// Trust & Security Report

    Fortinet, Inc. (acquired Lacework, Inc. August 2024) logo

    Fortinet, Inc. (acquired Lacework, Inc. August 2024)

    FortiCNAPP (Cloud-Native Application Protection Platform) - comprehensive cloud security suite combining CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform), CIEM (Cloud Infrastructure Entitlement Management), CDR (Cloud Detection and Response), and code security (SAST, SCA, IaC scanning).

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 (listed as a Fortinet corporate compliance certification in the Compliance section of Fortinet's Trust Resource Center). Note: this is a Fortinet, Inc. corporate certification; a FortiCNAPP/Lacework product-specific SOC 2 Type II report post-acquisition was not independently confirmed. The prior proof quote was a pre-acquisition 2018 Lacework press release from a third-party newswire, not the vendor's own domain.

    Verify on trust.fortinet.com
    ISO 27001
    HELD

    ISO/IEC 27001 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification). SOCaaS certified in both ISO27001 and SOC 2') does not appear on the cited product-certifications page and was fabricated.

    Verify on trust.fortinet.com
    ISO 27017:2015
    HELD

    ISO/IEC 27017:2015 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).

    Verify on trust.fortinet.com
    ISO 27018:2019
    HELD

    ISO/IEC 27018:2019 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).

    Verify on trust.fortinet.com
    GDPR
    HELD

    We are committed to complying with the GDPR and supporting our partners and customers in their efforts to comply with the GDPR.

    Verify on fortinet.com
    CSA STAR
    HELD

    CSA STAR (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).

    Verify on trust.fortinet.com
    ISO 9001:2015
    HELD

    ISO 9001:2015 (listed in the Compliance section of Fortinet's Trust Resource Center as a Fortinet corporate certification).

    Verify on trust.fortinet.com
    Common Criteria (ISO/IEC 15408)
    HELD

    Common Criteria (listed as a Fortinet certification on Fortinet's Trust Resource Center and product-certifications pages; applies to select Fortinet security products, not necessarily FortiCNAPP).

    Verify on trust.fortinet.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    HIPAA appears as a compliance item in the Compliance section of Fortinet's Trust Resource Center, but there is no formal 'HIPAA certification' (HIPAA is a US regulation, not a certifiable standard). FortiCNAPP offers HIPAA compliance-mapping as a product feature (see products/notes); this is not a vendor certification. No public evidence of a vendor HIPAA attestation for the product.

    source: trust.fortinet.com
    PCI DSS Compliance Mapping
    NOT CONFIRMED

    This is a FortiCNAPP product feature (compliance mapping), not a vendor certification.

    source: fortinet.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multiple regions with regional data hosting options. Lacework's historical policy mentioned EU data hosted in Frankfurt, APAC data in Australia. Now subject to Fortinet's data residency policies.

    Fortinet's privacy policy does not explicitly address ML/AI model training on customer data or opt-out mechanisms. The policy states Fortinet may use data 'to analyze and improve the Fortinet Services, including responding to new threats and developing new features' but does not specify whether this includes training ML models. For Processor Data (customer data Fortinet handles), companies must request choices directly through their Fortinet customer account. Recommend contacting dsar@fortinet.com for clarification.

    // Security controls

    Encryption in Transit

    TLS/SSL encryption for data in transit

    fortinet.com

    Data Handling - Processor Model

    For most customer data, Fortinet acts as a data processor subject to contractual obligations and GDPR requirements

    fortinet.com

    Regional Data Residency

    Supports regional data hosting with customer choice for data location

    lacework.com

    Zero Trust Architecture

    FortiCNAPP supports zero trust security model with continuous identity and permission assessment

    fortinet.com

    Patented ML Technology

    Lacework acquisition brought 225 patents including cloud security and AI/ML technology to Fortinet

    fortinet.com

    // Products & data scope

    FortiCNAPP - Cloud Security Posture Management (CSPM)Cloud Security

    data: Scans cloud infrastructure configurations (AWS, Azure, GCP) for misconfigurations and compliance violations

    Supports compliance mapping for SOC 2, ISO 27001, PCI DSS, HIPAA, NIST, FedRAMP

    FortiCNAPP - Cloud Workload Protection Platform (CWPP)Cloud Security

    data: Runtime protection for containerized workloads and Kubernetes environments

    Detects threats in running containers and orchestration platforms

    FortiCNAPP - Cloud Infrastructure Entitlement Management (CIEM)Identity & Access

    data: Analyzes cloud identity permissions and access across multi-cloud environments

    Continuous visibility into user roles, groups, and excessive permissions

    FortiCNAPP - Cloud Detection and Response (CDR)Threat Detection

    data: Runtime monitoring and anomaly detection for cloud workloads

    Detects compromised credentials, ransomware, cryptojacking

    FortiCNAPP - Code Security (SAST/SCA/IaC)Code Security

    data: Scans source code and infrastructure-as-code templates for vulnerabilities

    Shift-left security with SAST, SCA, and IaC scanning capabilities

    // What to watch

    • IDENTITY COMPLEXITY: Lacework was acquired by Fortinet (August 1, 2024). The product is now branded as FortiCNAPP, but vendor slug remains 'lacework'. AIFOXX listing title should clarify 'FortiCNAPP (formerly Lacework)' to avoid confusion.
    • CERT INHERITANCE UNCLEAR: Lacework's historical SOC 2 Type II (Sept 2018) is pre-acquisition. It is unclear whether this certification carries forward under Fortinet/FortiCNAPP or whether a new assessment was required post-acquisition. Recommend verifying current FortiCNAPP product-specific certifications via trust.fortinet.com.
    • OVER-CLAIM RISK: Marketing materials state FortiCNAPP 'supports' or 'maps to' compliance frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS). This describes a PRODUCT FEATURE (helping customers meet compliance), not vendor certifications. Marketing should clearly separate 'compliance-mapping capabilities' from 'Fortinet's own certifications'.
    • ML TRAINING UNCLEAR: No explicit policy statement found regarding whether Fortinet trains machine learning models on customer data or offers opt-out. Fortinet's privacy policy mentions using data 'to improve services and develop new features' but does not specify ML training. This gap should be flagged for vendor clarification.
    • RECENT ACQUISITION: Acquisition completed August 2024 (less than 2 years old). Product certifications post-integration with Fortinet may be in transition. Recommend contacting Fortinet to confirm whether FortiCNAPP has been assessed for separate product-level certifications or inherits Fortinet corporate certs.

    // At a glance

    Pricing model

    SaaS subscription-based, pricing typically per cloud asset or resource unit, with tiered enterprise plans

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Fortinet, Inc. (acquired Lacework, Inc. August 2024)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.fortinet.com

    > Browse all vendor trust reports