Privacy

    Privacy

    ISO-27001    ISO-22301    ISO-27701    SOC2    HIPAA

    References in this section refer to attestations and reports which can be provide by on request - tmo@mimecast.com

    SOC2 (Trust Principle section)
    Complementary controls

    HIPAA
    Section 4 - HIPAA Security Rule
    SOC2 (Trust Principle section)
    Tests of operating effectiveness

    HIPAA
    Section 4 - HIPAA Security Rule
    SOC2 (Trust Principle section)
    Complementary controls

    HIPAA
    Section 4 - HIPAA Security Rule
    ISO-27001
    Policy (section 5 controls)
    Classification of information (section 8 controls)

    ISO-27701
    Customer agreement (section 8 controls)

    ISO-22301
    General (section 8 controls)

    SOC2 (Trust Principle section)
    Components of the system
    Additional criteria for Privacy

    HIPAA
    Section 4 - HIPAA Security Rule
    Mimecast maintain a documented data protection program with administrative, technical, and physical safeguards for the protection of scoped data.

    Mimecast is ISO-27701 certified and can provide tenants with our Statement of Applicability and Information Security Policy.

    No third parties have logical access to customer data nor is data shared with affiliates. Outside of the email service that Mimecast provides, which gives customers the ability to transfer data, Mimecast does not transfer customer information. Mimecast is an email archive and we do not provide functionality to amend previously sent or received emails. End user details however can be amended.

    Personally Identifiable Information and Personal Health Information is specific to the customers environment and the customer would be in control of what data was transmitted over email. The Mimecast offering is to process and store email not to collect personal information for the provision of the services apart from account set up information. Customer Data is only hosted within the country where their production grid was selected and contractually agreed upon, however there are occasions where Mimecast transfers data cross-border to Third Countries to Mimecast affiliates and certain third parties to provide its services to Customers. In these cases, Mimecast utilise government approved Standard Contractual Clauses and secure communication methods.

    Access Control Policy/Procedures and aligned NIST controls govern Mimecast commitment to need to know access. Such activity is controlled through documentation, authorisation/deauthorisation, and periodic review.
    Back to Top