Privacy
ISO-27001 ISO-22301 ISO-27701 SOC2 HIPAA
References in this section refer to attestations and reports which can be provided on request - tmo@mimecast.com
Processing Purposes
SOC2 (Trust Principle section)
Complementary controls
HIPAA
Section 4 - HIPAA Security Rule
Consent and Privacy Notice
SOC2 (Trust Principle section)
Tests of operating effectiveness
HIPAA
Section 4 - HIPAA Security Rule
Authority to Process
SOC2 (Trust Principle section)
Complementary controls
HIPAA
Section 4 - HIPAA Security Rule
Policy and Procedures
ISO-27001
Policy (section 5 controls)
Classification of information (section 8 controls)
ISO-27701
Customer agreement (section 8 controls)
ISO-22301
General (section 8 controls)
SOC2 (Trust Principle section)
Components of the system
Additional criteria for Privacy
HIPAA
Section 4 - HIPAA Security Rule
Mimecast maintains a documented data protection program with administrative, technical, and physical safeguards for the protection of scoped data.
Mimecast is ISO-27701 certified and can provide tenants with our Statement of Applicability and Information Security Policy.
No third parties have logical access to customer data, nor is data shared with affiliates. Outside of the email service that Mimecast provides, which gives customers the ability to transfer data, Mimecast does not transfer customer information. Mimecast is an email archive and we do not provide functionality to amend previously sent or received emails. End user details, however, can be amended.
Personally Identifiable Information and Personal Health Information are specific to the customer's environment, and the customer would be in control of what data is transmitted over email. The Mimecast offering is to process and store email, not to collect personal information for the provision of the services, apart from account set-up information. Customer Data is only hosted within the country where their production grid was selected and contractually agreed upon; however, there are occasions where Mimecast transfers data cross-border to Third Countries, to Mimecast affiliates and certain third parties, to provide its services to Customers. In these cases, Mimecast utilises government-approved Standard Contractual Clauses and secure communication methods.
Access Control Policy/Procedures and aligned NIST controls govern Mimecast's commitment to need-to-know access. Such activity is controlled through documentation, authorisation/deauthorisation, and periodic review.