Security & Data Protection Policy

Last updated: April 2026

Overview

At Magentic AI, security is not a feature we add after deployment — it is a design constraint we enforce from the first discovery call. Every client engagement begins with an explicit security scoping exercise that defines data handling protocols, compliance requirements, access boundaries, and infrastructure architecture before a single line of code is written or a single workflow is deployed.

This document outlines how Magentic AI approaches security across all service lines: Custom AI Automation, Enterprise Platform Development, AI Voice Automation, AI Content Creation, AI Corporate Training, and AI Staffing Services.

1. Pre-Engagement Security Scoping

Before any engagement begins, Magentic conducts a structured Security & Compliance Discovery session with the client's designated stakeholders. This session produces a written Security Scope Document that becomes a binding annex to the Master Service Agreement.

The Security Scope Document defines:

• Data Classification — What categories of data the AI system will access, process, or store (PII, financial records, healthcare data, HR data, proprietary business data, etc.)
• Regulatory Obligations — Which compliance frameworks apply to the engagement (HIPAA, SOC 2, GDPR, CCPA, PCI-DSS, TCPA, or others) based on the client's industry and geography
• Infrastructure Model — Whether the deployment will be cloud-hosted in the client's private environment, on-premise within client-owned infrastructure, or in a Magentic-managed private cloud
• Access Control Architecture — Role-based access controls (RBAC), authentication requirements, and human-in-the-loop checkpoints for critical workflows
• Data Retention & Deletion Policy — How long data is stored, where, under what encryption standard, and how it is permanently purged at engagement end or on client request
• Incident Response Protocol — Defined escalation paths, notification timelines, and remediation responsibilities in the event of a security incident

No deployment proceeds without a signed Security Scope Document. This is non-negotiable across all service lines.

2. Data Sovereignty & Model Isolation

Your data never trains public models.

This is the foundational commitment of every Magentic engagement. Specifically:

• Client data is never used to fine-tune, retrain, or improve any publicly accessible AI model, including foundation models operated by third-party providers
• Client data never passes through shared multi-tenant inference environments where cross-contamination is possible
• All AI workflows are deployed in isolated environments — either client-owned cloud infrastructure, dedicated private cloud instances, or on-premise hardware — depending on the security scope agreed at engagement start
• Where third-party AI providers are used (such as LLM APIs), Magentic contractually ensures zero-data-retention agreements are in place with those providers, meaning prompts and outputs are not logged, stored, or used for model improvement by the provider
• All proprietary client assets — brand guidelines, internal documents, training data, workflow logic, prompt libraries — remain exclusively owned by the client and are returned or destroyed at engagement end per the agreed retention policy

3. Compliance Frameworks

Magentic AI designs engagements to be compliant with applicable regulatory frameworks. The following standards are scoped, implemented, and verified in partnership with certified, accredited third parties where formal certification is required.

SOC 2 Type II

SOC 2 Type II compliance is available for enterprise engagements that require it. Where SOC 2 is scoped, Magentic works with accredited third-party auditors to ensure that the infrastructure, access controls, and operational procedures supporting the deployment meet the Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Clients requiring SOC 2 attestation will receive documentation from the auditing body as part of the engagement deliverables.

HIPAA

For healthcare and adjacent engagements involving Protected Health Information (PHI), Magentic designs all systems to HIPAA-compliant architecture standards. This includes end-to-end encryption of PHI in transit and at rest, strict access control and audit logging, Business Associate Agreements (BAAs) executed with all relevant subprocessors, and deployment within HIPAA-eligible infrastructure environments. HIPAA compliance is verified in partnership with certified healthcare IT compliance consultants who review architecture and sign off prior to go-live.

GDPR

For engagements involving personal data of EU residents, Magentic operates as a Data Processor under GDPR. Data Processing Agreements (DPAs) are executed at engagement start. All data processing activities are documented, lawful bases are established, and data subject rights (access, portability, erasure) are supported within the system architecture. Cross-border data transfers comply with applicable transfer mechanisms including Standard Contractual Clauses where required.

CCPA

For engagements involving California residents' personal data, Magentic implements the technical and contractual controls required under the California Consumer Privacy Act, including data subject request handling, opt-out mechanisms where applicable, and service provider agreements that restrict secondary use of personal information.

PCI-DSS

For voice automation or platform engagements that involve payment card data or payment processing workflows, Magentic scopes and implements PCI-DSS compliant architecture. This includes tokenization of card data, scoped network segmentation, and where necessary, engagement of a Qualified Security Assessor (QSA) to validate compliance.

TCPA

For outbound voice automation engagements, all dialing logic, consent management, and call recording workflows are designed in compliance with the Telephone Consumer Protection Act. Consent records are captured, stored, and auditable.

4. Infrastructure Security Standards

Regardless of deployment model, all Magentic-deployed systems meet the following baseline infrastructure security standards:

Encryption

• All data encrypted in transit using TLS 1.2 or higher
• All data encrypted at rest using AES-256 or equivalent
• Key management handled through dedicated key management services (AWS KMS, Azure Key Vault, or equivalent), never hardcoded

Access Controls

• Role-based access control (RBAC) implemented for all system components
• Principle of least privilege enforced — every system component and every human operator is granted only the minimum permissions required for their function
• Multi-factor authentication (MFA) required for all administrative access
• Service-to-service authentication uses short-lived tokens or private key pairs, never static credentials

Network Security

• Deployed systems operate within private virtual networks, not exposed to the public internet unless explicitly required
• API endpoints protected by rate limiting, authentication, and where appropriate, IP allowlisting
• Network traffic between system components encrypted and logged

Logging & Audit Trails

• Comprehensive action logging enabled for all AI agent activity, workflow executions, and data access events
• Audit logs are immutable, timestamped, and stored separately from operational systems
• Log retention periods are defined in the Security Scope Document and comply with applicable regulatory requirements
• Clients have access to their audit logs on demand

Uptime & Reliability

• All deployed AI systems are designed for 99.9% uptime with redundancy built into the infrastructure architecture
• Monitoring, alerting, and automated failover are standard components of every production deployment

5. Human-in-the-Loop Controls

Magentic does not deploy fully autonomous AI into high-stakes decision workflows without explicit client authorization and appropriate human review checkpoints.

During the Security Scoping phase, workflows are classified by risk level:

• Low-risk, high-volume tasks (data entry, content formatting, scheduling, routing) — autonomous AI execution is appropriate
• Medium-risk tasks (lead qualification decisions, draft communications, report generation) — AI executes and outputs are reviewed by a designated human before action
• High-stakes tasks (financial approvals, compliance filings, hiring decisions, patient-affecting actions) — AI provides analysis and recommendations; human authorization is required before any action is taken

These classifications are documented in the workflow design specification and enforced in the system architecture, not merely recommended in training materials.

6. Vendor & Subprocessor Management

Magentic maintains a controlled list of approved subprocessors (third-party AI providers, cloud infrastructure vendors, and tooling platforms) used in client engagements. For each subprocessor:

• Data Processing Agreements or equivalent contractual protections are in place
• Zero-data-retention or equivalent data handling agreements are secured where client data is processed
• Subprocessors are reviewed for security posture and compliance certifications prior to use in regulated engagements

Clients may request the list of subprocessors applicable to their engagement at any time. Where a client's compliance requirements restrict the use of specific subprocessors or geographies, this is documented and enforced in the Security Scope.

7. Security in AI Staffing Engagements

For AI Staffing engagements, where Magentic sources, vets, and places AI-native professionals into client teams, the following security practices apply:

• All candidates undergo background verification appropriate to the role and industry
• Placed professionals sign confidentiality and data handling agreements that align with the client's security requirements before commencing work
• For placements in regulated industries, candidates are specifically vetted for familiarity with applicable compliance frameworks (HIPAA, GDPR, SOC 2, etc.)
• Clients retain full control over system access permissions granted to placed staff, with Magentic providing guidance on least-privilege configuration

8. Security in AI Training Engagements

For AI Corporate Training engagements, security education is integrated into the curriculum:

• All training materials that reference client systems, workflows, or data are treated as confidential and not shared beyond the training cohort
• Prompt engineering and AI tool usage training explicitly covers secure AI practices — what data should and should not be submitted to external AI tools, how to identify AI-related compliance risks, and how to escalate concerns
• Post-training support periods include guidance on maintaining secure AI usage habits as the organization scales adoption

9. Incident Response

In the event of a security incident affecting a client's deployed systems:

• Magentic's response team is notified immediately upon detection
• The client's designated security contact is notified within the timeframe specified in the Security Scope Document (standard is within 24 hours of confirmed incident identification)
• Affected systems are isolated and assessed
• A written incident report is delivered to the client documenting the nature of the incident, affected data, containment actions taken, and remediation steps
• Post-incident, a root cause analysis is conducted and findings are shared with the client along with architectural improvements to prevent recurrence

Notification timelines are adjusted to meet regulatory requirements where applicable (for example, GDPR's 72-hour supervisory authority notification requirement).

10. Client Responsibilities

Security is a shared responsibility. Magentic fulfills its obligations as outlined in this document. Clients are responsible for:

• Providing accurate and complete information about their regulatory obligations during the Security Scoping phase
• Maintaining the security of credentials and access controls within their own organization
• Notifying Magentic promptly of any changes to their compliance requirements during the engagement
• Ensuring that internal users of Magentic-deployed systems complete any required security training

Contact

For security inquiries, compliance documentation requests, or to discuss the security requirements of a prospective engagement, contact:

hello@gomagentic.com