General Data Protection Regulation (GDPR)

Data Privacy

Magnetic is compliant with the EU General Data Protection Regulation (GDPR). By the terms of this regulation, we act as both a controller and a processor of data.

As a data processor, we enable you, the client, to act as a data controller. This means that your company and its activities must comply with the regulations set out in the GDPR. Magnetic is obligated to assist authorities in ensuring that GDPR compliance is met by any data controllers we enable. Even if you are not based in the European Union, the GDPR applies to your company if you store any personal information for any European Union citizen.

As a controller of data, we collect the following personal data from our users.


Client Relation Data

We collect your full names (as given during sign-up), email address(es) and contact numbers. This data is used by our sales representatives and implementation specialists in order to contact you regarding your Magnetic account, so as to set it up and provide support. We also collect information regarding your place of work, which is rendered from your employer and is necessary to associate users to their company.


Diagnostic Data

We collect IP addresses and behavioural data for two reasons: as part of our obligations as a data processor to keep a record of processing events and to assist our team in diagnosing any problems you encounter while using our system.


Analytic Data

In order to provide the best possible experience, we make use of analytic third-party systems which may track any of the information above. These third-party applications are listed below.


Future Data Storage

In the future, Magnetic may extend the personal data we store as needed to provide an inclusive, accessible and useful system to our clients. All this data will be obtained with your explicit knowledge and consent, and we will explain exactly how we intend to use it.


Third-Party Services

Magnetic makes use of several third-party services in order to provide utility to you, the client, and to assist us in diagnosing issues and improving the user experience. Some of these third-party services are optional integrations for our clients to use in their work as data controllers.

All of these third-party services are listed below, along with links to their own GDPR information pages. All our third-party services are GDPR compliant.

Intercom

We use Intercom to broadcast updates to clients and to run automated follow-ups to ensure the on-boarding process goes smoothly.

How we’re preparing for GDPR

Freshdesk

Freshdesk is our support and ticketing system, which we use to assist our clients with any queries and issues they have with our system.

Data Protection & Commitment to GDPR

NewRelic

NewRelic is a system diagnosis tool we use to monitor the speed and stability of our application. All user data is anonymized before being sent to this service.

FAQ – GDPR

FullStory

FullStory is a diagnostic tool we use to analyse user behaviour in order to diagnose issues and improve the user experience. Sensitive fields are excluded from the data sent to FullStory, and IP addresses are discarded once the sessions are recorded.

GDPR and FullStory

Google Analytics

Google Analytics is a diagnostic tool used to monitor user retention and satisfaction, as well as average session duration and other important metrics. These are then used to improve pain points in the system.

Google Cloud – GDPR

Amazon AWS

Our servers and our databases are hosted by Amazon AWS.

All AWS Services GDPR Ready

Sentry

Sentry is an error reporting tool which Magnetic uses to get ahead of bugs in our system, even if they go unnoticed or unreported by our users.

GDPR, Sentry and You

Campaign Monitor (optional)

Campaign Monitor is an optional service client can opt into, which lets them keep tabs on ongoing email campaigns.

GDPR overview and best practices

Zapier (optional)

Zapier is an automation service that clients can integrate with. This lets them set up triggers to automate actions based on events that happen in Magnetic, or in other third-party services.

Please note that Magnetic cannot give assurances as to whether or not all the systems Zapier integrates with are GDPR compliant. As data controllers, clients are expected to ensure that all use of Zapier integrations conforms to the regulations set out in the GDPR.

GDPR

BinaryCanary

BinaryCanary is an uptime monitoring service Magnetic uses to track our availability metrics. It receives no personal data whatsoever.

Sage (optional)

Sage is an accounting system available to integrate into Magnetic.

GDPR

Navision (optional)

Dynamics NAV is a Microsoft platform Magnetic clients can integrate with.

Get GDPR Compliant with Dynamics NAV

Xero Accounting (optional)

Xero is an accounting system available to integrate into Magnetic.

GDPR centre

Dropbox (optional)

Dropbox is a cloud storage platform. Magnetic users are able to link files from Dropbox to Magnetic and share them with their colleagues.

Welcome to Dropbox’s GDPR Guidance Center

Google Cloud (optional)

Magnetic allows clients to integrate with Google Cloud, providing email, calendar and storage integration.

Google Cloud & the GDPR


What has Magnetic done to comply with the GDPR?

As a global company which handles sensitive information for our clients, Magnetic takes the protection of our client’s data and privacy very seriously. We have conducted an extensive review of all our third-party applications, their GDPR compliance and data policies, and the data transfer contracts we have with each of them. Sensitive information is stored as securely as possible, and we have a comprehensive security module to ensure that data can only be accessed by those who have explicit approval.

Internally, we have a strict policy regarding the access of data, both via our back-end system and in terms of our support and ticketing services.

We have also conducted a review of our logging and record policies to ensure that we comply with the logs and records required from data processors.

We commit to responding timeously to requests for erasure, and requests for access, from any potential data subject who can provide sufficient proof of identity. We also have available systems for our clients to download their uploaded data for portability.

In the unlikely event of a data breach, we commit to notifying affected parties within 72 hours of becoming aware that such a breach has occurred. In this time, we will conduct as extensive an investigation as possible, so as to inform affected parties of the consequences of the breach as transparently as possible.