Data Privacy & Information Security

Find out more about or approach to data processing, privacy, and information security.

Summary of Data Privacy & Information Security

Technologies Sensopia Inc., based in Canada, is the data controller for the magicplan App, Cloud, and Website. enapt GmbH in Germany, the parent company, is also responsible for data processing. All data is hosted on Amazon Web Services (AWS) in the United States. The organizations have established a clear agreement that outlines the data protection responsibilities of each company. Additionally, the privacy policy is in compliance with GDPR and addresses various aspects of data protection.

magicplan implements various measures to ensure security, including strict organizational controls, regular effectiveness checks, external audits, and penetration tests. magicplan shares insights into its cybersecurity program, technical architecture, access management, storage locations, and development security operations. The commitment to information security is further demonstrated through regular training, adherence to secure coding standards, and the presence of disaster recovery plans. The information provided is current as of June 2023. 

Table of Contents

1. Responsible Data Controller 
2. Privacy Policy & GDPR
3. Technical & Organizational Measures
   1. 3.1 Access Control 
   2. 3.2 Information Security 
   3. 3.3 Entry Control
   4. 3.4 Job Control
   5. 3.5 Separation Control
   6. 3.6 Relay Control
   7. 3.7 Availability and Resilience (Article 32 (1) (b) GDPR) 
   8. 3.8 Organizational Control
   9. 3.9 Effectiveness Checks
   10. 3.10 Hosting, Data Center Location, and Infrastructure 
   11. 3.11 Application Security and Assurance
   12. 3.12 Third-Party Back Office Applications

Legal Documentation Below

---

1. Responsible Data Controller

• The responsible data controller for the “magicplan” App, Cloud, and Website, is Technologies Sensopia Inc., 465 Rue St Jean, Suite #1003, Montréal, Québec, H2Y 2R6, Canada („Sensopia“).
• enapt GmbH, Goethestr. 25A, 80336 Munich, Germany („enapt“) is the German parent company of Technologies Sensopia, Inc.
• Sensopia and its affiliated parent company enapt are jointly responsible data processors. In this respect, the companies have defined in an agreement which of them fulfills which data protection obligation. The essential content of this agreement is available to you from Sensopia or enapt on request.
• enapt has an external Data Protection Officer:
  PROLIANCE GmbH / datenschutzexperte.de
  Leopoldstr. 21
  80802 München
  Germany
  Email: datenschutzbeauftragter@datenschutzexperte.de
• For further questions or inquiries please contact: security@magicplan.app

2. Privacy Policy & GDPR 

• Privacy Policy for the App magicplan
• Privacy Policy for the website magicplan.app
• Social Media Privacy Policy
• Data Protection Information For Applicants
• Information on data protection regarding our processing of customer and prospect data pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)

3. Technical & Organizational Measures

3.1 Access Control

• All entrances to the building are secured with locks. Employees get access with a registered key.
• Service providers and freelancers also get access to the building with a registered key.
• Keys are issued only to authorized persons. It is documented which persons have access to the building. If an employee or other authorized person leaves, the key is returned and documented.
• Visitors have to ring the bell and are picked up by an employee at the door. Strangers do not stay in the office unaccompanied.
• All windows in the office are lockable from the inside.
• Servers are not owned by Enapt GmbH or Technologies Sensopia Inc., magicplan is hosted by Amazon Web Services. The technical and organizational measures of the contractors apply. For more information see section 3.10.

3.2 Information Security

• HR documents are housed in a lockable cabinet. Only staff responsible for human resources management have access to it.
• Only authorized persons have access to digital documents.
• Hardware is locked away when not in use for a long time
• Paper files are locked away when not in use for a long time.
• The stock of hardware is documented and recorded digitally. The issue and return of hardware to employees are digitally documented.
• Different levels of access are regulated so that each employee only receives the privileges in the IT system, which they also need for their activities.
• An authorization concept applies.
• Each employee has an individual user account with their own password.
• There is a password policy. Depending on the application, the complexity and length of the password is technically forced.
• Depending on the application, changing the password is technically enforced and user access is blocked after multiple incorrect entries.
• There is a time-controlled automatic screen lock of the PCs/laptops.
• Employees are instructed to lock their screens when leaving the workplace.
• The WLAN is encrypted with WPA 2.
• The number of system administrators is limited to the bare minimum.
• There is a clean desk policy.

3.3 Entry Control

• Logging of the activities of the IT system itself for all security-related aspects at the operating system level.
• Logging of the activities of IT administrator activities at the level of individual computers.
• Installation of new software only from the Apple App Store or certified developers. Software can only be ordered via a central office and is purchased and purchased through secure providers.
• Exclusive use of mobile data carriers left by the company and purchase centrally by the IT department. Purely internal use.

3.4 Job Control

• Order processing contracts are concluded according to Art. 28 GDPR.
• Clear design of the order processing contracts.
• Control of technical and organizational measures of contractors.
• Return or deletion of data after completion of the contract ensured by contractual arrangements.

3.5 Separation Control

• Separation of data concerning different customers/clients by multi-client capable system at the application level.
• Separation of data that is processed for different purposes, through multi-client-enabled system at the application level or through the use of different applications with different data storage.
• There is a deletion concept.

3.6 Relay Control

• WLAN backup according to the WPA2 standard.
• Private Wi-Fi available.
• SSL data encryption when transferring data electronically.
• The e-mail communication is provided with a transport encryption. Sensitive data is transmitted in encrypted ZIP folders.
• Disposal of unneeded paper files with a shredder.
• Disposal of data CDs / DVDs with a shredder.

3.7 Availability and Resilience (Article 32 (1) (b) GDPR)

• Relevant data is available as cloud backup and is redundantly mirrored by authorized persons.
• Fire extinguishers, surge protection, smoke detectors on-site.
• There is an emergency plan for the failure of the IT infrastructure.
• There is an emergency plan for data breaches.
• There are clear reporting channels for emergencies (both IT emergencies and data breaches).
• Notification of IT administrators in case of disruptions of the IT system.

3.8 Organizational Control

• All employees are obliged to confidentiality.
• All employees have completed training on data protection.
• There is a privacy policy.
• A procedure for risk assessment and risk management has been established and documented.
• There is a guideline for working in the home office.
• There is a guideline for the use of company internet access and the company e-mail account.

3.9 Effectiveness Checks

• Regular checks on the effectiveness of the technical and organizational measures.
• Regular monitoring whether and to what extent existing measures still comply with requirements and corporate development. In addition, authorizations, used hardware, etc. are checked and adjusted on a case-by-case basis (eg staff change).
• After reports by partners/service providers, event-related analyses of the present protocols are carried out.
• The maintenance of the internal systems is the responsibility of a trained IT specialist (internal employee) for system integration.
• Unusual events and alerts are reported to management and appropriate action is taken.
• Audit by external service providers, every two years.
• Penetration tests are carried out based on the application.

3.10 Hosting, Data Center Location and Infrastructure

• Data is hosted in the United States in Amazon Webservices data centers.
• AWS is an active participant of the EU-U.S. Data Privacy Framework: https://www.dataprivacyframework.gov/list 
• AWS data centers and network architecture meet the requirements of the most security-sensitive organizations. AWS Customer Agreement: https://aws.amazon.com/agreement/ 
• AWS has certificates issued in relation to the ISO 27001 certification, the ISO 27017 certification, and the ISO 27018 certification.
• AWS has implemented and will maintain robust technical and organizational measures for the AWS network. More on AWS Cloud Security: https://aws.amazon.com/security/
• AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident.
• The AWS GDPR Data Processing Addendum has been contracted:  https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
• AWS will process customer data only in accordance with customer instructions. The Supplementary Addendum on Customer Data Requests has been contracted: https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf

3.11 Application Security and Assurance

• Access to live databases is handed to developers on a need-to-know basis, depending on CEO approval
• A list of employees authorized to access customer data is available and regularly updated.
• Data between apps and systems is exclusively transmitted using industry-standard encryption technology
• Employees have been educated for GDPR compliance and explicitly self-committed.
• Access credentials are stored and organized using industry-standard encryption technology and clear access privilege rules are established.

3.12. Third-Party Back Office Applications

• HubSpot
• ClickUp
• Aircall
• Apollo
• AWS
• GitHub
• Google G Suite
• MailJet
• Slack
• Sentry
• Google Firebase
• Microsoft Office 365

Last Updated: April 2025