Mimecast Trust Center


    General Data Protection Regulation (GDPR)

    On 25 May 2018, a new European privacy law, the General Data Protection Regulation (GDPR), came into effect. GDPR imposes obligations on companies and government agencies that market to, track, or otherwise handle the personal data of individuals residing in the European Union (EU), whether or not the organisation itself is established in the EU.

    Mimecast is committed to GDPR compliance across our products and services and will provide GDPR related assurances in our contracts.

    Please visit our GDPR area for information on how Mimecast is assisting our customers in achieving GDPR compliance.

    ISO 22301 Certification

    ISO 22301:2012 (a business continuity standard published by ISO, not a joint ISO/IEC standard) specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise. The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature. The extent to which they apply depends on the organization's operating environment and complexity.

    ISO 27001 Certification

    ISO 27001 is the internationally recognised standard for managing risks to the security of the information an organisation holds. Certification to ISO 27001 allows an organisation to demonstrate to its clients and other stakeholders that it manages the security of its information systematically and that an accredited third party has audited this. ISO 27001:2013 (the edition current when this page was written) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving the ISMS.

    ISO 27018 Certification

    ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

    SOC 2 Attestation Reports

    SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to one or more of the five Trust Services categories: security, availability, processing integrity, confidentiality and privacy. They are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls.

    Mimecast North America's SOC 2 Type I report covered the description of Mimecast's system and the suitability of the design of the controls in place, as of a point in time.

    Mimecast has also received a SOC 2 Type II attestation report, which tested the operating effectiveness of Mimecast's global systems and operations over a review period against the Trust Services Criteria (formerly Trust Services Principles) for Security, Availability, Processing Integrity, and Confidentiality. Readers should note that the Privacy category is not listed in the scope of that report.

    Both reports are available on request to prospects that sign the appropriate NDA, and to existing customers under the confidentiality terms of their service agreement.

    Reference: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc2report.aspx


    HIPAA/HITECH Compliance Assessment Report

    The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). The HIPAA Privacy, Security, and Breach Notification Rules, as updated by the HIPAA Final Omnibus Rule in 2013, set forth how certain entities, including most health care providers, must protect and secure patient information. The Health Information Technology for Economic and Clinical Health Act (HITECH) regulates business associates directly, imposing on them the same privacy and security obligations that apply to covered entities.

    Reference: https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf


    UK Gender Pay Gap Report 2018

    Mimecast has met a UK government requirement to publish its gender pay gap data. We believe that greater transparency and accountability will help us demonstrate and improve our commitments to equality and diversity.

    Download: https://www.mimecast.com/globalassets/documents/legal/gender-pay-gap-report-uk-2018.pdf


    Cloud Security Alliance (CSA) STAR Assessment Report

    CSA STAR (Security, Trust, Assurance and Risk) is the Cloud Security Alliance's program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing and harmonization of standards, with continuous monitoring also available as of late 2019. STAR has tiered levels of assurance, from a published self-assessment against the CSA Consensus Assessments Initiative Questionnaire (CAIQ) to independent third-party certification or attestation; the public registry entry linked below records which level applies and the documents submitted. A STAR listing provides multiple benefits, including an indication of cloud security best practices and validation of the security posture of cloud offerings.

    Reference: https://cloudsecurityalliance.org/star-registrant/mimecast/


    IRAP Assessment

    Australia: The Information Security Registered Assessors Program (IRAP), run by the Australian Signals Directorate, endorses independent assessors who evaluate whether a system is suitable to process, store or communicate Australian government or other sensitive information, assessed against the Australian Government Information Security Manual (ISM). An IRAP assessment is an independent report on a system's controls; the decision to authorise use of the system remains with the consuming agency.


    The International Association of Privacy Professionals

    The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource. It helps the Mimecast team develop and advance their privacy expertise and careers, and in turn helps us assist our customers in managing and protecting their data.


    Criminal Justice Information Services (CJIS) Security Policy

    The Criminal Justice Information Services (CJIS) Division of the US FBI sets standards, guidelines and agreements aimed at protecting Criminal Justice Information (CJI). These standards are reflected in the CJIS Security Policy, which describes the appropriate controls to protect the transmission, storage of, and access to that data. There is no central CJIS authorization body or standardized assessment approach for determining CJIS compliance; a vendor's controls are ultimately accepted by each criminal justice agency (and its CJIS Systems Agency) that uses the service. Mimecast therefore engaged CJIS ACE to perform an independent audit of the controls within our Public Sector Grid against the requirements of the CJIS Security Policy. This resulted in Mimecast obtaining a CJIS Ready badge, indicating that those requirements are satisfied across the 13 policy areas of the CJIS Security Policy.