Gatlab™ Privacy Policy

Effective Date: October 10, 2022.

This is the Privacy Policy of Gatlab™ and its wholly-owned subsidiaries (collectively, “Gatlab,” “we,” “our,” or “us”). We provide security solutions that help protect the data and systems of our business customers from continually evolving risks. It is Gatlab™'s policy to provide security and privacy. Each is important, and they are sometimes co-dependent. We believe in Security by Design and Privacy by Design.

This Privacy Policy covers Gatlab's handling of two categories of information:

  • Personal data that our partners and customers ask us to process on their behalf (“Processor Data”). Gatlab™ offers security products and services, and related support and professional services (the “Gatlab Services”). With some exceptions as identified below, under applicable law, in certain contexts Gatlab is considered the “processor” of the personal data we receive through the Gatlab Services, and our customer is (or acts on behalf of) the “controller” of the data (i.e., the company with the right to decide how the data is used).
  • Personal data that we handle for our own business (“Controller Data”), other than for our human resources and recruiting operations. Under applicable law, Gatlab is a “controller” of this data.

This Privacy Policy includes details specific to Processor Data, details specific to Controller Data, and information relevant to our handling of both kinds of data.

1. Privacy Practices Specific to Processor Data

  a. Types of Processor Data We Collect

We receive information from or on behalf of our customers and their users, and for most of such data, we act as a “processor.” Because of the nature of the Gatlab Services, this information may contain any type of personal data. For example, we may collect the following categories of information, that may be Processor Data, through the Gatlab Services:

  • Device identifiers, such as IP addresses, device name, model, manufacturer, firmware versions, operating system, metadata, time zone, language, MAC addresses, and other information about computing systems, applications, filenames and file paths, usernames, and technical data about the operating system instructions flow and networks.
  • Contact details and registration information (including identifiers), such as names, aliases, usernames, emails, age, gender, phone numbers, addresses, and photographs.
  • Internet or other electronic network or device activity information, such as system logs, traffic, URLs, metadata, and antivirus and other malware statistics.
  • Other information that identifies or can be reasonably associated with you, including information contained in files, activity logs, analysis reports, communications content and metadata, distribution lists, and information provided to us through dashboards or portals associated with the security and firewall solutions of the Gatlab Services, such as troubleshooting requests and security inquiries regarding files and systems.

Some of the technical information listed above is considered personal data in certain contexts. Gatlab also collects Processor Data through the technology described in the “Cookies and Similar Automated Data Collection” section below. We use Processor Data as described in the following section.

  b. Uses of Processor Data

Subject to our contractual obligations, and depending on the particular Gatlab Services, we may use and disclose the information described above (sometimes in combination with other information we obtain, such as from our customers) as follows:

  • To provide the Gatlab Services, including by:
    • Providing maintenance and technical support
    • Providing product upgrades
    • Addressing security and business continuity issues
    • Analyzing and improving the Gatlab Services, including responding to new threats and developing new features
  • To enforce the legal terms that govern the Gatlab Services.
  • To comply with law and protect rights, safety, and property.
  • For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.

Many Gatlab Services use automated technology to recognize and defend against cybersecurity risks, such as by blocking or quarantining suspected malicious data. To better protect our customers and assist them with their own security compliance, some Gatlab Services use external threat information gathered in these situations to improve security for customers of Gatlab Services in similar situations. For example, if certain Gatlab services determine that a hacker is attacking some of our customers, we may use information about that threat in order to help protect other customers from similar attacks. This provides our customers’ data with much better protection than what would be possible if our services could not learn from experience. We handle “Threat Data” like this as described in the “Privacy Practices Specific to Controller Data” section below.

  c. Disclosures of Processor Data

Subject to our contractual obligations, and depending on the particular Fortinet Services, we may disclose the information described above as follows:

  • To provide the Fortinet Services, which can involve sharing personal data with our customer and with third parties selected by the customer or its users (for example, to detect security incidents, and protect against malicious, deceptive, fraudulent, or illegal activity, we process data about third-party threat actors such as the IP address of certain hacker-controlled devices that attempt cyberattacks on our customers).
  • To enforce the legal terms that govern the Fortinet Services.
  • To comply with law, and where we deem disclosure appropriate to protect rights, safety and property (for example, for national security or law enforcement).
  • As part of an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization.
  • For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.

For those purposes, we may share information with our affiliates and other entities that help us with the activities described in this Privacy Policy.

2. Privacy Practices Specific to Controller Data

  a. Types of Controller Data We Collect

As described above, we act as a processor for most of the Fortinet Services. We are, however, a “controller” under applicable law with respect to Controller Data. Controller Data includes two general categories of data: Business Data and Threat Data.

For example, we may collect certain data about customers, prospective customers, partners and their personnel (“Business Data”), which may include:

  • Contact details and professional details, such as name, email address, address, phone number, title and name of company.
  • Online identifiers, such as IP address and account ID information.
  • Information about users’ experience with our products, services, events and online forums and communities, such as the Fortinet Developer Network and CTAP end-user reports.
  • Information about actual or prospective customer personnel’s other interactions with Fortinet, e.g., procurement, customer service, and point of sale data.
  • Data we handle in connection with the Network Security Expert Institute, the Fortinet Network Security Academy and other training and certification programs, including contact information, identity documents and other personal data collected for authentication of the candidate’s identity and test security, and testing results.
  • Audio or video information, such as recordings of meetings, or photographs collected from certification candidates for identity verification and security checks.
  • Information about actual or prospective users’ interests.
  • Financial data, such as payment information for Fortinet products and services.
  • Investor relations-related data.
  • Other business-related data collected on our websites (such as online forum registrations) and elsewhere for our own business (such as at events).

We obtain Business Data directly from the relevant individuals or their employers, and also from third-party sources, such as distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referrals from customers and users, as well as publicly available sources such as company websites.

In connection with some Fortinet Services, Fortinet is also considered a controller of certain personal data relevant to security threats, i.e. “Threat Data.” To the extent it is personal data, IP addresses, device identifiers, URLs, and other data associated with malicious activity are part of Threat Data. We obtain Threat Data through Fortinet Services, publicly available sources such as online forums, other security providers and researchers, and independent research.

Fortinet also collects Business Data and Threat Data through the technology described in the Cookies and Similar Automated Data Collection section below. We use all Controller Data as described in the following section.

  b. Uses of Controller Data (Business Data and Threat Data)

Fortinet uses Controller Data as follows:

  • To provide our products, services, events, websites, communities, training, certifications, and other business offerings.
  • For marketing, advertising, and other communications (including customizing and tailoring all of them for the particular recipient).
  • To manage our relationships with customers, partners, suppliers, event attendees, and others.
  • For surveys and other market research.
  • For cybersecurity research.
  • To analyze, improve, and create Fortinet Services and other business offerings.
  • To enforce the legal terms that govern our business and online properties.
  • To provide security and business continuity.
  • To comply with law and protect rights, safety, and property.
  • For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.

  c. Disclosures of Controller Data (Business Data and Threat Data)

Subject to our contractual obligations, we share the information described above as follows:

  • For the uses of information described above.
  • As part of an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization.
  • For other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.

For those purposes, we may share information with our affiliates and other entities that help us with the activities described in this Privacy Policy.

  d. Legal Bases for Processing Controller Data (Business Data and Threat Data)

The laws in some jurisdictions require companies to tell you about the legal ground they rely on to use or disclose your personal data. To the extent those laws apply, our legal grounds for processing Controller Data are as follows:

  • Legitimate interests: In most cases, we handle personal data on the ground that it furthers our legitimate interests in commercial activities such as the following in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals:
    • For marketing, advertising, and other communications (including customizing and tailoring all of them for the particular recipient).
    • Protecting our business, personnel and property
    • Providing cybersecurity, including for the protection of personal data
    • Customer service
    • Marketing
    • Analyzing and improving our business; and/or
    • Managing legal issues

    We may also process personal data for the same legitimate interests of our customers and business partners.

    • To honor our contractual commitments to the individual: Some of our processing of personal data is to meet our contractual obligations to individuals, or to take steps at the individuals’ request in anticipation of entering into a contract with them.
    • Consent: Where required by law, and in some other cases, we handle personal data on the basis of consent. Where legally required (e.g., for the use of fingerprints for security purposes in certain jurisdictions), this is explicit consent.
    • Legal compliance: We need to use and disclose personal data in certain ways to comply with our legal obligations.

    3. Additional Information About Our Privacy Practices (applicable to both Processor Data and Controller Data)

      a. Personal Data Rights and Choices (including Direct Marketing Opt-Out)

    We offer the options described below for exercising rights and choices under applicable law. Many of these are subject to important limits or exceptions under applicable law.

    • To exercise rights or choices with respect to Processor Data, please make your request directly to the Fortinet customer for whom we process the data, particularly if the self-service options described below do not fully resolve your concern.
    • You may review and update certain user information by logging in to the relevant portions of the Fortinet Services or Fortinet websites or online services.

    In addition, the law of your jurisdiction (for example, within the European Economic Area) may give you additional rights to request access to and rectification or erasure of certain of your personal data we hold. In some cases, you may be entitled to receive a copy of the personal data you provided to us in portable form or to request that we transmit it to a third party. The law may also give you the right to request restrictions on the processing of your personal data, to object to processing of your personal data, or to withdraw consent for the processing of your personal data (which will not affect the legality of any processing that happened before your request takes effect).

    You may contact us as described below to make these requests.
