Large File Send and Secure Messaging Services Privacy Statement

    LFS & SM Privacy Statement

    Large File Send and Secure Messaging Services Privacy Statement

    Effective 15 April 2022

    This Large File Send and Secure Messaging Services Privacy Statement (the “Statement”) provides you with information about how Mimecast processes and protects your personal data while delivering email and other content to you on behalf of our customers who have subscribed to our services (the “Services”). If you received an email containing login credentials enabling you to access content within a communication originally sent by one of our customers (the “Sender”), this Statement describes the categories of your personal data that Mimecast is processing on behalf of the Sender, as well as the processing operations, locations of processing and the security measures we have in place to protect your personal data while it is processed. At the end of this Statement, we provide you with contact information in the event you have any questions regarding how we process personal data.

    If you have any questions or concerns regarding how to access an email that was sent to you by one of our customers, please contact the Sender for more information. Alternatively, you may review the login troubleshooting article which may provide assistance with routine issues:

    Categories of Personal Data

    The following are categories of personal data that have been provided to us by the Sender in order for us to deliver the Services:

    • First and last name
    • Email address

    Locations of Processing

    Mimecast is a global company with offices throughout the world, including support locations in Europe, North America, Australia, and South Africa. Our customers are located in these jurisdictions and across the world. Depending where the Sender of the email is located, your personal data is processed in one of the following countries:

    • United Kingdom
    • Germany
    • South Africa
    • United States
    • Canada
    • Australia

    Security of Processing

    Mimecast employs the following technical and organizational measures to protect your personal data while it is processed:

    • Organized Information Security Structure. Our information security structure includes full-time dedicated trained/certified security personnel who report directly into Mimecast’s leadership team.
    • Information Security Management System. Our ISMS is assessed by external auditors and currently receives attestations for ISO 27001, ISO 27018, SOC II Type 2.
    • Protection of Physical Access. Mimecast has implemented measures designed to protect physical assets processing personal data, including industry certified third-party production data centers.
    • Limited System Access. We permit only approved, authenticated users to access our systems containing personal data.
    • Limited Data Access. Only designated personnel are permitted to access certain personal data under explicit authorization levels.
    • Data Transmission/Storage/Destruction. We use strong encryption during the transmission of personal data within our production data centers and personal data is encrypted at rest when stored within our service.
    • Confidentiality and Integrity. We ensure that our personnel are trained in various application security and secure coding practices and we employ a robust Secure Development Lifecycle.      
    • We maintain a robust Business Continuity/Disaster Recovery program.
    • Data Separation. We use logical separation within our multi-tenant architecture to enforce data segregation between our customers.
    • Incident Management. We maintain an up-to-date incident response plan that is regularly tested which identifies responsibilities, assessments, classifications and response plans.
    • We regularly test, assess and evaluate the effectiveness of these technical and organizational measures.

    For more detailed information about these measures, please click here.

    Contact Us

    If you have any questions regarding why your personal data was provided to us for processing, we encourage you to contact the Sender of the initial email you received. If you have any other questions about this Statement or any requests concerning your Personal Data, you can submit them to our Data Protection Officer by email to, or otherwise contact us at: 

    Attn: Data Protection Officer
    191 Spring Street
    Lexington, MA 02421 USA
    +1 (617) 393-7050

    Depending on the nature of your relationship with us, you will be able to exercise certain privacy rights by submitting a request through our DSAR portal here.  Please note that if we are not the controller of your personal data, you are encouraged to contact the Sender in order to more effectively administer your data privacy request.

    Back to Top