MAGICapp System Security Summary

MAGICapp is hosted using Amazon Web Services (AWS), a global cloud-based application hosting solution. AWS provides MAGICapp with high availability and redundancy, as well as built-in security controls that manage system access, monitor potential security events, and provide failover redundancy in the event of an outage or system compromise.

MAGIC uses AWS Security Hub to globally manage security policy and incidents. AWS Security Hub continuously monitors MAGIC’s environment using automated security checks based on AWS best practices and industry standards.


Data Maintenance & Extraction 

MAGICapp is designed to protect the content our users enter, and minimize any barriers to extracting this information as needed: 

  1. Version maintenance. All versions of MAGICapp content are retained in their entirety. When content is published in MAGICapp (e.g. guidelines), MAGICapp saves a version in the database and a PDF version, and these files are retained for each version.
  2. Nondestructive deletions. When a user chooses to delete critical data, it is marked as deleted but retained. This allows MAGICapp to recover data such as deleted PICOs and recommendations in the case of an inadvertent deletion. Users can restore deleted PICOs and recommendations themselves, but deleted guidelines can only be restored by contacting MAGICapp support. 
  3. Daily snapshots. MAGICapp creates an image of the entire MAGICapp database hourly and retains these images for 35 days.
  4. Data integrity. MAGICapp’s database is ACID (atomicity, consistency, isolation, and durability) compliant. 
  5. JSON exports (via the UI and API). Users can at any point generate a data-file copy of their whole guideline, or parts of it (e.g. single recommendations), for storage and dissemination outside of MAGICapp. 
  6. PDF exports (via the UI and API). Users can at any point generate a PDF copy of their guideline for storage and dissemination outside of MAGICapp. 
  7. Word export (via the UI and API). Users can at any point generate a Word copy of their guideline, PICO questions or recommendations, for storage and dissemination outside of MAGICapp. 

Data Protection 

  1. All MAGICapp users must agree to the MAGICapp Terms of Service prior to accessing the system. 
  2. MAGICapp users can configure a custom copyright statement and disclaimer for their content. 
  3. MAGICapp retains no personal data, beyond email addresses.  
  4. MAGICapp passwords are encrypted with bcrypt, and MAGIC is unable to decrypt them.
  5. The MAGICapp database is encrypted at rest. 
  6. A full audit history is created and retained for all content edits. 
  7. MAGICapp requires a TLS 1.2 (encrypted) connection.
  8. Cross-site request forgery (CSRF) protection is enabled to prevent clickjacking attacks. 
  9. All database queries are protected from SQL injection attacks. 
  10. MAGICapp’s API prevents any cross-site scripting (XSS) data from being saved, using allow lists to control requests. 
  11. All servers are behind at least 1 firewall. Servers with data are not accessible from the public internet. 
  12. All application logs are maintained on a separate logging server. 
  13. The MAGICapp UI uses strong content security policy (CSP) rules. 
  14. All MAGICapp servers are patched weekly. 
  15. All MAGICapp application secrets are vaulted. 
  16. Multi-factor authentication (MFA) is required to access anything development or deployment related by MAGIC staff. 
  17. MAGICapp has passed a World Health Organization two-week-long penetration test.

 
