Processing of (personal) data by the entity in charge of the online application process

1. Responsible Data Controller

• The responsible data controller for the “magicplan” App, Cloud, and Website, is Technologies magicplan Inc., 1275 Avenue des Canadiens-de-Montréal, 5th Floor, Montreal, QC H3B 0G4, Canada („magicplan“).
• enapt GmbH, Goethestr. 25A, 80336 Munich, Germany („enapt“) is the German parent company of Technologies magicplan, Inc.
• magicplan and its affiliated parent company enapt are jointly responsible data processors. In this respect, the companies have defined in an agreement which of them fulfills which data protection obligation. The essential content of this agreement is available to you from magicplan or enapt on request.

• magicplan is committed to protecting your personal data in accordance with applicable data protection and privacy regulations, including the EU General Data Protection Regulation (GDPR). In this context, magicplan’s internal Compliance Team acts as the company’s Data Protection Officer (DPO).

  You can contact our compliance team regarding any data protection or privacy-related matters at: security@magicplan.app.

  Our compliance team is responsible for:

  • Monitoring ongoing compliance with data protection laws and internal policies

  • Responding to data subject rights requests (access, rectification, erasure, etc.)

  • Cooperating with supervisory authorities

  • Advising the organization on its obligations under applicable data protection laws

2. Privacy Policy & GDPR 

• Privacy Policy for the App magicplan
• Privacy Policy for the website magicplan.app
• Social Media Privacy Policy
• Data Protection Information For Applicants
• Information on data protection regarding our processing of customer and prospect data pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
• 
  

3. Technical & Organizational Measures

The measures outlined in this section reflect our adherence to internationally recognized security standards, including SOC 2 and ISO/IEC 27001, and are designed to meet the data protection principles and requirements set forth by the General Data Protection Regulation (GDPR).

3.1 Access Control

• All entrances to the building are secured with locks. Employees get access with a registered key.
• Service providers and freelancers also get access to the building with a registered key.
• Keys are issued only to authorized persons. It is documented which persons have access to the building. If an employee or other authorized person leaves, the key is returned and documented.
• Visitors have to ring the bell and are picked up by an employee at the door. Strangers do not stay in the office unaccompanied.
• All windows in the office are lockable from the inside.
• Servers are not owned by Enapt GmbH or Technologies magicplan Inc., magicplan is hosted by Amazon Web Services. The technical and organizational measures of the contractors apply. For more information see section 3.10.
• 
  

3.2 Information Security

• HR documents are housed in a lockable cabinet. Only staff responsible for human resources management have access to it.
• Only authorized persons have access to digital documents.
• Hardware is locked away when not in use for a long time
• Paper files are locked away when not in use for a long time.
• The stock of hardware is documented and recorded digitally. The issue and return of hardware to employees are digitally documented.
• Different levels of access are regulated so that each employee only receives the privileges in the IT system, which they also need for their activities.
• An authorization concept applies.
• Each employee has an individual user account with their own password.
• There is a password policy. Depending on the application, the complexity and length of the password is technically forced.
• Depending on the application, changing the password is technically enforced and user access is blocked after multiple incorrect entries.
• Multi-factor authentication (MFA) or single sign-on (SSO) is enforced wherever supported for user access.
• There is a time-controlled automatic screen lock of the PCs/laptops.
• Employees are instructed to lock their screens when leaving the workplace.
• The WLAN is encrypted with WPA 2.
• The number of system administrators is limited to the bare minimum.
• There is a clean desk policy.
• 
  

3.3 Entry Control

• Logging of the activities of the IT system itself for all security-related aspects at the operating system level.
• Logging of the activities of IT administrator activities at the level of individual computers.
• Installation of new software only from the Apple App Store or certified developers. Software can only be ordered via a central office and is purchased and purchased through secure providers.
• Exclusive use of mobile data carriers left by the company and purchase centrally by the IT department. Purely internal use.
• 
  

3.4 Job Control

• Order processing contracts are concluded according to Art. 28 GDPR.
• Clear design of the order processing contracts.
• Control of technical and organizational measures of contractors.
• Return or deletion of data after completion of the contract ensured by contractual arrangements.
• 
  

3.5 Separation Control

• Separation of data concerning different customers/clients by multi-client capable system at the application level.
• Separation of data that is processed for different purposes, through multi-client-enabled system at the application level or through the use of different applications with different data storage.
• There is a deletion concept.
• 
  

3.6 Relay Control

• WLAN backup according to the WPA2 standard.
• Private Wi-Fi available.
• SSL data encryption when transferring data electronically.
• The e-mail communication is provided with a transport encryption. Sensitive data is transmitted in encrypted ZIP folders.
• Disposal of unneeded paper files with a shredder.
• Disposal of data CDs / DVDs with a shredder.
• 
  

3.7 Availability and Resilience (Article 32 (1) (b) GDPR)

• Relevant data is available as cloud backup and is redundantly mirrored by authorized persons.
• Fire extinguishers, surge protection, smoke detectors on-site.
• There is an emergency plan for the failure of the IT infrastructure.
• There is an emergency plan for data breaches.
• There are clear reporting channels for emergencies (both IT emergencies and data breaches).
• Notification of IT administrators in case of disruptions of the IT system.
• 
  

3.8 Organizational Control

• All employees are obliged to confidentiality.
• All employees have completed training on data protection.
• There is a privacy policy and a data management policy.
• A procedure for risk assessment and risk management has been established and documented.
• There is a guideline for working in the home office.  
• There is a guideline for the use of company internet access and the company e-mail account.
• 
  

3.9 Effectiveness Checks

• Regular checks on the effectiveness of the technical and organizational measures.
• Regular monitoring whether and to what extent existing measures still comply with requirements and corporate development. In addition, authorizations, used hardware, etc. are checked and adjusted on a case-by-case basis (eg staff change).
• After reports by partners/service providers, event-related analyses of the present protocols are carried out.
• The maintenance of the internal systems is the responsibility of a trained IT specialist (internal employee) for system integration.
• Unusual events and alerts are reported to management and appropriate action is taken.
• Audit by external service providers, every two years.
• Penetration tests are carried out based on the application.
• 
  

3.10 Hosting, Data Center Location and Infrastructure

• Data is hosted in the United States in Amazon Webservices data centers.
• AWS is an active participant of the EU-U.S. Data Privacy Framework: https://www.dataprivacyframework.gov/list 
• AWS data centers and network architecture meet the requirements of the most security-sensitive organizations. AWS Customer Agreement: https://aws.amazon.com/agreement/ 
• AWS has certificates issued in relation to the ISO 27001 certification, the ISO 27017 certification, and the ISO 27018 certification.
• AWS has implemented and will maintain robust technical and organizational measures for the AWS network. More on AWS Cloud Security: https://aws.amazon.com/security/
• AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident.
• The AWS GDPR Data Processing Addendum has been contracted:  https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
• AWS will process customer data only in accordance with customer instructions. The Supplementary Addendum on Customer Data Requests has been contracted: https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf
• 
  

3.11 Application Security and Assurance

• Access to live databases is handed to developers on a need-to-know basis, depending on CEO approval
• A list of employees authorized to access customer data is available and regularly updated.
• Data between apps and systems is exclusively transmitted using industry-standard encryption technology
• Employees have been educated for GDPR compliance and explicitly self-committed.
• Access credentials are stored and organized using industry-standard encryption technology and clear access privilege rules are established.
• 
  

3.12. Third-Party Back Office Applications

• HubSpot
• ClickUp
• Aircall
• AWS
• GitHub
• Google G Suite
• MailJet
• Slack
• Sentry
• Stripe
• Typeform
• Google Firebase
• Microsoft Office 365
• OpenAI
• Antrhopic