The General Data Protection Regulation (GDPR) is a comprehensive set of regulations made by the European Union that dictates what companies like Mago:Tech must do in order to properly protect our customers' data. Even though we are not a European company, we have many customers in the EU and we fully comply with these regulations. This document explains in simple terms what we're doing in order to ensure compliance.
Note: The full GDPR regulations are extremely long and complicated. This isn't meant to be a comprehensive list of every single thing we do to protect your data, but rather it's a simple summary so that you can have a good idea of the protections we have in place. Please feel free to reach out to us if you have questions about specific items that aren't addressed here.
GDPR is a sweeping regulation that covers many different topics. We will address each of the key points below. This information is intended for our customers, but we extend these protections to anyone who visits our website, uses our software, or otherwise interacts with us in any way.
How GDPR applies to Mago
GDPR defines three parties:
- Data subject - This is the person about whom data is being stored and used. Anyone that you enter into your CRM (i.e. your customer) is a data subject.
- Data controller - This is the person or company that is using the data that's being stored. You (our customer, and a user of Mago) are a data controller.
- Data processor - These are companies that create tools to actually store and take advantage of the data. We (Mago:Tech) are a data processor.
The data controller and processor each have different responsibilities to ensure that we are acting legally and ethically. This document explains what we do to comply with GDPR as a processor, but you should keep in mind that you also have responsibilities to the people whose information you put in the CRM.
Technical Security
As a CRM company, our customers entrust us with very important data for their businesses. Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into online security, but here are some of the main things we do that might interest you:
- Our servers are hosted by Microsoft Azure. They are one of the largest and (in our opinion) most sophisticated hosting companies in the world, and they have extensive physical and digital security in place. You can read about their GDPR compliance on Microsoft's site.
- We use 256-bit encryption at all levels of our software. All connections to our website are encrypted (i.e. we encrypt "in transit"), our live database is encrypted (i.e. we encrypt "at rest"), and all of our data backups are encrypted.
- Our main servers are in California, USA, at Azure's US-West data center. We also keep encrypted backups of data in other locations within the USA in case anything happens to the California data center. Even though GDPR is a European regulation, it does not necessarily require that data be hosted physically within the EU.
- We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.
Policy Security
In addition to making sure that our software is as secure as possible, we also have strict internal policies to ensure that no one at Mago does anything to jeopardize your data privacy. These include:
- We have strict policies around when a Mago employee can access a customer's data. We only allow this if a customer asks for our help or we are fixing a technical bug. We have monitoring and extensive activity logging in place for all employees to ensure that no one abuses this. No subcontractors can access your data.
- We never sell or share our customers' data with any third parties. The data you enter in your CRM is owned entirely by you.
- We only collect data about you that we actually need. You'll notice that on our signup form we don't ask for your phone number, company name, or any other information that we don't directly use to serve you.
- We have mapped out all of the ways data can enter and leave our system. We do use some third party service providers for things like our internal email hosting and phone system, and we have confirmed that all of our vendors are GDPR compliant.
- We practice "privacy by design". What this means is that everything we build treats privacy as a core feature and not as an afterthought. In addition to every employee being trained in GDPR and privacy best practices, Michael Carducci, founder and original developer, is our designated Data Protection Officer (DPO), responsible for ensuring that privacy and security are built into everything we do, as well as for full GDPR compliance.
- GDPR requires that we have a contract with our customers which specifies things like how we process data, that we will assist you in your GDPR obligations to your customers, etc. In our case, this contract is our standard Terms of Service which applies to all of our customers. You can read the details at https://mago.co/home/tos.
Data breach notification plan
We work hard to keep our software secure so that there are no data breaches, but in the event that there is a data breach, we have a plan in place that fully complies with the requirements laid out by GDPR. The basic idea is that if we become aware of a data breach, we will notify any of our customers who may have been impacted, and provide them with the appropriate information so that they can also comply with their responsibilities as a data controller.
Lawful basis for processing
GDPR requires that we establish that our data processing is legally justified. It gives a variety of reasons processing might be valid, and the following is the one that applies to us:
"...processing is necessary for the purposes of the legitimate interests pursued by the controller…"
Our interpretation of this is that you, as the controller, have legitimate business interests in using a CRM and we're assisting you in pursuing those interests. Keep in mind that this only applies so long as the controller (you) respects the individual rights of the data subjects.
Your responsibilities
As explained above, we are in the role of data processor and you are the data controller. If you enter your customers' information into our software, you can be confident that we are handling GDPR compliance for the data processing side, but you are still responsible for being compliant as a data controller. This would be true regardless of which CRM you use, so there is no avoiding it. If you are concerned that you are not in compliance, we encourage you to research this topic in more detail, but a good starting point is to ensure that you honor, for your customers, the individual rights laid out in the GDPR regulations.
Revisiting GDPR compliance regularly
As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date.