Trust Matters at Mimecast

by Elizabeth Ruhl - Director, Governance, Risk and Compliance at Mimecast

Mimecast recently announced it has completed two important third-party security assessments: the Health Insurance Portability and Accountability Act (HIPAA) Security Compliance Assessment and the Service Organization Control 2 Type 1 (SOC 2 Type 1) Independent Service Audit. Both third-party reports affirm the security, availability and integrity of Mimecast’s operations and applications, and reflect Mimecast’s commitment to making email safer for business.

Trust is the foundation of our business, and security, privacy and data protection are built into everything we do. This is why we regularly update and maintain certifications and audit reports, which allow us to be transparent to our customers and partners.

Transparency in reporting.
The SOC Reporting Framework allows companies to communicate how their products and services meet the Trust Principles of security, availability, processing integrity, confidentiality and privacy. It is a meaningful way for companies to describe their internal controls to customers, prospective customers and partners through an internationally accepted independent audit. Mimecast understands the importance of these trust principles to our customers, partners, shareholders and investors. SOC reports are intended to meet the needs of a broad range of users who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. They extend our ability to demonstrate trust, transparency and meaningful controls beyond our Information Security Management System (ISMS), already certified under ISO 27001 (information security management) and ISO 27018 (controls for the protection of personally identifiable information in the public cloud), to the service environment Mimecast provides to our customers.

Protecting confidential customer healthcare data.
The HIPAA Privacy, Security and Breach Notification Rules, as updated by the HIPAA Final Omnibus Rule in 2013, set forth how certain entities, including most healthcare providers, must protect and secure patient information. The Health Information Technology for Economic and Clinical Health (HITECH) Act directly regulates Business Associates (BAs) and imposes on them the same privacy and security obligations required of Covered Entities (CEs). Mimecast is a Business Associate for several customers, and we sign Business Associate Agreements (BAAs) with those customers. This means the company has legal, regulatory and contractual obligations to protect Mimecast customer information, including electronic Protected Health Information (ePHI). Mimecast’s HIPAA/HITECH Security Compliance Assessment Report is available on request to prospects that sign the appropriate NDA, and to existing customers under the confidentiality terms of their service agreement.

Interested in learning more? Contact us for additional information about our certifications and audit reports.