Data Privacy & Information Security FAQs

Frequently Asked Questions about magicplan's Data Privacy and Information Security.

We've compiled a list of frequently asked questions (FAQs) regarding magicplan's Data Privacy & Information Security. Your privacy is our top priority, and we want to ensure you have all the information you need to feel secure while using magicplan.

Review our full Data Privacy & Information Security policy here. 

Table of Contents

1. Why do you need my email address?
2. What are the key aspects of your Cybersecurity Program?
3. What is the technical architecture of the magicplan app and cloud?
4. How is access to the system and data handled?

5. Do you offer Single Sign-on with Google or Active Directory?

6. Where is data stored?
7. Do magicplan developers have access to data or images of users?

8. What are your Development Security Operations practices?

9. How do you protect the application in production from unauthorized changes?

10. How do you enforce separation between development and production?

11. Do you have a secure coding standard?

12. What are your processes for security testing of code?

13. Do you take regular back-ups and keep them in a separate and safe place?

14. How do you ensure recipient names are correct before sending an email, especially when sending sensitive content?

15. How do you share secure passwords for encrypted documents?

16. How do you train your employees in information security awareness? 

17. Do documented business continuity and disaster recovery plans exist? 

18. Describe how you deploy firewall, anti-spyware and virus-checking tools on your system?

Frequently Asked Questions 

1. Why do you need my email address? 

• magicplan requires users to provide their email address for essential account management purposes. The email address is a unique identifier, enabling us to securely authenticate users, manage account-related activities, and communicate important updates such as account verifications, password resets, and relevant notifications.
• magicplan does not use your email address for marketing purposes without your consent.
• We prioritize the privacy and security of your information, ensuring that your email address is handled with the utmost confidentiality. It is not shared with third parties for marketing purposes, and we are committed to complying with data protection regulations to safeguard your personal information.
• By collecting your email address, we aim to provide a personalized and secure experience within the Magicplan platform while keeping you informed about important account-related matters.

2. What are the key aspects of your Cybersecurity Program?

• magicplan has a Cybersecurity Program overseen and managed by designated staff as well as an external data protection consultant.
• We are regularly monitoring for malicious or unrecognized activity.
• We document system configuration changes and monitor user access levels.
• Our Server Administration vendor applies contractually documented security updates to production servers monthly.
• magicplan employees use two-factor authentication whenever possible.
• No telecommunications equipment or services covered in the list of excluded parties in the System for Award Management (SAM) by the US government (https://www.sam.gov) is used in the production or maintenance of magicplan.
• All magicplan staff complete certified cyber security training annually.

3. What is the technical architecture of the magicplan App and Cloud?

• All data is stored on the user's mobile device (Android or Apple iOS) and then synced to Amazon Web Services hosting infrastructure.
• Data is encrypted in-transfer.
• magicplan is not hosting any customer data on its own servers.
• The magicplan mobile application can be used offline to create and edit projects, exports are generated and stored in the cloud-hosted by Amazon Web Services data centers.

4. How is access to the system and data handled?

• Access to magicplan for end-users: All accounts are password protected. Mandatory Email confirmation of every magicplan user to authenticate the user.
• Administrators of a workspace have access to all projects of their end-users within that workspace. Team administrators have access to all projects of their end-users within that specific team. End Users of a workspace who are not administrators can only see and edit their own projects. Workspace Administrators can add to and remove users from their workspace independently.
• Technical: magicplan will process customer data only in accordance with our license agreement, privacy policies, and Terms & Conditions. Anonymized data is used for assessing product performance and product improvements.

5. Do you offer Single Sign-on with Google or Active Directory?

• SSO is possible via SAML/OAuth for Enterprise customers.

6. Where is data stored?

• Data is stored within the United States on Amazon Web Services hosting infrastructure. AWS data centers and network architecture meet the requirements of the most security-sensitive organizations.

7. Do magicplan developers have access to data or images of users?

• Personalized user data is accessible to trained technical staff on a need-to-know basis - meaning staff in customer support and technical support. As Technologies Sensopia Inc is a daughter company of the EU-based Enapt GmbH, magicplan handles personal data in compliance with GDPR and therefore fulfills the highest information security standards for handling personal data.
• All employees are trained in information security and data privacy awareness and on-boarding/off-boarding checklists are in place.

8. What are your Development Security Operations practices?

• Clear and strict access management is in place.
• security@magicplan.app is used as an inbox for any security-related information. Each request is reviewed quickly and thoroughly, sensitively handled disclosures are rewarded with bounty payments.
• Server systems are monitored for availability.
• AWS Web Application Firewall is set up to detect and prevent suspicious activity.
• Application-level error monitoring is in place and centrally collected. Issues are monitored constantly and tracked.
• Bi-yearly automated penetration tests are being established.

9. How do you protect the application in production from unauthorized changes?

• The production environments are only accessible by authorized employees who are responsible for deployments and maintenance. Authorized employees are documented.
• MFA is required to access production hosting accounts.
• We use personalized accounts for production access, and only with Public/Private keys.
• An Administration firm is contracted to monitor systems and do regular security updates on the systems.

10. How do you enforce separation between development and production?

• The entire development environment is reproducible locally for development using a number of docker containers. No access to either Staging or Production systems is needed for developers to work on the systems and test their code.
• magicplan has a Production System and a Staging System. There are no inter-dependencies. They are technically as close as possible but managed using fully-separated AWS accounts.
• magicplan uses separated credentials for external systems (e.g. separated accounts for payment providers).

11. Do you have a secure coding standard?

• Code is reviewed by at least one peer before being merged.
• We are keeping our technical dependencies current in order to have security patches as soon as possible.
• We aim to use the frameworks use to their full extent security-wise (e.g. CORS middlewares).
• Scanning for OWASP is part of regular penetration testing.
• Code is lined and statically analyzed to catch especially mistakes early.
• There is a centralized permission checking module in place to ensure customer-data separation.

12. What are your processes for security testing of code?

• Regularly scheduled code reviews.
• Tasks and changes are monitored for security-relevant changes manually.

13. Do you take regular back-ups and keep them in a separate and safe place? 

• A formal backup strategy has been implemented, and automated tools are used to perform scheduled backups.
• The user is responsible for implementing backups of the magicplan virtual appliance configuration and content on their device.

14. How do you ensure recipient names are correct before sending an email, especially when sending sensitive content?

• Mandatory Email confirmation for every magicplan user.

15. How do you share secure passwords for encrypted documents?

• We are using a company-own on-time-use secrets encryption tool.

16. How do you train your employees in information security awareness

• Online training courses on
  • fundamentals of data protection and privacy, breach notification, and information security
  • GDPR compliant behavior;
  • awareness of fishing or other tricks to get staff to give out personal details.

• Instructions on 
  • Use of strong passwords (Tool: 1Password);
  • Polite and appropriate customer communication. magicplan does not tolerate offensive or disrespectful behaviour.

• Comprehensive documentation in staff handbook (online guide).

17. Do documented business continuity and disaster recovery plans exist? 

• Defined and implemented recovery objectives and business continuity and disaster recovery plans exist. 

18. Describe how you deploy firewall, anti-spyware and virus-checking tools on your system?

• An external Server Administration vendor applies security updates to production servers monthly.
• All updates are contractually documented.