Security
At Magpie Meetings, we take security seriously and implement industry-standard practices to protect your data. This page outlines our security measures and how we safeguard your information.
1. Data Encryption
1.1 Data in Transit
All data transmitted between your browser and our servers is encrypted using:
- TLS encryption: HTTPS connections with modern cipher suites
- Secure protocols: TLS 1.2 or higher for all communications
- Certificate validation: Valid TLS certificates from trusted authorities
1.2 Data at Rest
Sensitive data stored on our systems is protected through:
- Password hashing: Passwords are hashed using strong, one-way cryptographic algorithms (bcrypt)
- Database security: Access-controlled database servers with encryption capabilities
- API tokens: Secure storage of third-party integration tokens with encryption
2. Access Controls
2.1 Authentication
- OAuth 2.0: Support for Google OAuth and other trusted identity providers
- Magic link login: Passwordless authentication option for enhanced security
- Session management: Secure session tokens with automatic expiration
- Account security: Users are responsible for protecting their login credentials
2.2 Administrative Access
- Principle of least privilege: Team members have access only to the data necessary for their role
- Multi-factor authentication: Required for administrative and production system access
- Access logging: All administrative actions are logged and monitored
- Regular audits: Periodic review of access permissions and privileges
3. Infrastructure Security
3.1 Application Security
- Input validation: All user inputs are validated and sanitized to prevent injection attacks
- CSRF protection: Cross-Site Request Forgery tokens on all state-changing operations
- XSS prevention: Output encoding and Content Security Policy headers
- SQL injection protection: Parameterized queries and prepared statements
3.2 Server Security
- Regular updates: Operating systems and software packages are kept up to date
- Firewall protection: Network-level access controls and firewall rules
- Intrusion detection: Monitoring for suspicious activity and unauthorized access attempts
- Dependency management: Regular updates and security patches for third-party libraries
4. Monitoring and Logging
- Activity logs: System events, user actions, and API requests are logged
- Error monitoring: Automated detection and alerting for system errors and anomalies
- Security monitoring: Real-time monitoring for potential security threats
- Audit trails: Comprehensive logs for incident investigation and compliance
Logs are retained for a limited period and are used solely for security, troubleshooting, and service improvement purposes.
5. Incident Response
5.1 Security Incident Handling
In the event of a security incident, we follow a structured incident response process:
- Detection: Identify and assess the nature and scope of the incident
- Containment: Take immediate action to limit impact and prevent further damage
- Investigation: Analyze the incident to determine root cause and affected data
- Remediation: Implement fixes and security improvements to prevent recurrence
- Notification: Inform affected users and authorities as required by law
5.2 Data Breach Notification
If a data breach occurs that affects your personal data, we will:
- Notify you via email within 72 hours of discovering the breach (as required by GDPR)
- Provide details about what data was affected and the potential impact
- Explain the steps we are taking to address the breach
- Offer guidance on actions you can take to protect yourself
6. Third-Party Security
6.1 Service Provider Vetting
We carefully select third-party service providers (sub-processors) who handle your data. All providers must:
- Maintain appropriate security standards and certifications
- Sign Data Processing Agreements (DPAs) as required by GDPR
- Comply with our security and privacy requirements
See our Sub-processors page for a complete list of third-party services we use.
6.2 Integration Security
When you connect third-party services (Google Calendar, Zoom, etc.):
- You control what data is shared through OAuth permission scopes
- You can revoke access at any time from your account settings
- We request only the minimum permissions necessary to provide the functionality
- Integration tokens are stored securely and encrypted
7. Third-Party Audits and Compliance
While Magpie Meetings is currently a free service, we are committed to transparency and security best practices:
- Regular security reviews: Internal audits of code, infrastructure, and processes
- Vulnerability scanning: Automated and manual security testing
- GDPR compliance: Adherence to EU data protection regulations (see our DPA)
- Industry standards: Following OWASP guidelines and security best practices
As the service grows, we may pursue formal security certifications such as SOC 2 Type II or ISO 27001.
8. Vulnerability Disclosure
8.1 Responsible Disclosure Policy
We welcome and appreciate responsible disclosure of security vulnerabilities. If you believe you have found a security issue:
- Report it: Email details to support@magpiemeetings.com with "Security Vulnerability" in the subject line
- Provide details: Include steps to reproduce, potential impact, and any proof-of-concept code
- Do not disclose publicly: Please do not publicly disclose the vulnerability until we have had a chance to address it
- Response time: We will acknowledge your report within 48 hours and provide updates on our investigation
8.2 What to Report
Examples of security vulnerabilities we want to hear about:
- SQL injection, XSS, or CSRF vulnerabilities
- Authentication or authorization bypass
- Remote code execution or server-side request forgery
- Data exposure or unauthorized access to user data
- Any other security issue that could compromise user data or system integrity
9. User Responsibility
While we implement strong security measures, users also play a critical role in security:
- Keep credentials secure: Do not share your password or login credentials
- Use strong passwords: Choose unique, complex passwords (or use OAuth providers)
- Review integrations: Periodically review and remove unnecessary third-party connections
- Report suspicious activity: Contact us immediately if you notice unauthorized account access
- Keep software updated: Use up-to-date browsers and operating systems
10. Security Updates
We regularly update our security practices in response to new threats and industry developments. This page will be updated to reflect significant changes to our security posture. Check the "Last updated" date at the top of this page.
11. Contact Us
For security-related questions, concerns, or to report a vulnerability, contact us at:
- Security Reports: support@magpiemeetings.com (subject: Security Vulnerability)
- General Support: support@magpiemeetings.com
- Privacy Inquiries: privacy@magpiemeetings.com
For all contact options, visit our Contact page.