Compliance

FortiAppSec Cloud helps ensure compliance with data protection regulations by offering features like secure data handling, access control, and audit logging, supporting your operational needs.

Notable Data Protection Regulations

The following list highlights widely recognized regulations but is not exhaustive of all data protection and privacy laws that may apply.

  • General Data Protection Regulation (GDPR) is an EU regulation that governs the processing of personal data of individuals in the European Economic Area (EEA) to protect data privacy.

    While there is no single, universally recognized GDPR certificate, organizations that handle personal data of EU residents can undergo third-party audits to verify compliance. FortiAppSec Cloud supports GDPR compliance by enabling secure data transfer and ensuring that data belonging to EU residents remains within EU-based data centers.

  • Health Insurance Portability and Accountability Act (HIPAA) is a U.S. regulation that protects personal health information (PHI) by enforcing strict security and privacy standards.

    While there is no official HIPAA certification, companies handling PHI can undergo third-party audits to verify compliance.

Different countries may have specific regulations that apply. It is important to stay informed and up to date on the regulations relevant to your regions of operation, and configure your settings accordingly.

For assistance, please contact our support team.

General

Logging and Auditing

Maintaining traffic logs and server access logs is crucial for audit trails and compliance with data access and processing requirements. By monitoring and logging security events, including incidents and anomalies, you can track potential security breaches and unauthorized access attempts.

Geo-location tagging and traffic monitoring can help identify whether any breaches or violations, such as those defined by HIPAA or GDPR, have occurred by providing detailed logs of access requests to specific data centers.

Sample Regulations to Note
  • General Data Protection Regulation (GDPR):

    • Article 30 requires audit logs to ensure proper handling of Personally Identifiable Information (PII).

    • Article 33 requires breach logs to identify when and how breaches occurred.

How to meet regulations with FortiAppSec Cloud

FortiAppSec supports regulatory compliance by providing robust audit and logging capabilities. It logs every administrative action and configuration change, and securely retains all audit logs for future review and accountability. These logs help demonstrate operational transparency and support forensic analysis if needed.

  • Go to General > Audit Logs to view logs.

  • Go to General > Reports to configure scheduled email reports.

WAF

Secure data processing

The Web Application Firewall's features help ensure compliance with regulatory frameworks concerning technical measures for securing data processing by preventing attacks, securing access, logging events, and ensuring real-time monitoring.

The WAF and Threat Analytics services are also SOC 2 compliant.

Sample Regulations to Note
  • General Data Protection Regulation (GDPR): The following articles outline key aspects of the GDPR that FortiAppSec Cloud WAF can help support through secure configuration. For complete details, please refer to the full text of each article.

    • Article 25 – Data protection by design and by default: Requires the integration of data protection measures from the outset.

    • Article 32 – Security of processing: Mandates the implementation of technical and organizational measures to ensure a level of security appropriate to the risks.

How to meet regulations with WAF

FortiAppSec Cloud's WAF service is SOC 2 compliant, indicating that it has met rigorous standards for security, availability, and confidentiality. To further strengthen your application’s data protection posture, enable WAF modules such as Data Loss Prevention, Machine Learning-based Threat Detection, Security Rules, File Protection, and Information Leakage Prevention.

For instructions on enabling WAF modules, please refer to Add and Remove Modules.

Advanced Bot Protection

Data Protection

Advanced Bot Protection supports regulatory compliance by helping you demonstrate appropriate technical measures for securing personal data.

Sample Regulations to Note
  • General Data Protection Regulation (GDPR): The following articles outline key aspects of the GDPR that FortiAppSec Cloud can help support through secure configuration. For complete details, please refer to the full text of each article.

    • Article 5 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

    • Article 32 – Security measures used to protect personal data must be regularly tested, assessed, and evaluated to ensure they remain effective.

How to meet regulations with Advanced Bot Protection

Enable Advanced Bot Protection to demonstrate "appropriate technical measures" under GDPR by reducing the risk of unauthorized processing and enabling timely detection, reporting, and response to security incidents.

Our professional engagement team will analyze your application and apply tailored protections for you, so you do not need to configure specific settings yourself to meet regulatory requirements.

GSLB

Data Region

Data Region regulations dictate restrictions on where data must be stored and processed, or the requirements associated with moving data between regions.

Sample Regulations to Note
  • General Data Protection Regulation (GDPR): The following articles outline key aspects of the GDPR that FortiAppSec Cloud can help support through secure configuration. For complete details, please refer to the full text of each article.

    • Articles 44–50 – Restrict the transfer of personal data outside the EU to countries with an adequacy decision or to those with appropriate safeguards in place, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other measures like approved codes of conduct or certifications.

How to meet regulations with GSLB

To ensure compliance with legal data boundaries, limit the geographic areas to which sensitive data is routed. For example, traffic from the EU should only be routed to servers in countries that have received GDPR Adequacy decisions.

You can achieve this by using regional data centers and geolocation-based routing. To deploy regional data centers,

  1. Go to Virtual Server > Data Center.

  2. Click Add Data Center.

  3. Set the Region to a location that complies with your applicable data protection regulations.

  4. Repeat steps 1 through 3 until you have covered all desired regions of operation.

To use geolocation-based routing, please refer to Virtual Server Configuration Example: Load-Balancing by Geolocation.
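The data-boundary rule described above (route EU-origin traffic only to compliant regions, and never widen the boundary during failover) as an added illustration; this is not FortiAppSec Cloud code, and the IP-to-country table, the country-to-boundary mapping, the allowed-region policy and the data-center list are constructed sample data that you would replace with your own geo-IP source and legal review.

```python
"""Geo-aware data-center selection that keeps traffic inside a legal data boundary.

Added example, not FortiAppSec Cloud code. GEOIP, BOUNDARY_OF_COUNTRY,
ALLOWED_REGIONS and the data-center list are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class DataCenter:
    name: str
    region: str      # the Region you would set under Virtual Server > Data Center
    healthy: bool    # result of the load balancer's health check


# Constructed lookup: client prefix -> ISO country code (a real deployment uses a geo-IP database).
GEOIP = {ip_network("192.0.2.0/24"): "DE", ip_network("198.51.100.0/24"): "US"}

# Constructed policy: which data boundary a client country belongs to, and which
# data-center regions that boundary may be routed to. For "EU" this would list EU
# regions plus regions you have verified hold an adequacy decision or another
# Art. 44-50 safeguard; the values here are placeholders, not a legal determination.
BOUNDARY_OF_COUNTRY = {"DE": "EU", "FR": "EU", "US": "US"}
ALLOWED_REGIONS = {"EU": {"eu-central", "eu-west"}, "US": {"us-east", "us-west"}}


def client_boundary(ip: str) -> Optional[str]:
    """Map a client address to its data boundary, or None when the origin is unknown."""
    addr = ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return BOUNDARY_OF_COUNTRY.get(country)
    return None


def select_data_center(ip: str, centers: List[DataCenter]) -> Optional[DataCenter]:
    """Return the first healthy data center inside the client's boundary, else None.

    Fails closed: an unknown origin is not guessed, and if every in-boundary
    center is down the request is refused rather than failed over to a
    non-compliant region. `centers` is in preference order.
    """
    boundary = client_boundary(ip)
    if boundary is None:
        return None
    allowed = ALLOWED_REGIONS[boundary]
    for dc in centers:
        if dc.region in allowed and dc.healthy:
            return dc
    return None
```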
