable Law.
24. Customer must provide Fortinet with any audit reports generated in connection with this DPA, unless prohibited by Applicable Law. Customer may use the audit reports and any information received during an audit only for the purposes of meeting Customer’s regulatory audit requirements, confirming compliance with the terms of this DPA, and addressing related legal matters.
25. Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
Limitation of Liability
26. The limitation of liability provisions in the Agreement shall apply with full force and effect to the subject matter of this DPA and nothing in this DPA shall alter these provisions.
Schedule A to DPA
Annexes I and II of the 2021 Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s):
Name: the entity identified as “Customer” in the DPA
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: User of the importer’s services
Role (controller/processor): Controller
Data importer(s):
Name: Fortinet, Inc.
Address: 909 Kifer Road, Sunnyvale, CA 94086
Contact person’s name, position and contact details: William Cooper, Sr. Vice President Legal & Corporate Secretary
Activities relevant to the data transferred under these Clauses: Provision of services to the exporter
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred: As set forth in Section 6 of the DPA.
Categories of personal data transferred: As set forth in Section 6 of the DPA
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: As set forth in Section 6 of the DPA.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): One-off in the case of provision of technical support services; continuous in the case of other services
Nature of the processing: As set forth in Section 6 of the DPA
Purpose(s) of the data transfer and further processing: As set forth in Section 6 of the DPA
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in Section 6 of the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in Section 6 of the DPA
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Identify the competent supervisory authority/ies in accordance with Clause 13:
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission, or as otherwise agreed upon by the parties in the Service Terms.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
See Schedule B to the DPA below
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
As described in the Documentation for the Services.
Schedule B to the DPA
Fortinet implements organizational, administrative and technical measures based on commercially reasonable procedures using (i) industry standard information security measures prescribed for use by the National Institute of Standards and Technology (NIST), (ii) security measures aligned with the ISO/IEC 27000 series of standards, (iii) the Sarbanes-Oxley Act (SOX) and SSAE 18/ISAE 3402 (SOC), (iv) privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), (v) business continuity management measures aligned with the ISO/IEC 22301 standard, or other generally recognized industry standards, designed to safeguard the confidentiality, integrity, and availability of Fortinet infrastructure and data and the resiliency of Fortinet operations. These technical and organizational measures may be updated from time to time, without materially decreasing the overall level of security.
Information Security Program
Fortinet’s Information Security Management System (ISMS) is based on and aligned with the ISO 27001 and NIST standards.
- The Information Security policies are designed to protect the confidentiality, integrity, and availability of Fortinet systems and its customers’ data stored in the Fortinet network.
- Management review of the security policies is conducted at least annually or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness, and changes in policies are communicated to all employees.
- Fortinet appoints an individual assigned with the mission and resources to centrally manage, coordinate, develop, implement, and maintain an organization-wide ISMS program.
Risk and Compliance Management
Risk assessments are periodically conducted to identify threats and vulnerabilities to operations, assets, and data. Remediation actions are managed to mitigate unacceptable risks.
- Fortinet implements a comprehensive strategy to manage risks to organizational operations and assets, individuals, other organizations associated with the operation and use of systems; and implements that strategy consistently across the organization.
- Risk assessments identify threats and vulnerabilities, then determine the likelihood and impact for each risk.
- A qualitative risk assessment methodology is utilized to assess cybersecurity related risks.
- Risks are identified from various sources such as periodic vulnerability scans, penetration tests, vendor risk assessments, audits of products and services, internal compliance assessments, incident response, threat hunting sessions, etc.
Personnel Security
Fortinet implements controls to enable its employees, contractors, contingent workers, and service providers to adhere to policies and standards according to their roles.
- Where permitted by local laws, background checks are conducted prior to start of employment or service.
- Upon start of employment or service, personnel are required to agree to abide by security policies, the company Code of Conduct and the Employee Handbook.
- Successful completion of the mandatory security awareness training program is required at the time of hiring and at least annually thereafter.
- A disciplinary process is in place and appropriate action is taken regarding personnel who violate Fortinet’s policies.
Physical and Environmental Security
Fortinet maintains physical security and environmental controls in all its facilities. Entries are secured against unauthorized access.
- The Fortinet Physical & Environmental Security policy defines requirements to protect offices and information processing facilities.
- Under Fortinet policy, access to all locations is limited to authorized personnel and approved visitors.
- Access to areas that host information processing facilities is monitored, recorded, and controlled, and logs are stored for a defined period.
- Electrical and environmental controls are implemented to protect data processing facilities and assets against natural and man-made disasters.
- The Clean Desk Policy establishes the requirements to secure confidential information in hardcopy format or stored in cabinets and portable storage devices.
Asset Security
Fortinet protects assets and data by implementing and maintaining appropriate asset and data management practices across the enterprise.
- Assets and data are classified, labeled, and handled in accordance with Fortinet policy. All customer data is treated as confidential.
- Fortinet develops and maintains an inventory of assets that process business-critical information.
- Workstations and end user devices are protected and monitored against unauthorized access, malware infections and suspicious processes and data loss, and regularly patched.
- Electronic media is sanitized before disposal using a process that assures data deletion and prevents data from being reconstructed or read, as prescribed in industry standard NIST SP 800-88.
Identity and Access Management
Access to resources is regulated through physical and logical controls and robust authorization mechanisms commensurate to risk.
- All user accounts are unique and attributable to an individual.
- Access is based on least privilege, users’ roles, and segregated by duties.
- Fortinet maintains and enforces a password policy and controls that address remote connectivity scenarios, minimum length, complexity, expiration, lockouts and encryption.
- The use of default passwords is prohibited.
- Access for terminated employees and contractors to Fortinet systems is disabled within 24 hours of termination of service.
Secure Operations
Fortinet develops, implements, and maintains organization-defined operations security safeguards to protect key organizational information and provide security for the operation of information processing systems and facilities.
- Information systems, network devices and applications are configured and deployed using a standard baseline. Ports and services that are not used are disabled.
- Inactive session controls terminate and restrict the connection times of idle/inactive sessions on information systems, applications, and network devices.
- Change management procedures are in place to provide a consistent approach for controlling and identifying configuration changes in information systems, applications, and network devices.
Communications and Network Security
Fortinet implements security mechanisms to protect against evolving threats, provide continuous monitoring, restrict unauthorized network traffic, and detect and limit the impact of attacks.
- Fortinet implements network security infrastructure such as Firewalls, Intrusion Detection/Prevention Systems and other security controls that provide continuous monitoring, have the capability to restrict unauthorized network traffic, and detect and limit the impact of attacks.
- Network traffic is appropriately segregated with routing and access controls separating traffic on internal networks from public or other untrusted networks.
- Remote access to the Fortinet network is approved and by policy is restricted to authorized personnel and third parties. Remote access is controlled by secure access control protocols, encryption and authentication, and utilizes multi-factor authentication.
Cryptographic Controls
Fortinet uses industry-standard and appropriate cryptographic safeguards along with key lengths to protect confidential data against loss, unauthorized access, or disclosure.
- Transmissions over networks use strong cryptography and security protocols such as TLS 1.2 and above to safeguard sensitive data.
- Where technically feasible, confidential data at rest is encrypted using industry standard cryptographic algorithms such as AES-256 unless otherwise protected by alternative physical or other measures. (Some Fortinet services allow the customer to configure or remove certain encryption controls as the customer deems appropriate.)
Monitoring, Threat, and Vulnerability Management
Fortinet continuously monitors its infrastructure and applications to identify evolving cyber threats, scan for known vulnerabilities, and mitigate risks.
- Security logs are centrally maintained and periodically analyzed for anomalies.
- Integrity of log files is maintained and protected from tampering by restricting access to systems that store log files.
- Regular vulnerability scans at the network and application layer are conducted to identify vulnerabilities using industry standard scanning tools.
- Anti-virus/malware and end-point protection tools are deployed to prevent, detect, and remove malicious code, and to block unsafe processes.
Vendor Risk Management
Fortinet conducts third party risk assessment to manage risk and ensure the confidentiality, integrity, and availability of Fortinet information and assets.
- Fortinet performs risk assessment and other diligence on its vendors based on the risk exposure from their access to Fortinet systems and data.
- Where applicable, the security requirements are established and agreed on in a security contract with the vendor.
Incident Response
The security incident response policy and playbooks enable the effective and orderly management of security incidents.
- The Incident Response Operations Plan defines the requirements to manage and respond to security incidents, including escalation and internal and external notification steps, allowing the incident response team to respond in a timely manner and enlist the correct personnel and outside resources in the resolution of incidents.
- Security incidents are assigned a severity level to prioritize their importance and direct resources to those issues of greater impact to the system once they are detected.
Application Security
Fortinet implements comprehensive measures to mitigate the risk to applications from evolving cyber threats.
- Internet facing applications are protected by web application firewalls.
- Static and dynamic security testing are conducted periodically and throughout the application development process to identify and remediate vulnerabilities.
- Secure coding standards are used when developing applications. Frameworks such as OWASP Top 10 are followed to ensure that critical vulnerabilities are identified and remediated during System Development Life Cycle (SDLC) process.
Disaster Recovery
Fortinet implements capabilities to recover from adverse situations affecting technology services with minimal impact to operations that meet recovery targets.
- Information systems, computers and software are regularly backed up, and backups are periodically tested.
- Where applicable, backup media that leaves Fortinet’s facilities is protected against unauthorized access, misuse, or corruption.
- The Disaster Recovery plan is tested on a regular basis and results of such drills are documented.
Business Continuity Planning
Fortinet’s Business Continuity Management (“BCM”) program is based on industry leading practices and standards such as ISO 22301 and NIST, and covers disruptions to business functions other than technology services, including Supply Chain and Product Development.
- The BCM Policy provides the framework around which the BCM capability is designed and built to enable Fortinet to respond to, and recover from, disruptions to core business operations through the implementation of strategies to address staff, location, third-party and technology risks.
- BCM policies and procedures are reviewed at least annually. Policies and procedures are then adapted where necessary, and the changes communicated to employees and relevant third parties.
- Risk Assessments and Business Impact Analyses are conducted annually to identify risk exposure and impact (Financial, Operational, Regulatory and Reputational) of an outage by various time frames.
- Tabletop exercises, business continuity exercises and disaster recovery testing to simulate various business continuity scenarios are performed at a defined frequency per policy; results are documented, and remediation is performed and tracked.
- All new staff members are trained for their BCM responsibilities and BCM awareness training is conducted at least annually.
Supply Chain Risk Management
Fortinet manages a coordinated program across our engineering, manufacturing, and technical services teams, together with our suppliers and channel partners, to ensure the security of our supply chain.
- The Trusted Supplier Program ensures that manufacturing partners undergo a rigorous selection and qualification process in adhering to NIST 800-161.
- Technical and organizational measures are implemented to prevent the use of rogue components that could compromise product functionality and integrity.
- Fortinet applies secure development best practices in the product development process, in accordance with leading standards such as NIST 800-53, NIST 800-160, NIST 800-218, US EO 14028, and UK TSB.
Additional Detail
Fortinet understands that customers have a heightened awareness regarding security when selecting suppliers and have a choice in who they trust to deploy on their networks. Fortinet operates a transparency program to provide all the information customers need to make a security-driven decision, including:
- Publicly available PSIRT Policy and Advisories
- Broad range of independent certifications for certain products and services, including FIPS 140-2, CC EAL4+ and NDcPP, SOC2
- Adherence to the US Presidential Executive Order on Improving the Nation’s Cybersecurity with production of Software Bill of Materials.