Mimecast Transfer Impact Assessment

    Data privacy regulations are designed to protect Personal Data (as defined in our standard Data Processing Addendum) and, accordingly, impose obligations on organizations that collect, process, and/or store Personal Data, no matter where they may be located. Mimecast is committed to compliance with those data privacy regulations which are applicable to the services we provide as a processor of Personal Data (as defined in applicable data privacy regulations), and to assist our customers in their compliance efforts as well. This document aims to provide our customers who are data exporters from the European Economic Area ("EEA")/European Union ("EU"), the United Kingdom (“UK”) or Switzerland with the information they need when completing their own data transfer impact assessments pursuant to the Schrems II decision and the applicable standard contractual clauses.

    Section 1: Overview

    What Products/Services does Mimecast provide?

    Mimecast is an AI-powered, API-enabled connected Human Risk Management platform, purpose-built to protect organizations from the spectrum of cyber threats. Integrating cutting-edge technology with human-centric pathways, our platform enhances visibility and provides strategic insight that enables decisive action and empowers businesses to protect their collaborative environments, safeguard their critical data and actively engage employees in reducing risk and enhancing productivity. More than 42,000 businesses worldwide trust Mimecast to help them keep ahead of the ever-evolving threat landscape. From insider risk to external threats, with Mimecast customers get more. More visibility. More insight. More agility. More security.

    An overview of the different Products offered by Mimecast can be viewed here.

    What types of Personal Data does Mimecast process?

    Our customers control Customer Data (defined in our General Terms and Conditions) processed via Mimecast’s services, including any Personal Data within Customer Data that may relate to any end users (such as employees, customers, or suppliers) as further described in Mimecast’s Mimecast’s Processing Details. No sensitive data or special categories of data are intended to be processed through the services but may be contained in the content of messages and/or files. Customers remain responsible for any further compliance requirements which may apply to such Personal Data – including ensuring a lawful basis for processing.

    Contractual basis for processing

    Where Mimecast processes Personal Data as a data processor, Mimecast complies with the obligations set out in Mimecast’s General Terms and Conditions and, where the customer has opted to sign a data processing agreement, Mimecast’s Data Processing Addendum  (“DPA”). The DPA includes the data processor obligations required under Art. 28 GDPR and UKGDPR and incorporates dynamic links to Mimecast’s Processing Details, Third-Party Subprocessors, and Technical and Organizational Measures. The DPA also incorporates the EU SCCs and UK Addendum (as defined below).

    Where do we process and store Personal Data?

    Depending on the Services purchased, Personal Data is processed and stored in the Hosting Jurisdiction selected by our customers upon onboarding. Primary Hosting Jurisdictions are located in Germany, UK, South Africa, Jersey, USA, Australia, and Canada. All Hosting Jurisdictions are identified on our Customer ordering documentation.

    Additionally, pursuant to Section 2 below, Personal Data may be processed in these regions, as well as others identified on the Trust Center, for the purposes of providing technical support, ensuring the proper working of the services, or as otherwise identified in Mimecast’s General Terms and Conditions.

    Section 2: Details of Data Transfers

    Mimecast Support

    Mimecast is a global organization with a “follow the sun” support model. Customer Data, primarily message metadata (e.g., to/from email addresses, headers, dates) or file activity metadata (e.g. name, email address, IP address), may be accessed by our personnel globally for the purposes of providing technical support, ensuring the proper working of the services, and/or as otherwise identified in our General Terms and Conditions. Message and/or file content would generally be accessed by support personnel when a customer submits a request which includes the necessary data. Support may be provided from any of our Support Locations.

    Any manual access rights are restricted to a small set of Mimecast personnel who have been approved by Mimecast’s security team, assigned specific permissions, and are under a duty of confidentiality. Access to content of messages and/or files by Mimecast personnel requires a logged reason and activity is visible on our customers’ audit logs. Additionally, such access is logged in Mimecast’s internal Security Information and Event Management System and monitored by Mimecast’s security team. Security and privacy controls are consistent across the organization and Personal Data will be as protected as if it were resident within the Hosting Jurisdiction.

    For the purposes of cross-border transfers pursuant to the above, Mimecast affiliates have entered into an Intercompany Agreement which incorporates the EU and UK Standard Contractual Clauses as a data transfer mechanism.

    Third-Party Subprocessors

    Mimecast engages Third-Party Subprocessors to assist with the provision of certain services. Mimecast takes measures to evaluate the data privacy and security practices of each Third-Party Subprocessor prior to permitting the processing of any Personal Data. We enter into written data processing agreements with all our Third-Party Subprocessors which include commitments regarding their security and data protection controls, including onward transfers. As required under applicable data protection regulations, we remain liable for the acts and omissions of these Third-Party Subprocessors.

    Details of Mimecast’s Third-Party Subprocessors (including their processing locations and reason for transfer) can be found here.

    Section 3: Adequate Safeguards

    The EU and UK granted adequacy decisions to certain countries where a comparable level of protection of Personal Data to that of the EU and UK is offered. These adequacy decisions are published here:

    For those countries without an adequacy decision, Mimecast currently relies on standard contractual clauses, as approved by the relevant supervisory authority or applicable law, as a valid transfer mechanism.

    • For transfers from the EU, Mimecast implements the standard contractual clauses set out in the European Commission’s Decision of 2021/914 of 4 June 2021 (“EU SCCs”), with the appropriate module(s) selected (e.g., controller-to-processor, or processor-to-processor).

    • For transfers from the UK, Mimecast implements the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018 (“UK Addendum”).

    Mimecast has implemented Technical and Organizational Measures designed to protect Personal Data. This includes encrypting Personal Data with a high standard of encryption while at rest and in transit.

    Mimecast has a mature Assessment, Certification and Attestation Program in place which provides assurance of effective risk management through Mimecast’s compliance with established, widely recognized, frameworks and programs.

    More information around Mimecast’s Assessment, Certification and Attestation Program, including details of Mimecast’s information Management Systems, certifications and attestations may be found on our Trust Center.

    For those customers and prospects who wish to take a deeper dive into Mimecast’s controls, policies and certifications, Mimecast makes available a confidential Security Pack which includes copies of Mimecast’s Information Security & Business Continuity Policies, ISO certifications and our independently audited SOC Report. Customers and prospects should reach out to their Mimecast Representative for further details.

    Section 4: US Surveillance Laws

    On June 18, 2021, the European Data Protection Board (EDPB) published its final guidance on the Schrems II decision, which includes a recommendation that data importers provide data exporters with information to assess whether there is a risk to Personal Data being subject to mass surveillance or unauthorized access where the EU/UK has determined the regulations of the data importer’s country are inadequate.

    Transfers to the US

    For certain services and Hosting Jurisdictions, Mimecast makes onward transfers to Third-Party Subprocessors in the U.S. Technical support may also be provided by Mimecast’s Affiliate in the U.S.

    Is Mimecast subject to U.S. Executive Order 12333 ("E.O. 12333")?

    No. E.O. 12333 is a general directive organizing U.S. intelligence activities and does not contain any authorizations for U.S. agencies or authorities to compel private companies to disclose personal data.

    Is Mimecast subject to 50 U.S.C. § 1881A (also known as S.702 of the Foreign Intelligence Surveillance Act, "FISA S. 702")?

    Mimecast Services Limited is a UK headquartered entity with affiliates incorporated worldwide, including the U.S. (see our locations listed here). From time-to-time, Mimecast North America, Inc. may receive U.S. government requests, subpoenas, and court orders, including those issued by the Foreign Intelligence Surveillance Court under FISA S. 702 with respect to Personal Data imported from the UK, Switzerland and/or the EU.

    Does Mimecast fall within the definition of “Electronic Communications Service Provider” under FISA S. 702?

    “Electronic Communications Service Provider” is defined broadly and encompasses telecommunication carriers, providers of electronic communications services, and remote computing services (e.g., cloud storage providers). The Department of Justice has also confirmed that other communications service providers that have access to wire or electronic communications (in transit or in storage) are included in the definition. Under this broad definition, Mimecast (as a cloud storage provider) would be considered an electronic communications provider.

    How would Mimecast respond to government requests to access personal data of our customers?

    We do not disclose Customer Data in response to government requests unless we are required to do so to comply with applicable laws, regulations, legally valid subpoenas or binding court orders. From time-to-time, Mimecast North America, Inc. receives U.S. government requests, subpoenas and court orders, including those issued by the Foreign Intelligence Surveillance Court under FISA S. 702.

    It is often the case that Mimecast either does not have or is not the appropriate source for the data requested. Mimecast offers an AI-powered, API-enabled connected Human Risk Management Platform. We do not host our customers’ email servers.

    We carefully review any government requests we receive to ensure they satisfy applicable law and we respond in accordance with our General Terms and Conditions. Where allowed by law, Mimecast will provide reasonable prior written notice to the customer to permit customer to seek a protective order and will provide reasonable assistance to customers wishing to challenge the validity of the order (at the customer’s expense). Mimecast will disclose only that data that is reasonably necessary to meet the applicable legal order or requirement.

    What safeguards are in place in the U.S. for governmental access to data?

    The Executive Order signed by the U.S. President on 7 October 2022 on ‘Enhancing Safeguards for United States Signals Intelligence Activities'. ("E.O.") introduces new binding safeguards to address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020 by limiting access to EU data by U.S. intelligence services and establishing a Data Protection Review Court. Specifically, the E.O. provides for:

    • Binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security;
    • The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by U.S. national security authorities; and
    • The requirement for U.S. intelligence agencies to review their policies and procedures to implement these new safeguards. The E.O. may be viewed here.

    To what extent can individuals enforce rights and seek redress in relation to both data protection infringements and public disclosure or surveillance activity through judicial and/or administrative processes?

    The E.O. creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal data collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O. More information can be found at: https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

    Section 5: Data Privacy Framework

    The EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension”) and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar) and Switzerland that are consistent with EU, UK, and Swiss law.

    Mimecast North America, Inc. has self-certified its compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF to the International Trade Administration and publicly commits to the DPF Principles here.

    For more information on how Mimecast collects, uses, transfers, discloses, and/or retains certain Personal Data that we receive in the United States from the European Economic Area, the United Kingdom and Switzerland, please visit our Data Privacy Framework Statement  on the Trust Center.

    Section 6: Risk to Data Subjects

    Risk Assessment

    The transfer of Personal Data to Mimecast is an integral part of the services which Mimecast provides to its customers.

    Mimecast offers an AI-powered, API-enabled connected Human Risk Management Platform. We do not actually host our customers’ email servers. Therefore, Mimecast does not believe that it holds personal data that is of interest to U.S. authorities. Relevant data would be more likely held by other vendors, and U.S. authorities would be likely to approach those other vendors directly.

    Further, it should be noted that for most services, the applicable Hosting Jurisdiction and retention periods are selected by our customers. Therefore, if the customer does not select the U.S. as its Hosting Jurisdiction, there would be limited data transferred or accessed in the U.S., except for the purposes described in Section 3. Once our customer’s selected retention period has expired, Customer Data is deleted in accordance with Mimecast’s data deletion policies, unless otherwise required by applicable law.

    Based on the information provided herein, the residual risk to Data Subjects as a result of a transfer to the U.S. via Mimecast services would be considered to be low and a significant risk of harm does not appear to be present. Based on this assessment, the protection measures set out in Section 3 above, together with the additional safeguards provided above, would be deemed sufficient to limit the risk of harm to Data Subjects.

    “Data Subjects”, means all individuals, understood as natural persons, which are identified under Processing Details on Mimecast’s Trust Center.

    In addition to the above, the Department for Science, Innovation and Technology (“DSIT”) has analyzed the relevant legal framework and practice in the US in relation to the UK Extension in order to determine whether it provides an adequate level of protection for personal data.

    On the basis of the analysis set out here, DSIT considers that the provisions of the UK Extension and other relevant US laws and practices provide an adequate level of protection for UK personal data, and do not undermine the level of protection that UK Data Subjects enjoy under the UK GDPR, when that data is transferred to certified US organizations.

    Back to Top