// Trust & Security Report

    Fortinet, Inc. logo

    Fortinet, Inc.

    FortiAI - AI-driven security platform comprising three main components: FortiAI-Protect (real-time threat detection and AI governance), FortiAI-Assist (generative AI for SOC automation), and FortiAI-Secure (AI infrastructure and LLM data protection)

    Certifications held

    17

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Managed FortiGate Service is certified in both ISO 27001 and SOC2 Type 2. Additionally, as part of SOC 2 Type II audit, Fortinet worked with an independent auditor to achieve an additional level of certification against an expanded control set, including control alignment against the HIPAA Security Rule.

    Verify on fortinet.com
    ISO/IEC 27001
    HELD

    Managed FortiGate Service is certified in both ISO 27001 and SOC2 Type 2. SOCaaS is certified in both ISO27001 and SOC 2.

    Verify on fortinet.com
    ISO/IEC 27017:2015
    HELD

    Listed as a certified standard in Fortinet's Trust Resource Center certifications and compliance standards

    Verify on trust.fortinet.com
    ISO/IEC 27018:2019
    HELD

    Listed as a certified standard in Fortinet's Trust Resource Center certifications and compliance standards

    Verify on trust.fortinet.com
    GDPR Compliance
    HELD

    Fortinet supports and complies with GDPR. For certain Fortinet services where Fortinet acts as a processor, a data processing agreement is available upon request.

    Verify on fortinet.com
    HIPAA
    HELD

    Fortinet worked with an independent auditor to achieve SOC 2 Type II certification against an expanded control set, including control alignment against the HIPAA Security Rule. FortiCare Support System, FortiEDR System and MDR Services, FortiWeb Cloud, FortiSIEM Cloud, and FortiClient Cloud have SOC 2 Type II reports with HIPAA compliance coverage.

    Verify on fortinet.com
    CSA STAR
    HELD

    CSA STAR Registry listed among Fortinet's certifications and compliance standards in Trust Resource Center

    Verify on trust.fortinet.com
    Common Criteria (ISO/IEC 15408)
    HELD

    Common Criteria - An international standard (ISO/IEC 15408) operated by 17 certificate authorizing nations and accepted by 31 nations

    Verify on fortinet.com
    FIPS 140-2 and FIPS 140-3
    HELD

    FIPS standards - Standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST)

    Verify on fortinet.com
    ISO 9001:2015
    HELD

    ISO 9001:2015 listed among Fortinet's certified standards

    Verify on trust.fortinet.com
    DoDIN APL (Department of Defense Information Network Approved Products List)
    HELD

    DoDIN APL listed among Fortinet's government and defense certifications

    Verify on fortinet.com
    NSA CSfC (Commercial Solutions for Classified)
    HELD

    NSA CSfC listed among Fortinet's government and defense certifications

    Verify on fortinet.com
    TAA Compliance (Trade Agreements Act)
    HELD

    TAA Compliance listed among Fortinet's government certifications

    Verify on fortinet.com
    ISMAP (Japan Information System Security Management and Assessment Program)
    HELD

    ISMAP listed among Fortinet's cloud and regional standards certifications

    Verify on fortinet.com
    TISAX (Automotive Industry, European)
    HELD

    TISAX listed among Fortinet's cloud and regional standards certifications

    Verify on fortinet.com
    EU Cyber Resilience Act (CRA)
    HELD

    EU CRA listed among Fortinet's certifications in Trust Resource Center

    Verify on trust.fortinet.com
    IEC 62443 (Industrial Control Systems Security)
    HELD

    IEC 62443 listed among Fortinet's certifications

    Verify on trust.fortinet.com
    > Show 1 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    Fortinet has added a new AI Governance card on their Trust Portal and published 'Fortinet Principles for Responsible Artificial Intelligence Use and Development', indicating alignment with ISO 42001:2023 principles. However, no formal ISO 42001 certification is claimed.

    source: fortinet.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region support available; customers can specify geographic location for data storage to comply with local data regulations like GDPR

    FortiAI explicitly does NOT use customer data to train its AI models. Models are trained on Fortinet's own threat intelligence dataset. Fortinet implements multiple safeguards including: (1) customer data is not exposed or provided access to the GenAI engine, (2) data used in GenAI assistant queries is not permitted to train the LLM, (3) queries are processed locally where possible to prevent data leaving the network, (4) sensitive information is blocked or masked before reaching the language model.

    // Security controls

    Encryption in transit

    Standard encryption for all cloud services and data transmission

    fortinet.com

    Data isolation

    Customer data isolation enforced; customer data not exposed to other customers or to AI training systems

    fortinet.com

    Threat intelligence foundation

    AI models trained on Fortinet's global threat intelligence dataset (world's largest and most diverse threat intelligence datasets)

    fortinet.com

    Global data centers

    Multi-region cloud infrastructure with optional data residency choices

    docs.fortinet.com

    // Products & data scope

    FortiAI-ProtectAI Security and Threat Detection

    data: Network traffic, file behavior, shadow AI detection, prompt monitoring

    Real-time threat blocking using deep learning. Detects emerging threats, prioritizes responses with contextual risk assessment, minimizes false positives. Discovers and categorizes AI applications in use and their risk levels. Blocks unauthorized prompts. Does not train on customer data.

    FortiAI-AssistGenerative AI for Security Operations

    data: Security events, incident investigation, threat hunting queries

    Guides and optimizes SOC analyst experience using generative AI. Automatically interprets security events, generates summaries, impact assessments, and remediation recommendations. Automates security tasks (policy updates, configuration corrections). Offers choice of OpenAI or Microsoft Azure OpenAI LLMs. Available cloud or on-premises deployment. Keeps customer data private; does not expose data or permit GenAI engine to use customer data for training.

    FortiAI-SecureAI Infrastructure and LLM Security

    data: AI models, LLM data, AI workloads, cloud AI applications

    Secures AI infrastructure from network-based threats. Prevents data leakage from large language models. Monitors cloud AI workloads for unusual behavior. Integrates multiple security components: real-time threat protection, application-layer security, cloud-native workload protection, data loss prevention. Available as part of Fortinet Security Fabric.

    // What to watch

    • FortiAI products do not have explicit product-level SOC 2 or ISO 27001 certifications listed on product pages. The certifications listed apply to Fortinet as a company and to specific services (Managed FortiGate Service, SOCaaS, FortiEDR, etc.) but not explicitly to FortiAI platform itself. Fortinet relies on company-level certifications but should clarify which FortiAI services inherit or are covered under specific audit reports.
    • ISO/IEC 42001 (AI Management System): Fortinet discusses alignment with AI governance principles and published 'Principles for Responsible Artificial Intelligence Use and Development' but does NOT hold a formal ISO 42001 certification. This is correctly marketed as a governance commitment rather than a certification.
    • PCI DSS: Fortinet provides tools and solutions to help achieve PCI DSS compliance (FortiDLP policy templates, FortiGate hardening guides) but does not claim FortiAI or other specific products are formally PCI DSS certified.
    • HIPAA coverage for FortiAI: The published HIPAA compliance applies to specific Fortinet products (FortiCare, FortiEDR, FortiWeb Cloud, FortiSIEM Cloud, FortiClient Cloud) with BAA available, but no explicit mention of FortiAI products being HIPAA-covered in published documentation.

    // At a glance

    Pricing model

    Not disclosed on product pages; likely subscription-based with per-appliance or per-seat pricing common for Fortinet products

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Fortinet, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.fortinet.com

    > Browse all vendor trust reports