Find out more about or approach to data processing, privacy, and information security.
1. Responsible Data Controller
- The responsible data controller for the “magicplan” App, Cloud, and Website, is Technologies Sensopia Inc., 465 Rue St Jean, Suite #1003, Montréal, Québec, H2Y 2R6, Canada („Sensopia“).
- enapt GmbH, Goethestr. 25A, 80336 Munich, Germany („enapt“) is the German parent company of Technologies Sensopia, Inc.
- Sensopia and its affiliated parent company enapt are jointly responsible data processors. In this respect, the companies have defined in an agreement which of them fulfills which data protection obligation. The essential content of this agreement is available to you from Sensopia or enapt on request.
- enapt has an external Data Protection Officer:
PROLIANCE GmbH / datenschutzexperte.de
Leopoldstr. 21
80802 München
Germany
Email: datenschutzbeauftragter@datenschutzexperte.de - For further questions or inquiries please contact: security@magicplan.app
2. Privacy Policy & GDPR
- Data Protection Information For Applicants
- Information on data protection regarding our processing of customer and prospect data pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
3. Technical & Organizational Measures
3.1 Access Control
- All entrances to the building are secured with locks. Employees get access with a registered key.
- Service providers and freelancers also get access to the building with a registered key.
- Keys are issued only to authorized persons. It is documented which persons have access to the building. If an employee or other authorized person leaves, the key is returned and documented.
- Visitors have to ring the bell and are picked up by an employee at the door. Strangers do not stay in the office unaccompanied.
- All windows in the office are lockable from the inside.
- Servers are not owned by Enapt GmbH or Technologies Sensopia Inc., magicplan is hosted by Amazon Web Services. The technical and organizational measures of the contractors apply. For more information see section 3.10.
3.2 Information Security
- HR documents are housed in a lockable cabinet. Only staff responsible for human resources management have access to it.
- Only authorized persons have access to digital documents.
- Hardware is locked away when not in use for a long time
- Paper files are locked away when not in use for a long time.
- The stock of hardware is documented and recorded digitally. The issue and return of hardware to employees are digitally documented.
- Different levels of access are regulated so that each employee only receives the privileges in the IT system, which they also need for their activities.
- An authorization concept applies.
- Each employee has an individual user account with their own password.
- There is a password policy. Depending on the application, the complexity and length of the password is technically forced.
- Depending on the application, changing the password is technically enforced and user access is blocked after multiple incorrect entries.
- There is a time-controlled automatic screen lock of the PCs/laptops.
- Employees are instructed to lock their screens when leaving the workplace.
- The WLAN is encrypted with WPA 2.
- The number of system administrators is limited to the bare minimum.
- There is a clean desk policy.
3.3 Entry Control
- Logging of the activities of the IT system itself for all security-related aspects at the operating system level.
- Logging of the activities of IT administrator activities at the level of individual computers.
- Installation of new software only from the Apple App Store or certified developers. Software can only be ordered via a central office and is purchased and purchased through secure providers.
- Exclusive use of mobile data carriers left by the company and purchase centrally by the IT department. Purely internal use.
3.4 Job Control
- Order processing contracts are concluded according to Art. 28 GDPR.
- Clear design of the order processing contracts.
- Control of technical and organizational measures of contractors.
- Return or deletion of data after completion of the contract ensured by contractual arrangements.
3.5 Separation Control
- Separation of data concerning different customers/clients by multi-client capable system at the application level.
- Separation of data that is processed for different purposes, through multi-client-enabled system at the application level or through the use of different applications with different data storage.
- There is a deletion concept.
3.6 Relay Control
- WLAN backup according to the WPA2 standard.
- Private Wi-Fi available.
- SSL data encryption when transferring data electronically.
- The e-mail communication is provided with a transport encryption. Sensitive data is transmitted in encrypted ZIP folders.
- Disposal of unneeded paper files with a shredder.
- Disposal of data CDs / DVDs with a shredder.
3.7 Availability and Resilience (Article 32 (1) (b) GDPR)
- Relevant data is available as cloud backup and is redundantly mirrored by authorized persons.
- Fire extinguishers, surge protection, smoke detectors on-site.
- There is an emergency plan for the failure of the IT infrastructure.
- There is an emergency plan for data breaches.
- There are clear reporting channels for emergencies (both IT emergencies and data breaches).
- Notification of IT administrators in case of disruptions of the IT system.
3.8 Organizational Control
- All employees are obliged to confidentiality.
- All employees have completed training on data protection.
- There is a privacy policy.
- A procedure for risk assessment and risk management has been established and documented.
- There is a guideline for working in the home office.
- There is a guideline for the use of company internet access and the company e-mail account.
9. Effectiveness Checks
- Regular checks on the effectiveness of the technical and organizational measures.
- Regular monitoring whether and to what extent existing measures still comply with requirements and corporate development. In addition, authorizations, used hardware, etc. are checked and adjusted on a case-by-case basis (eg staff change).
- After reports by partners/service providers, event-related analyses of the present protocols are carried out.
- The maintenance of the internal systems is the responsibility of a trained IT specialist (internal employee) for system integration.
- Unusual events and alerts are reported to management and appropriate action is taken.
- Audit by external service providers, every two years.
- Penetration tests are carried out based on the application.
3.10 Hosting, Data Center Location and Infrastructure
- Data is hosted in the United States in Amazon Webservices data centers.
- AWS data centers and network architecture meet the requirements of the most security-sensitive organizations. AWS Customer Agreement: https://aws.amazon.com/agreement/
- AWS has certificates issued in relation to the ISO 27001 certification, the ISO 27017 certification, and the ISO 27018 certification.
- AWS has implemented and will maintain robust technical and organizational measures for the AWS network. More on AWS Cloud Security: https://aws.amazon.com/security/
- AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident.
- The AWS GDPR Data Processing Addendum has been contracted: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
- AWS will process customer data only in accordance with customer instructions. The Supplementary Addendum on Customer Data Requests has been contracted: https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf
3.11 Application Security and Assurance
- Access to live databases is handed to developers on a need-to-know basis, depending on CEO approval
- A list of employees authorized to access customer data is available and regularly updated.
- Data between apps and systems is exclusively transmitted using industry-standard encryption technology
- Employees have been educated for GDPR compliance and explicitly self-committed.
- Access credentials are stored and organized using industry-standard encryption technology and clear access privilege rules are established.
3.12. Third-Party Back Office Applications
- HubSpot
- Monday.com
- ClickUp
- Aircall
- Seamless.AI
- Tableau
- Google G Suite
- MailJet
- Slack
- Atlassian: Trello, Confluence, Jira
- Segment
- Google Firebase
- Microsoft Office 365
4. Frequently Asked Questions
What are the key aspects of your Cybersecurity Program?
- magicplan has a Cybersecurity Program overseen and managed by designated staff as well as an external data protection consultant.
- We are regularly monitoring for malicious or unrecognized activity.
- We document system configuration changes and monitor user access levels.
- Our Server Administration vendor applies contractually documented security updates to production servers monthly.
- magicplan employees use two-factor authentication whenever possible.
- No telecommunications equipment or services covered in the list of excluded parties in the System for Award Management (SAM) by the US government (https://www.sam.gov) is used in the production or maintenance of magicplan.
- All magicplan staff complete certified cyber security training annually.
What is the technical architecture of the magicplan App and Cloud?
- All data is stored on the user's mobile device (Android or Apple iOS) and then synced to Amazon Web Services hosting infrastructure.
- Data is encrypted in-transfer.
- magicplan is not hosting any customer data on its own servers.
- The magicplan mobile application can be used offline to create and edit projects, exports are generated and stored in the cloud-hosted by Amazon Web Services data centers.
How is access to the system and data handled?
- Access to magicplan for end-users: All accounts are password protected. Mandatory Email confirmation of every magicplan user to authenticate the user.
- Administrators of a workspace have access to all projects of their end-users within that workspace. Team administrators have access to all projects of their end-users within that specific team. End Users of a workspace who are not administrators can only see and edit their own projects. Workspace Administrators can add to and remove users from their workspace independently.
- Technical: magicplan will process customer data only in accordance with our license agreement, privacy policies, and Terms & Conditions. Anonymized data is used for assessing product performance and product improvements.
Do you offer Single Sign-on with Google or Active Directory?
- SSO is possible via SAML/OAuth for Enterprise customers.
Where is data stored?
- Data is stored within the United States on Amazon Web Services hosting infrastructure. AWS data centers and network architecture meet the requirements of the most security-sensitive organizations.
Do magicplan developers have access to data or images of users?
- Personalized user data is accessible to trained technical staff on a need-to-know basis - meaning staff in customer support and technical support. As Technologies Sensopia Inc is a daughter company of the EU-based Enapt GmbH, magicplan handles personal data in compliance with GDPR and therefore fulfills the highest information security standards for handling personal data.
- All employees are trained in information security and data privacy awareness and on-boarding/off-boarding checklists are in place.
What are your Development Security Operations practices?
- Clear and strict access management is in place.
- security@magicplan.app is used as an inbox for any security-related information. Each request is reviewed quickly and thoroughly, sensitively handled disclosures are rewarded with bounty payments.
- Server systems are monitored for availability.
- AWS Web Application Firewall is set up to detect and prevent suspicious activity.
- Application-level error monitoring is in place and centrally collected. Issues are monitored constantly and tracked.
- Bi-yearly automated penetration tests are being established.
How do you protect the application in production from unauthorized changes?
- The production environments are only accessible by authorized employees who are responsible for deployments and maintenance. Authorized employees are documented.
- MFA is required to access production hosting accounts.
- We use personalized accounts for production access, and only with Public/Private keys.
- An Administration firm is contracted to monitor systems and do regular security updates on the systems.
How do you enforce separation between development and production?
- The entire development environment is reproducible locally for development using a number of docker containers. No access to either Staging or Production systems is needed for developers to work on the systems and test their code.
- magicplan has a Production System and a Staging System. There are no inter-dependencies. They are technically as close as possible but managed using fully-separated AWS accounts.
- magicplan uses separated credentials for external systems (e.g. separated accounts for payment providers).
Do you have a secure coding standard?
- Code is reviewed by at least one peer before being merged.
- We are keeping our technical dependencies current in order to have security patches as soon as possible.
- We aim to use the frameworks use to their full extent security-wise (e.g. CORS middlewares).
- Scanning for OWASP is part of regular penetration testing.
- Code is lined and statically analyzed to catch especially mistakes early.
- There is a centralized permission checking module in place to ensure customer-data separation.
What are your processes for security testing of code?
- Regularly scheduled code reviews.
- Tasks and changes are monitored for security-relevant changes manually.
Do you take regular back-ups and keep them in a separate and safe place?
- A formal backup strategy has been implemented, and automated tools are used to perform scheduled backups.
- The user is responsible for implementing backups of the magicplan virtual appliance configuration and content on their device.
How do you ensure recipient names are correct before sending an email, especially when sending sensitive content?
- Mandatory Email confirmation for every magicplan user.
How do you share secure passwords for encrypted documents?
- We are using a company-own on-time-use secrets encryption tool.
How do you train your employees in information security awareness
- Online training courses on
- fundamentals of data protection and privacy, breach notification, and information security
- GDPR compliant behavior;
- awareness of fishing or other tricks to get staff to give out personal details.
- Instructions on
- Use of strong passwords (Tool: 1Password);
- Polite and appropriate customer communication. magicplan does not tolerate offensive or disrespectful behaviour.
- Comprehensive documentation in staff handbook (online guide).
Do documented business continuity and disaster recovery plans exist?
- Defined and implemented recovery objectives and business continuity and disaster recovery plans exist.
Describe how you deploy firewall, anti-spyware and virus-checking tools on your system?
- An external Server Administration vendor applies security updates to production servers monthly.
- All updates are contractually documented.
Last Updated: August 2022