Exponential-e Ltd

Cloud Email Security (Mimecast Email Security M2A)

Make email safer with Mimecast M2A. Mimecast extends traditional gateway security with Targeted Threat Protection that addresses ransomware, impersonation, spear-phishing and other advanced threats. An independent archive protects data from human error, technical failure and malicious intent while providing accessibility for employees and admins.


  • Comprehensive email security including protection from weaponized attachments
  • Protection from malicious URLs and impersonation attacks
  • Highly secure and resilient offsite, cloud-based perpetual email archive
  • Email attachment scanning to control/block sensitive information
  • Efficient management through an integrated web console
  • Keep employees secure and productive.
  • Easy to use add-in for Outlook, Mac and mobile apps


  • Highly secure and resilient offsite, cloud-based email archive
  • All features managed through a single, web-based console.
  • Full email and attachment scanning to control/block sending sensitive information
  • Advanced security capabilities
  • Continuity service with RPO / RTO
  • Mimecast plug-in for Outlook; apps available for iOS, Android and Windows

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Microsoft Office 365
Cloud deployment model Public cloud
Service constraints See Service Level Agreement
System requirements
  • An existing messaging platform
  • On Premise Exchange, Office 365, Google Apps

User support

Email or online ticketing support Email or online ticketing
Support response times 4 hour SLA for first line support
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Exponential-e will use reasonable endeavours to ensure that the availability of the service purchased by the customer in a given calendar month equals the applicable Availability Commitment. Target Availability - 99.9%
Support available to third parties Yes

Onboarding and offboarding

Getting started Exponential-e is able to offer on-boarding through a variety of technologies and techniques, including access to the Mimecast connect wizard for a guided, step-by-step implementation process.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The customer may extract their data through EML or PST format provided by Mimecast. At the end of the term and/or if the contract is terminated, the Service Migration provisions will apply. If customised data transportation is required, an off-boarding service request must be raised via the Exponential-e Service Desk. Because those services are not included within Exponential-e’s G-Cloud catalogue entry, and thus do not fall within the Framework Agreement and Call Off Agreement, Exponential-e’s standard terms and conditions for professional services would apply.
End-of-contract process At the point of termination, all customer data, accounts and access will be permanently deleted after the aforementioned data has been extracted, and will not be able to be subsequently recovered or restored.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service On mobile devices the service is provided through a mobile application rather than the browser plug-in.
Service interface No
What users can and can't do using the API Yes, these are available as custom-built APIs, dependent on the application.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation
  • Web and application console interfaces can be customized
  • Secure messaging
  • Large file send
  • Sync and Recover
  • Internal email protect


Independence of resources We continuously monitor the utilisation of our underlying grid architecture data centre and ensure that additional infrastructure is deployed to maintain a 30% buffer to maximum utilisation.


Service usage metrics Yes
Metrics types Graphical or Tabular reporting around message flow, bandwidth usage. Provided on a scheduled basis. Customer Service reports around threats and product feature usage.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra support
Organisation whose services are being resold Mimecast

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Via secure FTP download or the provision of an encrypted disk
Data export formats Other
Other data export formats
  • EML
  • PST
Data import formats Other
Other data import formats
  • EML
  • PST

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network Exponential-e are a Stage 2 accredited HSCN CN-SP and our network operability conforms to HSCN Framework Obligations.

Availability and resilience

Guaranteed availability https://www.mimecast.com/globalassets/documents/termsandconditions/sla_and_support_terms.pdf
Approach to resilience https://www.mimecast.com/globalassets/documents/termsandconditions/sla_and_support_terms.pdf
Outage reporting https://www.mimecast.com/globalassets/documents/termsandconditions/sla_and_support_terms.pdf

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Authentication can be accomplished via a Mimecast cloud password, Active Directory pass-through authentication, Mimecast’s 2-step Authentication, ADFS, Azure AD, and SAML 2.0 compliant authentication platforms for two factor authentication and SSO. Active Directory integration is performed via LDAP/LDAP(S).
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 13/04/2018
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 13/04/2018
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover Details available on request.
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 22301
  • ISO 20000
  • ISO 9001
  • ISO 50000
  • ISO 14001
  • Cyber Essentials PLUS
  • Commissum Information Assurance Certification
  • PIMS 686040

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards Exponential-e are a Stage 2 accredited HSCN CN-SP and our network operability conforms to HSCN Framework Obligations.
Information security policies and processes Mimecast’s information security policies and processes are in alignment with ISO27001 and NIST

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach High impact changes have been identified and are subject to a documented change control procedure which includes support tracking, approved workflows, and fall back procedures. Updates to the service follow a regular schedule and the impact is communicated to relevant parts of the business and customers. Changes to systems that could impact or compromise existing security and control procedures are subject to review by the Mimecast Information Security Team prior to acceptance.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Mimecast monitors vendor security bulletins for vulnerabilities to platforms in use and utilizes several vulnerability scanners which both continually scan and provide static analysis of the environment for new vulnerabilities. Vulnerability results are correlated against events and suspicious activities logged within the organization's SIEM. The severity of vulnerabilities is assessed based on their impact and likelihood, and risks are adjusted accordingly against both manual analysis and system events. Critical discovered vulnerabilities are discussed within one working day of the vulnerability being discovered. Mimecast has the capability to roll out patches globally within minutes if required.
Protective monitoring type Supplier-defined controls
Protective monitoring approach System and network logs are aggregated to a centralized SIEM and configured for alerting and monitoring by the Security team.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Mimecast has a formal incident reporting process. All Mimecast staff who deal with client systems are trained on what constitutes an information security event and how to report it. The incident management roles and responsibilities of Mimecast staff, contractors and third parties are formalized and documented. Mimecast has established an Incident Response Team, which also includes regional incident handlers for each territory of operation. Mimecast implements the SANS Institute Six-Step Incident Response Methodology, which covers: 1. Preparation; 2. Identification; 3. Containment; 4. Eradication; 5. Recovery; and 6. Follow-up and Lessons Learnt.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £104.31 per user per year
Discount for educational organisations No
Free trial available No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)