1. Introduction
This Information Security Policy outlines the commitment of Automagical Apps ("the Company") to protect the confidentiality, integrity, and availability of all information assets related to our business operations, including the development and delivery of our Google Workspace add-ons. This policy applies to all employees, contractors, and third-party vendors who have access to Company information or systems.
2. Purpose
The purpose of this policy is to establish a framework for maintaining a strong security posture that:
- Protects the Company's intellectual property and business information.
- Ensures the security and reliability of our SaaS offerings.
- Maintains the trust of our users and partners.
- Complies with relevant legal and regulatory requirements.
3. Scope
This policy applies to all information assets owned, managed, or accessed by Automagical Apps, including but not limited to:
- Software code and development environments.
- Cloud infrastructure (Google Cloud, Firestore).
- Integrations with third-party services (Google, OpenAI).
- Aggregated usage data.
- Licensing information (hashed and salted email addresses).
- Company communications and internal documents.
- All hardware, software, and networks used in the course of business.
4. Definitions
- PII: Personally Identifiable Information.
- Least Privilege: Limiting access to the minimum necessary.
- MFA: Multi-Factor Authentication.
- Incident: Any unauthorized access, use, or disclosure of information.
5. Roles and Responsibilities
- Executive Management: Approves security strategy and ensures resourcing.
- Designated Security Officer (DSO): Maintains this policy, conducts assessments, leads incident response.
- Employees and Contractors: Follow policy and complete training.
- Third-Party Vendors: Comply with security expectations as outlined in agreements.
6. Information Security Objectives
- Confidentiality: Protecting sensitive information from unauthorized access and disclosure.
- Integrity: Maintaining the accuracy and completeness of information and systems.
- Availability: Ensuring timely and reliable access to information and systems.
7. Data Security and Handling
7.1 User PII
Automagical Apps does not collect, retain, or store user PII within its add-ons or backend systems.
7.2 Licensing Data
Email addresses used for licensing are hashed using SHA-256 with a unique salt, and only the salted hash is stored; the original email address is not retained.
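As an added illustration of the salted-hash scheme described in 7.2 (example code, not code from Automagical Apps; the record layout, the 16-byte random salt per record and the email normalization are assumptions), the following shows how a licensing record can be created and later matched without ever storing the plaintext address:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LicenseRecord:
    """What gets persisted: the per-record salt and the digest, never the email."""
    salt: bytes    # unique per record (assumption: 16 random bytes)
    digest: bytes  # SHA-256(salt || normalized email)


def normalize_email(email: str) -> str:
    # Trim and lower-case so "Alice@Example.com " and "alice@example.com" match.
    return email.strip().lower()


def hash_email(email: str, salt: bytes) -> bytes:
    # Salt first, then the normalized address, so identical emails with
    # different salts produce unrelated digests.
    h = hashlib.sha256()
    h.update(salt)
    h.update(normalize_email(email).encode("utf-8"))
    return h.digest()


def create_license_record(email: str, salt: Optional[bytes] = None) -> LicenseRecord:
    # A fresh random salt per record; the caller never keeps the plaintext.
    salt = os.urandom(16) if salt is None else salt
    return LicenseRecord(salt=salt, digest=hash_email(email, salt))


def matches(record: LicenseRecord, email: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(record.digest, hash_email(email, record.salt))
```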
7.3 Usage Data
Aggregated, anonymized usage data (e.g., button clicks by domain) is collected for analytics. No PII is included.
7.4 Data Storage
All data is stored on Google Cloud and Firestore, with encryption and security controls enforced by the platform.
8. Risk Management
Regular risk assessments will be conducted to:
- Identify emerging threats and vulnerabilities.
- Evaluate the impact and likelihood of security risks.
- Guide implementation of mitigations.
Results are reviewed annually or when systems undergo significant changes.
9. Third-Party Security
Automagical Apps partners with world-class cloud providers that meet internationally recognized standards:
Google Workspace
We leverage the full suite of built-in security features, including:
- Access Transparency
- Data Loss Prevention (DLP)
- Advanced Phishing and Malware Protection
- Context-Aware Access
- Endpoint Management
- Vault for eDiscovery and Retention
- Security Investigation Tool
- Client-side Encryption
Google Cloud Platform (GCP) and Firestore
Backend infrastructure benefits from:
- Identity and Access Management (IAM)
- Virtual Private Cloud (VPC) and Firewall Rules
- Encryption at Rest and in Transit
- Confidential Computing options
- Cloud Armor (DDoS protection)
- Security Command Center (threat detection and risk scoring)
- Shielded VMs
- Binary Authorization for container integrity
OpenAI
Interactions with OpenAI services occur via secure APIs, and no user-identifiable data is transmitted.
Stripe
Handles all payment processing for individual licenses purchased online. Payment information is collected and processed directly by Stripe; Automagical Apps does not store any payment card details. Stripe's security measures and compliance standards can be reviewed in their documentation.
Google Cloud and Google Workspace are SOC 2 Type II certified, along with ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 compliance. We periodically reassess the security practices of our third-party vendors to ensure they continue to meet our security and compliance standards.
10. Access Control
10.1 Least Privilege
Access is restricted to what is needed for each role.
10.2 Authentication
Password complexity requirements are enforced; MFA is required where feasible.
10.3 Account Lifecycle
Accounts are provisioned and deprovisioned promptly as roles change.
10.4 Remote Access
Remote access is enforced via Google Identity, VPN, or a secure endpoint; devices must use secure configurations.
11. Security Awareness and Training
Security training is mandatory upon onboarding and refreshed annually.
Topics include phishing, password hygiene, data handling, and incident reporting.
12. Incident Response
Automagical Apps is dedicated to promptly identifying, managing, and mitigating information security incidents to protect our assets, maintain business continuity, and comply with legal and regulatory requirements. All employees, contractors, and third-party vendors are required to report suspected security incidents immediately to the Designated Security Officer (DSO). The DSO will coordinate the response, which includes:
- Identification: Detecting and assessing the nature and scope of the incident.
- Containment: Implementing measures to limit the impact and prevent further damage.
- Eradication: Eliminating the root cause and removing malicious elements.
- Recovery: Restoring affected systems and resuming normal operations securely.
- Post-Incident Review: Analyzing the incident to improve future response and prevent recurrence.
This structured approach aligns with industry best practices, including those outlined in the NIST Cybersecurity Framework and ISO/IEC 27001. Detailed procedures are documented in our internal Incident Response Plan.
13. Business Continuity and Backups
- Critical configurations and data are backed up regularly via Google Cloud.
- Disaster recovery procedures are tested periodically.
- Backup access and restoration procedures are documented and role-restricted.
14. Physical Security
- Company-controlled physical locations are secured through locked access.
- Devices used for business are encrypted and password-protected.
- Google Workspace device management policies are enforced for endpoint security.
15. Security Monitoring and Logging
We utilize advanced monitoring via:
- Security Command Center (GCP): Threat detection, vulnerability management.
- Workspace Security Investigation Tool: For threat hunting and incident response.
- Workspace Endpoint Detection and Response (EDR): Endpoint threat intelligence.
Logs are:
- Encrypted in storage.
- Retained per legal and regulatory requirements.
- Reviewed regularly for anomalous activity.
16. Audit and Compliance
- Periodic internal audits and security reviews ensure policy enforcement.
- External audits may be conducted by third-party partners or customers.
- Exceptions require risk justification and DSO approval.
17. Enforcement
Violations of this policy may result in disciplinary actions, including termination, legal action, or vendor agreement termination.
18. Policy Review and Updates
This Information Security Policy is reviewed at least annually or upon significant operational changes to ensure its effectiveness and relevance. The Designated Security Officer is responsible for maintaining and updating this policy.
Updates to this policy are communicated company-wide and, when applicable, to our users and partners through our website and/or products, ensuring transparency and awareness of our security practices.
19. Contact Information
Questions or concerns can be directed to:
Security Contact: John McGowan – security@automagicalapps.com
Phone: +1 970 457 4648
20. Approval
This policy is approved by executive management and effective as of June 14, 2024.
21. Data Subject Rights
At Automagical Apps, we are committed to protecting your privacy. In alignment with our policy, we do not collect, retain, or store any personally identifiable information (PII) through our add-ons or backend systems. As a result, no personal data is processed under normal operations.
However, if you believe that personal data has been inadvertently collected or processed in error, or if you have any questions regarding our data handling practices, please refer to our Privacy Policy or contact us at security@automagicalapps.com.