2019 State of Email Security Report
Actionable steps to improve your organization’s email security and cyber resilience.
Welcome to Mimecast! Mimecast is a global company, with offices in Europe, North America, Australia, United Arab Emirates, and South Africa. We serve companies that have offices in those jurisdictions and across the world. Our website (the “Site”), located at www.mimecast.com, provides information about our products and services and is operated by Mimecast Services Limited. Mimecast Services Limited has a registered office at 6th Floor, Citypoint, One Ropemaker Street, London, United Kingdom, EC2Y 9AW (registered in England and Wales, 4901524).
For individuals in Europe, please be advised that our local operating entities are Mimecast Services Limited and Mimecast Germany GmbH. Mimecast Germany GmbH has a registered office at Parkstadt Schwabing, Lyonel-Feininger-Straße 26, 80807 München, Germany (Registration: HRB 234744).
To note, if your company engages Mimecast to provide Mimecast’s products and services (collectively, the “Services”), your company and Mimecast will enter into a separate user agreement that will, among other things, govern the use of all of the information and data collected and maintained by Mimecast in connection with the operation of the Services, including data collected through certain features made available to customers through the Site. Any agreement between your company and Mimecast will take precedence over any conflicting provision in this Privacy Statement. Your user agreement applies to your use of our customer portal, and any Personal Data provided or generated by creating your user account and your use of the customer portal.
If you have questions about this Privacy Statement or our practices regarding your Personal Data, you can reach us by using the contact information provided below.
This Privacy Statement was last updated on September 11, 2019.
We generally collect contact and business information as well as other details of your engagement with Mimecast and use it to provide, improve, and develop our business and the Services we offer and to provide you support when you need it. We also may use the Personal Data to communicate with you, for example, about your account, security updates and product information. We also may use aggregated security data to protect our customers and the broader internet from threats.
The Personal Data we collect includes:
In some instances, we may combine one type of information with another, and store them together in our records. In all cases, however, we strive to limit the amount of Personal Data we collect and store.
We ask that you not send or otherwise share with us any sensitive Personal Data, which includes but is not limited to your government-issued ID numbers (e.g. Social Security number, national identification number, or driver’s license number), racial or ethnic information, political or religious opinions, or your health information.
We collect Personal Data in a variety of ways including:
As it is in our legitimate interest to be responsive to you and to ensure the proper functioning of our Services and organization, we will use your Personal Data in the following ways:
If you consent, or where we are permitted under applicable law, we will send you information we think you will find useful about our Services or, at your request, subscribe you to our newsletters and alerts concerning the Services we provide. You are able to change your subscription preferences anytime though our Preference Center by clicking here.
We may obtain information from third parties to combine with the Personal Data we have gathered as described in this Privacy Statement in order to improve our marketing activities and to ensure the Personal Data we hold are relevant and up-to-date. Also, if we provide a means for you to refer a third party to the Site, we will send the third party an email on your behalf with details about the Site. You can unsubscribe to emails by following the unsubscribe instructions in our Preference Center by clicking here, through marketing email communications sent to you, or you can raise a request via our dedicated online portal here or by post at the address provided below. We provide additional information about your Data Subject Rights and how you may exercise them below.
We share your Personal Data as described in this Privacy Statement or as necessary to provide any Services you have requested or authorized. We share Personal Data with Mimecast-controlled affiliates, partners, properly vetted sub-processors and third party service providers throughout the world, when required by law, to protect the security our customers with respect to the information that passes through our Services, as well as to protect the rights or property of Mimecast.
We do not sell or rent your Personal Data to third parties. We do not share Personal Data, except as expressly provided in this Privacy Statement. We share your Personal Data with the following recipients for the following reasons (keep in mind that all of these third parties and reasons may not be applicable to you):
Your Personal Data may be transferred to Mimecast-controlled affiliates and properly vetted sub-processors throughout the world. Your Personal Data may also be transferred to our third-party service providers who are under contractual obligations to ensure the safety and confidentiality of such data. Personal Data collected within the European Economic Area (“EEA”) may be transferred to countries outside of the EEA. We utilize a variety of mechanisms to ensure the security and legitimacy of these transfers.
The Personal Data that we collect from you will be transferred to, stored and processed by our affiliates, properly vetted sub-processors and third party service providers. These parties are engaged in, among other things, the provision of our Services, as well as support services, and maintenance and operation of the Site. By submitting your Personal Data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this Privacy Statement. Each Mimecast subsidiary and affiliate receiving your Personal Data is bound by an Intercompany Agreement that complies with the standard contractual clauses for the transfer of Personal Data to controllers established in third countries set out in the European Commission Decision 2010/87/EU. All sub-processors and third party service providers are under appropriate contractual obligations to ensure the safety and confidentiality of your Personal Data.
We have a dedicated internal security organization that implements and operates a comprehensive set of security controls to protect your Personal Data.
At Mimecast, we are committed to maintaining the security of the Personal Data we collect from activity on this Site and from other marketing efforts, as well as through our Services. We have therefore implemented technical and operational measures that are intended to reduce the risk of accidental destruction or loss, or the unauthorized disclosure or access to Personal Data that are collected either through our marketing efforts or the Services. You can learn more about our technical and organizational measures by clicking here.
These technical and organizational measures are periodically reviewed and enhanced as necessary and only authorized personnel have access to Personal Data. While we use all reasonable efforts to prevent the loss or misuse of your Personal Data, we cannot guarantee the security of any Personal Data you submit via the Site or that the Personal Data that you supply will not be intercepted while being transmitted to and from us over the Internet. Therefore, you acknowledge and agree that we assume no liability regarding the theft, loss, alteration, or misuse of your Personal Data, including, without limitation, such Personal Data that has been provided to third parties or other users, or with regards to the failure of a third party to abide by the agreement between us and such third party.
In addition to the Personal Data described above, we collect technical data and other information when you use our Services or visit our Site. You provide some of this Personal Data directly, such as when you register for a webinar, administer your organization’s Mimecast account, or contact us for support. We collect some of it by recording how you interact with our Site by, for example, using technologies like cookies or collecting basic device information like your browser type. We provide more information about cookies below.
When you visit the Site, our systems automatically collect the following information about your visit (“Other Data”):
We also collect your public IP address (the unique address which identifies your computer on the internet). This IP address is typically collected on a country or regional level. We collect your IP address to verify that requests are legitimate and we may automatically cross-reference your public IP address with your domain name (identified collectively as “IP Information”). "Other Data" does not include IP Information.
We use this Other Data and IP information to assist us in:
We do not use Other Data and IP Information to learn any information about you personally but it may be associated by us or our third party service providers with Personal Data that has been provided by you or otherwise available to or held by us. The collection of this Other Data and IP Information will cease once your use of the Site has ceased, depending on your use of our Services your IP Information may still be collected. However, the Other Data and IP Information collected may be retained, accessed, and used by us as long as necessary for the purposes described herein.
We (or our third party service providers) may collect your Personal Data using cookies, pixel tags, web beacons, embedded web links, and similar technologies for:
For example, we use Google Analytics, a web analytics service provided by Google, Inc., to evaluate your use of the Site, compile reports on activity, and provide other services relating to Internet usage. Google Analytics uses first-party cookies that store information, such as what time the current visit occurred, whether the visitor has been to the web page before, and what site referred the visitor to the web page.
We have also implemented Display Advertising Remarketing with Google Analytics to advertise online. This means that third-party service providers, including Google, display our ads on sites across the Internet and that we and third-party service providers, including Google, use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie, see: http://www.google.com/doubleclick) together to inform, optimize, and serve ads based on your past visits to the Site.
By using the Site, you consent to the processing of data about you by Google in the manner and for the purposes set out above. If you choose, you can opt out of the processing of data about you by Google for Display Advertising and/or customize the ads by using Google's Ads Settings at: http://www.google.com/settings/ads. You can opt out of the processing of Personal Data about you by Google generally by turning off cookies in the preferences settings in your browser, or by downloading and installing Google Analytics Opt-out Browser Add-on at http://tools.google.com/dlpage/gaoptout. The Google Analytics Opt-out Browser Add-on does not prevent information from being sent to the Site itself or to other web analytics services.
For more information on Google Analytics, please visit: https://www.google.com/analytics/.
You can choose to reject certain collection technologies (such as cookies) but then you might not be able to take advantage of many of our features. You can read more about cookies here.
Our Site is not directed at children. Mimecast does not knowingly accept online Personal Data from children under the age of 18 through our Site. If you are under 18 or otherwise would be required to have parent or guardian consent to share Personal Data with Mimecast through our Site, you should not send any information about yourself to us through our Site.
The Site shall, from time to time, contain links to external sites. Our Privacy Statement does not apply to these other sites. We are not responsible for the privacy policies or the content of such sites and you should familiarize yourself with such policies upon use of those sites.
You have rights with respect to the processing of the Personal Data that you have provided to us. For example, you may view, edit, delete, or move your Personal Data. In certain circumstances, you may object or withdraw your consent to certain processing of your Personal Data. You may also lodge a complaint with a supervisory authority. Any of these rights may be exercised at any time. For customers of our customers, please contact your system administrator. For Mimecast direct customers/partners/contacts, you can exercise your rights via our dedicated online portal here. NOTE: We may ask you to verify your identity.
Personal Data rights. You have the right to access and receive a copy of Personal Data that we hold about you, to rectify any Personal Data held about you that is inaccurate or, in certain circumstances, request the deletion of Personal Data held about you. You also have the right of data portability for Personal Data you have provided to us – this means that you can obtain a copy of your Personal Data in a commonly used machine-readable electronic format so that you can manage and move it, or request that we send it to a third party. You may have the right to restrict or object to the processing of your Personal Data by us, including for direct marketing. You can exercise your rights via our dedicated online portal here.
Marketing. You have the right to ask us not to process your Personal Data for marketing purposes. You can exercise your right to prevent such processing at any time by contacting us at via our dedicated online portal here, or by managing your subscription preferences through our Preference Center by clicking here.
Complaints. In compliance with the Privacy Shield Principles, Mimecast commits to resolve complaints about our collection or use of your Personal Data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact our dedicated online portal here and we will respond to your request. This is without prejudice to your right to file a claim with a supervisory authority (e.g. the Information Commissioner’s Office in the UK). If you have an unresolved concern relating to your Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) JAMS for more information or to file a complaint.
We will occasionally update this Privacy Statement. When we do, we will post a prominent notice in this section of this Privacy Statement notifying users when it is updated. For material changes (i.e., substantially new practices you wouldn’t expect from us or that we didn’t previously tell you about), we may decide to give you notice via email.
To subscribe to notifications for changes to this and other GDPR related information, please click here and subscribe to the “GDPR Documents” feed.
We have a global data protection officer and team to provide you the support you need.
General Privacy Inquiries: Please submit any questions, concerns or comments you have about this Privacy Statement or any requests concerning your Personal Data to our Data Protection Officer by email to firstname.lastname@example.org, or writing to us at:
Mimecast North America, Inc.
Attn: Trust Department
191 Spring Street
Lexington, MA 02421 USA
+1 (617) 393-7050