Mimecast Transfer Impact Assessment

    Data privacy regulations are designed to protect Personal Data (as defined in our standard Data Processing Addendum) and, accordingly, impose obligations on organizations that collect, process, and/or store Personal Data, no matter where they may be located. Mimecast is committed to compliance with those data privacy regulations which are applicable to the services we provide as a processor of Personal Data (as defined in applicable data protection regulations), and to assist our customers in their compliance efforts as well. This document aims to provide our customers who are data exporters from the European Economic Area ("EEA")/European Union ("EU") or the United Kingdom (“UK”) with the information they need when completing their own data transfer impact assessments pursuant to the Schrems II decision and the standard contractual clauses.

    Section 1: Overview

    What Products/Services does Mimecast provide?

    We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide. An overview of the different Products offered by Mimecast can be viewed here.

    What types of Personal Data does Mimecast process?

    Our customers control Customer Data (defined in our General Terms and Conditions) processed via Mimecast’s services, and Personal Data within Customer Data that may relate to any end users (including employees, customers, or suppliers) as further described in Mimecast’s Processing Details. No sensitive data or special categories of data are intended to be processed through the services but may be contained in the content of, or attachments to, messages. Customers remain responsible for any further compliance requirements which may apply to such Personal Data including ensuring a lawful basis for processing.

    Contractual basis for processing

    Where Mimecast processes Personal Data as a data processor, Mimecast complies with the obligations set out in Mimecast’s General Terms and Conditions and, where the customer has opted to sign a data processing agreement, Mimecast’s Data Processing Addendum (“DPA”). The DPA includes the data processor obligations required under Art. 28 GDPR and incorporates dynamic links to Mimecast’s Processing Details, Third-Party Subprocessors, and Technical and Organizational Measures. The DPA also incorporates the EU SCCs and UK Addendum (as defined below).

    Where do we process and store Personal Data?

    Depending on the Services purchased, Personal Data is processed and stored in the Hosting Jurisdiction selected by our customers upon onboarding. Primary Hosting Jurisdictions are located in Germany, UK, South Africa, Jersey, USA, Australia, and Canada. All Hosting Jurisdictions are identified on our Customer ordering documentation.

    Additionally, pursuant to Section 2 below, Personal Data may be processed in these regions, as well as others identified on the Trust Center, for the purposes of providing technical support, ensuring the proper working of the services, and/or as otherwise identified in Mimecast’s General Terms and Conditions.

    Section 2: Details of Data Transfers

    Mimecast Support

    Mimecast is a global organization with a “follow the sun” support model. Customer Data, primarily message metadata (e.g., to/from email addresses, headers, dates), may be accessed by our personnel globally for the purposes of providing technical support, ensuring the proper working of the services, and/or as otherwise identified in our General Terms and Conditions. Message content would generally be accessed by support personnel when a customer submits a request which includes the necessary data. Support may be provided from any of our Support Locations.

    Any manual access rights are restricted to a small set of Mimecast personnel who have been approved by Mimecast’s security team, assigned specific permissions, and are under a duty of confidentiality. Access to the content of messages by Mimecast personnel requires a logged reason, and the activity is visible in our customers’ audit logs. Additionally, such access is logged in Mimecast’s internal Security Information and Event Management System and monitored by Mimecast’s security team. Security and privacy controls are consistent across the organization, and Personal Data will be as protected as if it were resident within the Hosting Jurisdiction.

    For cross-border transfers for the purposes described above, Mimecast affiliates have entered into an Intercompany Agreement which incorporates the Standard Contractual Clauses as a data transfer mechanism.

    Third-Party Subprocessors

    Mimecast engages Third-Party Subprocessors to assist with the provision of certain services. Mimecast takes measures to evaluate the data privacy and security practices of each Third-Party Subprocessor prior to permitting the processing of any Personal Data. We enter into written data processing agreements with all our Third-Party Subprocessors which include commitments regarding their security and data protection controls, including onward transfers. As required under applicable data protection regulations, we remain liable for the acts and omissions of these Third-Party Subprocessors.

    Details of Mimecast’s Third-Party Subprocessors (including their processing locations and reason for transfer) can be found here.

    Section 3: Adequate Safeguards

    The EU and the UK have granted adequacy decisions to certain countries that offer a level of protection of Personal Data comparable to that of the EU and the UK. These adequacy decisions are published here:

    • https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
    • https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation

    For those countries without an adequacy decision, Mimecast currently relies on standard contractual clauses, as approved by the relevant supervisory authority or applicable law, as a valid transfer mechanism.

    • For transfers from the EU, Mimecast implements the standard contractual clauses set out in the European Commission’s Decision 2021/914 of 4 June 2021 (“EU SCCs”), with the appropriate module(s) selected (e.g., controller-to-processor, or processor-to-processor).

    • For transfers from the UK, Mimecast implements the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018 (“UK Addendum”).

    Mimecast has implemented Technical and Organizational Measures designed to protect Personal Data. This includes encrypting Personal Data with a high standard of encryption while at rest and in transit. Mimecast has deployed an Information Security Management System (ISMS) that serves as the foundation of our information security practices. Mimecast and its ISMS have been and continue to be assessed by an independent, external auditor and currently hold attestations under:

    1. ISO 27001
    2. ISO 22301
    3. ISO 27701
    4. SOC II Type 2
    5. CSA STAR Level 2
    6. CJIS ACE
    7. IRAP

    Details of Mimecast’s various attestations, certifications, and any accompanying reports may be found on our Trust Center.

    For those customers and prospects who wish to take a deeper dive into Mimecast’s controls, policies and certifications, Mimecast makes available a Security Pack which includes copies of Mimecast’s Information Security & Business Continuity Policies, ISO certifications and our independently audited SOC Report. Customers and prospects should reach out to their Mimecast Representative for further details.

    Section 4: US Surveillance Laws

    On June 21, 2021, the European Data Protection Board (EDPB) published guidance on the Schrems II decision, which recommended that data importers provide data exporters with information to assess whether there is a risk to Personal Data being subject to mass surveillance or unauthorized access where the EU/UK has determined the regulations of the data importer’s country are inadequate.

    Transfers to the US

    For certain services and Hosting Jurisdictions, Mimecast makes onward transfers to Third-Party Subprocessors in the U.S. Technical support may also be provided by Mimecast’s Affiliate in the U.S.

    Is Mimecast subject to U.S. Executive Order 12333 ("E.O. 12333")?

    No. E.O. 12333 is a general directive organizing U.S. intelligence activities and does not contain any authorizations for U.S. agencies or authorities to compel private companies to disclose personal data.

    Is Mimecast subject to 50 U.S.C. § 1881A (also known as S.702 of the Foreign Intelligence Surveillance Act, "FISA S. 702")?

    Mimecast Services Limited is a UK-headquartered entity with affiliates incorporated worldwide, including in the U.S. (see our locations listed here). From time to time, Mimecast North America, Inc. may receive U.S. government requests, subpoenas, and court orders, including those issued by the Foreign Intelligence Surveillance Court under FISA S. 702.

    Does Mimecast fall within the definition of “Electronic Communications Service Provider” under FISA S. 702?

    “Electronic Communications Service Provider” is defined broadly and encompasses telecommunication carriers, providers of electronic communications services, and remote computing services (e.g., cloud storage providers). The Department of Justice has also confirmed that other communications service providers that have access to wire or electronic communications (in transit or in storage) are included in the definition. Under this broad definition, Mimecast (as a cloud storage provider) would be considered an electronic communications provider.

    How would Mimecast respond to government requests to access personal data of our customers?

    We do not disclose Customer Data in response to government requests unless we are required to do so to comply with applicable laws, regulations, legally valid subpoenas or binding court orders. From time to time, Mimecast North America, Inc. receives U.S. government requests, subpoenas and court orders, including those issued by the Foreign Intelligence Surveillance Court under FISA S. 702.

    It is often the case that Mimecast either does not have or is not the appropriate source for the data requested. Mimecast offers a cloud-based subscription service for email management. We do not host our customers’ email servers.

    We carefully review any government requests we receive to ensure they satisfy applicable law, and we respond in accordance with our General Terms and Conditions. Where allowed by law, Mimecast will provide reasonable prior written notice to the customer to permit the customer to seek a protective order, and will provide reasonable assistance to customers wishing to challenge the validity of the order (at the customer’s expense). Mimecast will disclose only that data which is reasonably necessary to meet the applicable legal order or requirement.

    What safeguards are in place in the U.S. for governmental access to data?

    The Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (“E.O.”), signed by the U.S. President on 7 October 2022, introduces new binding safeguards to address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020, by limiting access to EU data by U.S. intelligence services and establishing a Data Protection Review Court. Specifically, the E.O. provides for:

    • Binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security;
    • The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court (‘DPRC') to investigate and resolve complaints regarding access to their data by U.S. national security authorities; and
    • A requirement that U.S. intelligence agencies review their policies and procedures to implement these new safeguards.

    The E.O. may be viewed here: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/

    To what extent can individuals enforce rights and seek redress in relation to both data protection infringements and public disclosure / surveillance activity through judicial and/or administrative processes?

    The E.O. creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal data collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.: https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

    Section 5: Risk to Data Subjects

    Risk Assessment

    The transfer of Personal Data to Mimecast is an integral part of the services which Mimecast provides to its customers.

    Mimecast offers a cloud-based subscription service for email management. We do not actually host our customers’ email servers. Therefore, Mimecast does not believe that it holds personal data that is of interest to U.S. authorities. Relevant data would be more likely held by other vendors, and U.S. authorities would be likely to approach those other vendors directly.

    Further, it should be noted that for most services, the applicable Hosting Jurisdiction and retention periods are selected by our customers. Therefore, if the customer does not select the U.S. as its Hosting Jurisdiction, there would be limited data transferred or accessed in the U.S., except for the purposes described in Section 3. Once our customer’s selected retention period has expired, Customer Data is deleted in accordance with Mimecast’s data deletion policies, unless otherwise required by applicable law.

    Based on the information provided herein, the residual risk to data subjects as a result of a transfer to the U.S. via Mimecast services would be considered to be low and a significant risk of harm does not appear to be present. Based on this assessment, the protection measures set out in Section 3 above, together with the additional safeguards provided under the E.O., would be deemed sufficient to limit the risk of harm to data subjects.
