On the 25th of May, 2018, the European Union will bring into force a regulation called GDPR. The General Data Protection Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data, ensuring data protection as a fundamental right of EU residents.
Companies with business or customers in the EU need to ensure they’re GDPR-compliant, while also ensuring that their providers (like Magiclane Inc) are GDPR-compliant. We write this to affirm that Magiclane Inc is, in fact, GDPR-compliant, and strictly enforces the EU’s regulation for the protection and storage of user data. Our Data Processing Agreement is kept up to date and has a list of our providers (data processors) available at all times.
Magiclane Inc and GDPR
The General Data Protection Regulation is summarized in the points below. In the following article, we identify and explain what the crux of this EU law is, and elucidate how Magiclane Inc is compliant with the GDPR. If you have any doubts, you can always contact us and we’ll help you.
We also maintain that all of Magiclane Inc’s backend partners, (like Stripe and GDC) are also GDPR compliant. For more information about this, you can refer to our DPA to see a full list of providers.
We at Magiclane Inc have made sure that all our employees responsible for software development and infrastructure maintenance are aware of the GDPR’s data requirements.
Also, code reviews are performed by the Data Protection Officers (as listed in this article) before any code deployment to the platform. This ensures that security breaches and bad practices are not introduced by e.g. a third-party temporary contractor or a Magic Lane employee, even one aware of GDPR requirements (this acts as a second human safety check).
Information we hold
Magiclane Inc stores data on 2 kinds of parties:
- Companies that use our products, i.e. our customers who pay us.
- The customers of the companies that use our products, i.e. their customers who pay them.
Magiclane Inc never shares, re-sells, or distributes any kind of data, and the data from neither of these parties is used for advertising. Our business model and revenue stream are based solely on paid subscriptions (i.e. neither our users nor their users are our product).
Information held on our users
Magiclane Inc collects account information on behalf of our customers, and that information is limited to:
- The customer’s first and last name, email and profile picture
- Their payment details (includes invoicing information, e.g. company address and country — the credit card number is stored by Stripe)
Our system logs an IP address, our customers’ agents and the time of connection. These are used solely for debugging and for lawful purposes, and we retain this information for a maximum of 1 year. This log retention policy is subject to the law of the United States (i.e. if the judiciary system sends us a search warrant, we have to respond and provide up to 1 year of logs containing the requested information).
Information held on our customers’ end-users
Information held on our customers’ end-users includes:
- Their email address (if provided by end-user, thus involving a consent)
- Their phone numbers (if provided by end-user, thus involving a consent)
- Their message exchanges
- Their activity date and time
- Their IP address
- Basic profile information
- Any other information given by our customers
Information on our dashboard given to us by the customers’ end-users is the sole responsibility of the company in question (i.e. the individual websites using Magiclane Inc). It is the responsibility of these companies and individuals to manage the data they hold in their personal Magiclane Inc Dashboard, i.e. to remove sensitive data if their end-users happen to share it with them (e.g. Social Security Numbers, Aadhaar Numbers etc.). It is Magiclane Inc’s responsibility to restrict access to this data, so that only website operators can access it and exercise the right to rectification and deletion.
Communicating Privacy Information
We at Magiclane Inc believe not only in consent, but informed consent. Our Privacy Information aims to explain in clear terms the privacy terms for Magiclane Inc customers and users.
The privacy terms of our client companies (i.e. the websites that use Magiclane Inc) are the sole responsibility of Magiclane Inc’s customers and should be announced on our customers’ website.
The crux of the GDPR is to provide citizens of the EU bloc a fundamental right: Data Protection. Under the ambit of this, various rights are awarded to our customers.
- The right to be informed: We here at Magiclane Inc strive to clearly inform our users about the use that will be made of their data
- The right of access: We’ve made sure that all our users can access all their data, without restriction, from the Magiclane Inc apps
- The right of rectification: You can simply contact us at email@example.com, and we’ll help you process all your rectification queries
- The right of erasure: Again, it’s as simple as contacting us at firstname.lastname@example.org, and we’ll process all your erasure queries
- The right to restrict processing: We don’t externally process our customers’ data (or our customers’ end-users’ data)
- The right to data portability: Our customers can contact us at email@example.com if they would like to get an export of their data at any time. This process often takes time given our isolated data stores.
- The right to object: The Magiclane Inc team is ready to handle all requests on this matter from our users and users’ end-users; you can simply contact us.
- The right not to be subject to automated decision-making including profiling: Magiclane Inc doesn’t do that.
Subject access requests
Magiclane Inc makes it a point to reply to all access requests (positively or negatively) within 2 weeks (the legal limit under GDPR is 1 month). We offer this free of charge for all our customers (paid and free).
A lawful basis for processing personal data
Magiclane Inc only stores user transmission data that involves consent (emails, or chats, where a conversation was initiated by will by both parties).
Consent is provided by our customers explicitly when performing an action or task (e.g. when they provide user data).
Data transmission can be automated using Magiclane Inc, using webhooks and/or email. This data must have been provided by the customer’s user with consent, as it will be propagated to Magiclane Inc automatically (if the customer implemented such an API in their source code).
Magiclane Inc does not, and will not offer online services to children by virtue of being a B2B company, which is why we don’t have age restrictions for users signing up for our services.
We understand, however, that children might interact with one of our Live Chat tools from the websites or apps of a Magiclane Inc customer. In this case, it is the responsibility of the company to check their own users and activities regarding children regulations.
The Magiclane Inc team closely monitors our systems and searches for any unauthorized attempts at access. We have various measures to reduce the likelihood of any attacks, which is proven by our track record of data security. In more than 2 years, Magiclane Inc has had 0 major security issues.
We make a point of constantly staying on our toes, so we welcome researchers and users to submit security flaws. We distribute bounties for valid security flaws that are presented to us in a responsible manner.
In aid of that, we undertake a few measures to protect our customers’ data.
- Serve only on HTTPS.
- Use strong password hashes.
- Aggressive use of firewalls and network isolation in our infrastructure.
- Use of 2-Factor-Authentication on all our sensitive accounts (eg. hosting provider, etc.)
- Isolate data stores and sensitive backends.
Data Protection by Design and Data Protection Impact Assessments
When Magiclane Inc develops new software, we ensure that security development is a parallel build. All Magiclane Inc developers are rigorously trained in software and network security, ensuring that every product you use of ours is state of the art.
Data Protection Officers
Magic Lane designated a Data Protection Officer, as required by GDPR:
Name : Vinod H I
Email : firstname.lastname@example.org
Address : 212/A, Magic Lane Inc, 1st Main Road, Domlur 2nd Stage, Bangalore, India – 560071