Mimecast DPA - Frequently Asked Questions

    As part of our Services to our customers, Mimecast Processes Customer Data which may contain Personal Data. Certain data protection legislation (including the GDPR) requires a written agreement to be put in place which sets out the legal framework under which Mimecast Processes Personal Data. For this reason, we make our standard pre-signed Data Processing Addendum (“DPA”) available if you require one.

    Mimecast’s DPA is specifically tailored to our unique, cloud-based platform and is aligned with the way our Services and multi-tenant infrastructure work. To help you develop a better understanding of our DPA, we have put together these FAQs to answer some of the most commonly asked questions. All capitalized terms used in this document will have the same meaning as set out in our DPA.


    1) Is my organisation’s own DPA suitable?

    2) What are the respective roles of Mimecast and Customer under the DPA?

    3) Which Customer entities can be a party to the DPA?

    4) Can our affiliates be a party to Mimecast’s DPA?

    5) How can we execute Mimecast’s DPA?

    6) What data does Mimecast process?

    7) Where is my data stored?

    8) What technical and organizational measures are in place?

    9) Can we ask Mimecast to agree to our own security measures?

    10) Does Mimecast transfer personal data to Third Countries? If so, what valid transfer mechanisms are in place?

    11) We have a DPA in place which incorporates the ‘old’ Standard Contractual Clauses (SCCs) – can we get these updated?

    12) Does Mimecast engage subprocessors?

    13) How will Mimecast notify me of new subprocessors?

    14) How will Mimecast notify me in the event of a Security Breach?

    15) Can we be notified within 24 hours instead of 48 hours of a Security Breach?

    16) What happens upon termination of the Services? Do we automatically get our data back?

    17) How are data subject access requests handled?

    18) How will Mimecast assist us if we need to conduct a Data Protection Impact Assessment?

    19) Is Mimecast certified under the EU-U.S. Data Privacy Framework, the UK extension and the Swiss-U.S. Data Privacy Framework?

    20) Has Mimecast appointed a Data Protection Officer and, if so, how can they be reached?

    21) What if we have additional data privacy-related questions regarding the Services?

    Is my organisation’s own DPA suitable?

    No. Because we provide standardized, off-the-shelf SaaS services globally to more than 42,000 customers, we need to ensure that our contractual commitments and obligations remain consistent across our entire customer base. Accepting bespoke changes for specific customers would lead to inconsistency in our processes, and we need to be able to serve all customers, spanning a range of industry sectors with differing priorities, on the same terms.

    To date, we have not seen a customer DPA that fully reflects our unique, cloud-based Services. We have found that negotiating customer DPAs can cause significant delays and incur legal expenses for both sides. So, to facilitate customer onboarding, we have designed a document which reflects the endpoint of standard negotiations.

    Mimecast’s DPA has been carefully drafted with customer requirements in mind and addresses matters such as audit rights, breach notification, transfers of data, and the technical and organizational measures we have implemented. The DPA also incorporates other requirements under Article 28 of the GDPR for contracts between controllers and processors, the requirements for businesses and service providers under the California Consumer Privacy Act of 2018, as amended by the CPRA (“CCPA”), as well as certain other requirements pursuant to Applicable Data Protection Law. Mimecast’s DPA is also drafted to interoperate seamlessly with Mimecast’s General Terms and Conditions and other relevant Mimecast documentation.

    What are the respective roles of Mimecast and Customer under the DPA?

    For the purposes of the GDPR and other Applicable Data Protection Law, we act as a Data Processor with respect to Personal Data transferred by customers via the Services and we Process such data only in accordance with the Customer’s documented Instructions. Where the CCPA applies, we act as a ‘service provider’ and the Customer is the ‘business’. This is set out in the preamble of Mimecast’s DPA.

    Which Customer entities can be a party to the DPA?

    Customers who contract directly with Mimecast or who purchase through a reseller but have a services agreement directly with Mimecast may be a party to the DPA. Further details can be found in the “How this DPA Applies” section of the DPA. If you purchase our services through an MSP, distributor, or otherwise have a different contractual relationship in place with us, please contact your MSP, distributor, or your Mimecast Representative for clarification.

    Can our affiliates be a party to Mimecast’s DPA?

    Because the DPA is an addendum to our services agreement, it should be entered into by the Customer entity who is a party to the services agreement and the Mimecast entity providing the Services. However, the DPA expressly covers any of your Authorized Affiliates who are subject to Applicable Data Protection Law, provided they are Permitted Users under your services agreement with us. The limitations of liability in the services agreement apply to the DPA (as well as any Standard Contractual Clauses). Neither you, nor your Authorized Affiliates are able to recover more than once in respect of the same claim under the DPA.

    How can we execute Mimecast’s DPA?

    The DPA is an addendum to the Mimecast services agreement. Customers who have a services agreement in place with Mimecast may download a copy of our pre-signed DPA. Once it has been countersigned by an authorized representative from your organization and acknowledged by your Mimecast Representative, it will become a legally binding agreement between us. Further details on how to execute the DPA can be found in the “How to Execute this DPA” section of the DPA.

    What data does Mimecast process?

    The categories of data processed through Mimecast’s Services are determined by you. Mimecast’s processing details for our different service offerings can be found here.

    Where is my data stored?

    The Hosting Jurisdiction of your data will be indicated in the Services Order issued to you by Mimecast.

    What technical and organizational measures are in place?

    Mimecast has implemented appropriate technical and organizational measures to protect the data you entrust to us as part of Mimecast’s Services. It is important to note that we have no control over the volume, categories, and sensitivity of Personal Data Processed through the Services by you or your Permitted Users. We publish the technical and organizational measures on the Trust Center so that you are able to evaluate and determine if they are satisfactory for the protection of the Personal Data that you Process through our Services.

    Details of Mimecast’s various attestations, certifications, and any accompanying reports may be found on our Trust Center.

    For those customers and prospects who wish to take a deeper dive into Mimecast’s controls, policies, and certifications, Mimecast makes available a Security Pack which includes copies of Mimecast’s Information Security & Business Continuity Policies, ISO certifications, external penetration test reports and our independently audited SOC 2 Report. Mimecast’s Confidential Security Pack is available to those customers and prospects who have signed confidentiality terms with us. If you would like to receive a copy, please reach out to your Mimecast Representative.

    Can we ask Mimecast to agree to our own security measures?

    No. Given that Mimecast provides standardized services within a multi-tenant environment, we are unable to accept customer-specific security requirements as we have no means of implementing these across our shared platform. If you have questions regarding Mimecast’s technical and organizational measures or security practices, please reach out to your Mimecast Representative.

    Does Mimecast transfer personal data to Third Countries? If so, what valid transfer mechanisms are in place?

    Yes. As is common in the SaaS industry, we may engage our Affiliates as part of our ‘Follow-the-Sun’ support model which enables us to offer the service levels and support set out in our Service Level Agreement. In addition, and as mentioned below, we also engage certain Third-Party Subprocessors to assist with the provision of Services. For further details, including the valid transfer mechanisms we have put in place, please refer to our Transfer Impact Assessment.

    We have a DPA in place which incorporates the ‘old’ Standard Contractual Clauses (SCCs) – can we get these updated?

    Yes. If you need to update your current DPA with Mimecast to include the ‘new’ SCCs adopted by the European Commission on 4 June 2021, please download our pre-signed SCC Amendment here (available in both English and German). Alternatively, you may download and countersign our most recent DPA, which incorporates the ‘new’ SCCs by reference.

    Does Mimecast engage subprocessors?

    Yes. As is common practice in the SaaS industry, Mimecast engages Third-Party Subprocessors to assist with the provision of certain Services. Mimecast takes measures to evaluate the data privacy and security practices of each Third-Party Subprocessor prior to permitting the Processing of any Personal Data. We enter into written data processing agreements with all our Third-Party Subprocessors which include commitments regarding their security and data protection controls, including onward transfers.

    Details of Mimecast’s Third-Party Subprocessors (including their processing locations and reason for transfer) can be found here.

    How will Mimecast notify me of new subprocessors?

    Notice of changes to Mimecast’s Third-Party Subprocessors may be provided to you electronically, including but not limited to a notice in the Mimecast Administrative Console of the Services, updates on the Trust Center, and/or in an email (provided you have subscribed to such Trust Center updates via Mimecast’s online Preference Center). Further details are found in clause 8 of Mimecast’s DPA.

    How will Mimecast notify me in the event of a Security Breach?

    In the event of a declared Security Breach, Mimecast will notify Customers without undue delay and in no event later than 48 hours, with periodic updates to follow. Customers will be notified through their Administrative Console and/or via email or telephone, using the then-current contact information held in Mimecast’s database. It is the Customer’s responsibility to notify Mimecast of any changes to this contact information.

    Can we be notified within 24 hours instead of 48 hours of a Security Breach?

    We provide services in a multi-tenant environment and, as such, are unable to agree to bespoke notification requirements on a customer-by-customer basis that are not aligned with our standard, audited security incident response process. If a Security Breach impacts multiple customers, we cannot effectively manage differing customer notification requirements, as this would slow down our incident response and could hinder the investigation and remediation we are conducting. Under our DPA we contractually commit to notification in no event later than 48 hours. This is a shorter timeframe than the GDPR requires of a Processor, which is only notification to the controller “without undue delay” (Article 33(2)).

    What happens upon termination of the Services? Do we automatically get our data back?

    Once the Services come to an end, we will, at your request, assist you with the return of a copy of your data. Please note that our Services include functionality which allows you to extract a copy of your data at any time, including upon termination. Should you not wish to do this yourself, you may engage us in a professional services project to assist you. Additional fees may apply. Upon termination of your Services (and, where agreed, upon return of a copy of your data pursuant to the above), we will delete your data in accordance with our data deletion processes (unless applicable laws require it to be retained).

    How are data subject access requests handled?

    If we receive a Data Subject Request and it is clear from the nature of the request that you are the applicable controller without us having to conduct an independent investigation, we will refer the Data Subject to you (unless otherwise required by applicable law).

    Please note that our Services already incorporate functionalities (such as conducting searches, exporting data etc.) to enable Customers to respond to a DSAR themselves. Further details of these tools can be viewed here. If you do not wish to make use of these functionalities and require our assistance, you may engage us in a professional services project to assist you. Additional fees may apply.

    How will Mimecast assist us if we need to conduct a Data Protection Impact Assessment?

    We understand that you may need to conduct Data Protection Impact Assessments from time to time as required under applicable data privacy regimes, which is why we have published information on our Trust Center to assist our customers with their compliance journeys.

    For those customers who wish to take a deeper dive into Mimecast’s controls, policies, and certifications, the Confidential Security Pack described above (under “What technical and organizational measures are in place?”) includes copies of Mimecast’s Information Security & Business Continuity Policies, ISO certifications and our independently audited SOC 2 Report. It is available to customers who have signed confidentiality terms with us; to receive a copy, please reach out to your Mimecast Representative.

    Is Mimecast certified under the EU-U.S. Data Privacy Framework, the UK extension and the Swiss-U.S. Data Privacy Framework?

    Mimecast has submitted its self-certification application under the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Further details may be viewed here.

    Has Mimecast appointed a Data Protection Officer and, if so, how can they be reached?

    Yes. Mimecast’s Data Protection Officer is Michael Paisley. Mimecast’s DPO may be reached at DPO@mimecast.com or privacy@mimecast.com.

    What if we have additional data privacy-related questions regarding the Services?

    If you have any additional questions about how Mimecast processes Customer Data, please reach out to your Mimecast Representative.
