The platform is hosted on Amazon Web Services (AWS), a global cloud application hosting service. AWS provides high availability and redundancy, together with built-in security controls that manage system access, monitor for potential security events, and fail over to redundant capacity in the event of an outage or system compromise.
MAGIC uses AWS Security Hub to manage security policy and incidents across the whole environment. Security Hub continuously monitors MAGIC’s environment with automated security checks based on AWS best practices and industry standards.
Data Maintenance & Extraction
The platform is designed to protect the content users enter, and to minimize any barriers to extracting that content when needed:
- Version maintenance. All versions of content are retained in their entirety. When content (for example, a guideline) is published, a version is saved in the database together with a PDF rendering, and these files are retained for every version.
- Nondestructive deletions. When a user deletes critical data, it is marked as deleted but retained, so that data such as deleted PICOs and recommendations can be recovered after an inadvertent deletion. Users can restore deleted PICOs and recommendations themselves; deleted guidelines can only be restored by contacting support.
- Database snapshots. An image of the entire database is taken hourly, and these images are retained for 35 days.
- Data integrity. The database is ACID compliant (atomicity, consistency, isolation, durability), so a transaction is either applied in full or not at all.
- JSON exports (via the UI and API). Users can at any point generate a data-file copy of a whole guideline, or of parts of it (such as single recommendations), for storage and dissemination outside the platform.
- PDF exports (via the UI and API). Users can at any point generate a PDF copy of their guideline for storage and dissemination outside the platform.
- Word exports (via the UI and API). Users can at any point generate a Word copy of their guideline, PICO questions or recommendations for storage and dissemination outside the platform.
- All users must agree to the Terms of Service prior to accessing the system.
- Users can configure a custom copyright statement and disclaimer for their content.
- The platform retains no personal data beyond email addresses.
- Passwords are hashed with , a one-way function; MAGIC cannot reverse the hash to recover a user's password.
- The database is encrypted at rest.
- A full audit history is created and retained for all content edits.
- The platform requires TLS 1.2 for every connection, so all traffic is encrypted in transit.
- Cross-site request forgery (CSRF) protection is enabled, preventing a malicious site from submitting requests with a signed-in user's credentials. This is distinct from clickjacking, a framing attack that is mitigated by restricting which origins may embed the application (for example with the CSP frame-ancestors directive).
- All database queries are protected from SQL injection attacks.
- The API rejects cross-site scripting (XSS) payloads before they are saved, validating incoming requests against allow lists.
- All servers sit behind at least one firewall; servers that hold data are not reachable from the public internet.
- All application logs are maintained on a separate logging server.
- The UI is served with strict Content Security Policy (CSP) rules.
- All servers are patched weekly.
- All application secrets are stored in a secrets vault rather than in code or configuration files.
- Multi-factor authentication (MFA) is required to access anything development or deployment related by MAGIC staff.
- The platform has passed a two-week penetration test conducted by the World Health Organization.
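Two of the items above describe mechanisms rather than policies: nondestructive deletion with user-versus-support restore and a retained audit history, and protection of database queries against SQL injection. The following is an added example, written for this page and not MAGIC's own code, that shows both on an in-memory SQLite store; the table, column and role names, the actor names and the injection payload are assumptions chosen for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Added example, not MAGIC's own code: a small content store that shows
# (1) soft deletion with an audit trail and role-gated restore, and
# (2) the same lookup written unsafely by string concatenation and safely
# with a bound parameter. Table, column, role and actor names are assumptions.

SCHEMA = """
CREATE TABLE content (
    id         INTEGER PRIMARY KEY,
    kind       TEXT NOT NULL CHECK (kind IN ('guideline', 'pico', 'recommendation')),
    owner      TEXT NOT NULL,
    body       TEXT NOT NULL,
    deleted_at TEXT                       -- NULL while live, a timestamp once deleted
);
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    content_id INTEGER NOT NULL,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,
    at         TEXT NOT NULL
);
"""

# Kinds an ordinary user may restore themselves; anything else needs support.
USER_RESTORABLE = {"pico", "recommendation"}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _log(db, content_id, actor, action):
    db.execute("INSERT INTO audit_log (content_id, actor, action, at) VALUES (?, ?, ?, ?)",
               (content_id, actor, action, datetime.now(timezone.utc).isoformat()))

def create(db, kind, owner, body, actor):
    cur = db.execute("INSERT INTO content (kind, owner, body) VALUES (?, ?, ?)",
                     (kind, owner, body))
    _log(db, cur.lastrowid, actor, "create")
    return cur.lastrowid

def soft_delete(db, content_id, actor):
    """Mark the row deleted; nothing is physically removed."""
    db.execute("UPDATE content SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
               (datetime.now(timezone.utc).isoformat(), content_id))
    _log(db, content_id, actor, "delete")

def restore(db, content_id, actor, is_support=False):
    """Undo a soft delete. Users may restore PICOs and recommendations themselves;
    a deleted guideline can only be restored by support."""
    row = db.execute("SELECT kind, deleted_at FROM content WHERE id = ?",
                     (content_id,)).fetchone()
    if row is None or row[1] is None:
        return False                      # unknown id, or not deleted
    if row[0] not in USER_RESTORABLE and not is_support:
        _log(db, content_id, actor, "restore-denied")
        return False
    db.execute("UPDATE content SET deleted_at = NULL WHERE id = ?", (content_id,))
    _log(db, content_id, actor, "restore")
    return True

def live_bodies_unsafe(db, owner):
    """VULNERABLE: the caller's string is spliced into the SQL text."""
    sql = ("SELECT body FROM content WHERE owner = '" + owner +
           "' AND deleted_at IS NULL ORDER BY id")
    return [r[0] for r in db.execute(sql)]

def live_bodies(db, owner):
    """SAFE: the value is bound as a parameter and is never parsed as SQL.
    Every read path also filters out soft-deleted rows."""
    rows = db.execute("SELECT body FROM content WHERE owner = ? AND deleted_at IS NULL ORDER BY id",
                      (owner,))
    return [r[0] for r in rows]

def audit_actions(db, content_id):
    rows = db.execute("SELECT action FROM audit_log WHERE content_id = ? ORDER BY id",
                      (content_id,))
    return [r[0] for r in rows]

PAYLOAD = "nobody' OR '1'='1"             # constructed injection input

def demo():
    db = open_db()
    rec = create(db, "recommendation", "alice", "Recommend vaccine X", "alice")
    gl = create(db, "guideline", "alice", "Guideline for condition Y", "alice")
    create(db, "recommendation", "bob", "Bob's private draft", "bob")
    soft_delete(db, rec, "alice")
    soft_delete(db, gl, "alice")
    return {
        "alice_sees_after_delete": live_bodies(db, "alice"),
        "user_restores_recommendation": restore(db, rec, "alice"),
        "user_restores_guideline": restore(db, gl, "alice"),
        "support_restores_guideline": restore(db, gl, "support", is_support=True),
        "alice_sees_after_restore": live_bodies(db, "alice"),
        "guideline_audit": audit_actions(db, gl),
        "injection_unsafe": live_bodies_unsafe(db, PAYLOAD),
        "injection_safe": live_bodies(db, PAYLOAD),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the constructed payload the unsafe lookup returns every owner's live content, because the spliced string rewrites the WHERE clause (`owner = 'nobody' OR '1'='1' AND deleted_at IS NULL`), while the parameterized lookup treats the same string as a literal owner name and returns nothing. Soft-deleted rows are invisible on every read path because each query filters on `deleted_at IS NULL`, yet they remain in the table for restore and in any snapshot, and the audit log records the denied guideline restore as well as the successful one.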