F5 Application Security Cloud and Bot Protect Services Privacy Statement

Published on: 10 October 2019


F5’s Application Security Cloud and Bot Protect service (the “Service”) monitors visits to F5 customers’ online properties and provides the customers with an assessment of the security/fraud risk of a particular visit. The customer may then decide whether to permit the visit, subject it to additional screening, block it, or take other actions.  This Privacy Statement applies to the data that the Service uses.

Roles of the Parties

Under the data protection laws of the EU and similar jurisdictions, F5 is a controller of the personal data we collect and create through the Service.  The customer is also a controller of the data that we collect from their online properties or share with the customer about visits to those properties.  F5 and the customer have contractually agreed to limitations on their use of the data obtained through the Service.

Personal Data Collected by the Service

The Service collects data from two sources:

  • The browsers and devices of visitors to the customer’s online properties.  We use automated means such as cookies, web beacons, JavaScript, mobile-device functionality and other computer code to collect this data.  These technologies are described more generally in the F5 Privacy Notice.
  • F5 hardware or plugins integrated with F5 customer’s application and associated logs, in the customer’s network.

The following data are collected:

  • Current IP address of the device that is visiting the customer’s online properties;
  • Other information about the device, such as operating system information and browser brand and configuration;
  • A unique F5-assigned code for that particular device (such as in the form of a unique number that F5 may store in a cookie on the device);
  • Information about the device’s interactions with the online property, including a record of visits;
  • Other technical data that may be used to screen for malicious activity; and
  • In limited cases, a username or other similar information about the visitor to the customer’s online property.

Data Retention

F5 currently intends to retain the personal data it collects through the Service as long as it remains useful for the security purposes described below.  F5 will conduct periodic testing and analysis to determine and confirm this retention period.  F5 anticipates that this period will exceed one year, given the security usefulness of the data, and given the long-term relationship that many users have with our customers’ online properties.  When F5 determines that further retention of the data does not improve security, F5 will delete it unless legally required to retain it.  The period of time for which F5 may be legally required to retain the data will vary depending on the nature of the legal requirement.  Data kept in backups may persist longer than the original data.

Use and Sharing of the Personal Data

F5 uses and shares the data to protect the security of the online properties that use the Services.  This involves providing a customer with (i) some of the information we collect about the user or their device in connection with that customer’s online property and (ii) our opinion of the security risk of the user’s visit.  To help with this process, F5 observes the user’s device over time as it visits the online properties of multiple F5 customers.

Subject to F5’s contract with the customer, we also use the data in the ways described in Section 2 of the F5 Privacy Notice (except the purposes relating to marketing, advertising, surveys).

Legal Basis for Processing

The laws in some jurisdictions require companies to tell you about the legal grounds that allow them to use or disclose your personal data.  When those laws apply, our legal ground for the core operation of the Service (including collecting the data, analyzing it, and providing risk scores and related data to our customers) is the legitimate interest that we and our customers have in protecting the security of our customers’ online properties.  Depending on the customer, this processing also is justified by its necessity for the performance of a task carried out in the public interest (i.e., cybersecurity, including the protection of personal data).  Some customers may also obtain user consent to the processing.  Information about the legal basis for our other processing activities appears in Section 3 of the F5 Privacy Notice.

What to Do If Your Access to an Online Property Has Been Blocked

If you believe that the Service has improperly blocked or restricted your access to a customer’s online property, please contact that customer to request restoration of your access.

More Information

For more information about F5’s privacy practices, including how to contact us to exercise any rights you may have regarding the personal data that we collect through the Service, please see the F5 Privacy Notice. To exercise your rights with respect to data that a customer receives about you from the Service, please contact the customer.