Data Processing Addendum
Last updated: Nov 17, 2025
We are MagicBlocks, Inc. (MagicBlocks, we, us, our).
We operate the website https://magicblocks.ai along with any associated software applications and websites that link to our Terms and Conditions (Services).
This Data Processing Addendum forms part of the Terms and Conditions (Terms and Conditions) which govern your access and use of the Services.
Its purpose is to set forth the parties’ obligations when we process personal data on your behalf, ensuring that such processing complies with applicable data protection laws.
This Data Processing Addendum covers only the processing of personal data about your prospective customers (including leads and similar sales prospects) that you provide to us or that we collect or generate on your behalf through the Services.
It does not apply to personal data that we process as a controller, which is covered by our Privacy Policy.
In case of conflict between this Data Processing Addendum and our Terms and Conditions, this Data Processing Addendum prevails with regard to data protection matters.
This Data Processing Addendum is legally binding on you at the same time as the Terms and Conditions.
WHEREAS
- You (Customer or you) act as a Controller.
- You wish MagicBlocks to provide certain Services, which imply the processing of personal data by MagicBlocks (Processor).
- We seek to implement a data processing addendum that complies with Applicable Data Protection Laws.
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS
Capitalised terms and expressions defined in the Terms and Conditions shall have the same meaning when used in this Data Processing Addendum unless expressly defined in this Data Processing Addendum (in which case the meaning in this Data Processing Addendum prevails) and the following capitalised terms and expressions used in this Data Processing Addendum shall have the following meaning:
Addendum means this Data Processing Addendum and all Annexes.
Applicable Data Protection Laws means all applicable privacy and data protection laws and regulations and in each case, as amended, superseded or replaced from time to time, including, without limitation, the EU General Data Protection Regulation (EU) 2016/679 (GDPR), the United Kingdom Data Protection Act 2018 (UK GDPR), the California Consumer Privacy Act of 2018 (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Principles and the Australian Privacy Act 1988.
California Personal Information means Customer Personal Data that is subject to the protection of the CCPA.
Contact Data means the Personal Data that MagicBlocks Processes as a controller, such as account information and payment information.
Controller means the entity which determines the purposes and means of the processing of Personal Data, including similar terms such as “Business” used in the CCPA. For the purposes of this Addendum, Controller is the Customer on whose behalf prospective customer data is processed.
Customer Personal Data means the Personal Data that MagicBlocks Processes on your behalf.
Data Subject means the identified or identifiable natural person who is the subject of Personal Data or the meaning as set forth in Applicable Data Protection Laws, including similar terms, such as "Consumer" as used in the CCPA.
Personal Data means "personal data", "personal information", "personally identifiable information" or similar information defined in and governed by Applicable Data Protection Laws.
Processing means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and including all "processing" as defined in any Applicable Data Protection Laws.
Processor means the entity which processes Personal Data on behalf of the Controller, including similar terms such as “Service Provider” as used in the CCPA. For the purposes of this Addendum, MagicBlocks is the Processor.
Security Incident means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data Processed by MagicBlocks and/or its Subprocessors in connection with the provision of Services. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
Service-Generated Data means usage data and metadata that is generated through the use of the Services. This Addendum applies to Service-Generated Data to the extent Service-Generated Data constitutes Personal Data.
Standard Contractual Clauses or SCCs means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) ("UK SCCs") (in each case, as updated, amended or superseded from time to time).
Subprocessor means any third party authorized by or on behalf of MagicBlocks to Process Customer Data in order to fulfil its obligations with respect to providing Services under the Terms and Conditions or this Addendum.
UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office under s.119A(1) of the UK GDPR, as such Addendum may be revised under Section 18 therein.
2. RELATIONSHIP OF PARTIES
You and MagicBlocks acknowledge and agree that in relation to the Processing of Customer Personal Data, you act as Controller and MagicBlocks is a Processor. MagicBlocks will process Customer Personal Data under and in accordance with your instructions as set forth in the Terms and Conditions and this Addendum (including as outlined in Annex I (Details of Processing and Transfer)) and as otherwise necessary to provide the Services and Additional Support Services or to comply with applicable law including Applicable Data Protection Laws.
You must ensure that your instructions comply with Applicable Data Protection Laws and ensure MagicBlocks’ Processing of Customer Personal Data, when done in accordance with your instructions, will not cause MagicBlocks to violate any applicable law, including Applicable Data Protection Laws.
In relation to Contact Data and any Service-Generated Data which is considered Personal Data, MagicBlocks is the controller with respect to such data and will Process such data in accordance with the Privacy Policy.
3. COMPLIANCE WITH LAW
3.1 You and MagicBlocks agree to comply with obligations under Applicable Data Protection Laws with respect to Processing of Customer Personal Data.
3.2 In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Personal Data and the means by which such data is acquired; (ii) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Laws for the collection and use of Customer Personal Data, including providing adequate notices, obtaining any necessary consents and authorizations, and honouring opt-out preferences; (iii) ensuring you have the right to transfer, or provide access to, the Customer Personal Data to us for Processing in accordance with the Terms and Conditions (including this Addendum); and (iv) ensuring all instructions regarding the Processing of Customer Personal Data comply with Applicable Data Protection Laws. You will inform us without undue delay if you are not able to comply with your responsibilities under this section or Applicable Data Protection Laws.
3.3 You are responsible for ensuring that your instructions to us regarding the Processing of Customer Personal Data comply with applicable laws, including Applicable Data Protection Laws. The parties agree that the Terms and Conditions (including this Addendum) constitute your complete instructions to us in relation to MagicBlocks' Processing of Customer Personal Data.
3.4 We will ensure that any personnel whom we authorize to Process Customer Personal Data on our behalf are informed of the confidential nature of the Customer Personal Data and are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Customer Personal Data.
4. SUBPROCESSING
4.1 The Controller generally authorises the Processor to engage Subprocessors to Process Customer Personal Data as required (or desired) in order to deliver the Services and Additional Support Services. A list of MagicBlocks' Subprocessors (including their functions and location) is available at List of Subprocessors (List of Subprocessors) and may be updated by MagicBlocks from time to time in accordance with this Addendum.
4.2 You may subscribe at trust.magicblocks.ai to receive notification of new Subprocessors that will be engaged. MagicBlocks may update the List of Subprocessors from time to time and, if you have subscribed (and not subsequently withdrawn consent) to receive such notices or if otherwise required by Applicable Data Protection Laws, you will be notified by email.
4.3 If within five (5) calendar days of such notice you provide written notice to MagicBlocks that you object to the appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss the objection and concerns in good faith and ascertain whether they can be resolved. If the parties are not able to mutually agree on a resolution of such concerns, you (as your sole and exclusive remedy) may terminate the Services and/or Additional Support Services and Terms and Conditions for convenience with no refunds.
4.4 You acknowledge that many of the Subprocessors listed on the List of Subprocessors are large, independent, reputable companies that offer their services to numerous customers on the same or similar contractual terms. MagicBlocks will generally rely on each Subprocessor's standard data protection terms (such as each sub-processor's own data processing addendum or privacy commitments) to ensure that Customer Personal Data is protected in accordance with Applicable Data Protection Laws. On your written request, MagicBlocks will provide more information about the data protection practices of any Subprocessor and copies of relevant privacy terms (subject to confidentiality) so that you can reasonably assess the Subprocessor's suitability.
5. SECURITY
5.1 MagicBlocks will implement and maintain technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with MagicBlocks' security standards referenced in Annex II (Security Measures).
5.2 You are responsible for reviewing the information made available by MagicBlocks relating to data security and making an independent determination as to whether these meet your requirements and legal obligations under Applicable Data Protection Laws. You acknowledge that the Security Measures provide a level of security appropriate to the risk in respect of the Customer Personal Data (taking into account the state of the art, costs of implementation, the nature and purpose of processing, and the volume and sensitivity of the Customer Personal Data) and that they may be updated from time to time upon reasonable notice to you to reflect process improvements or changing practices (but the modifications will not materially decrease MagicBlocks' obligations).
5.3 You agree that, without limitation of MagicBlocks' obligations under this clause 5, you are solely responsible for your use of the Services and Additional Support Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices you and your employees use to access the Services; (c) securing the systems and devices that you use with the Services; and (d) maintaining your own backup of Customer Personal Data.
5.4 Upon becoming aware of a confirmed Security Incident, MagicBlocks will notify you without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of MagicBlocks' legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notice to you will describe, to the extent possible: (a) the details of the Security Incident as known or as reasonably requested by you; and (b) the steps taken, deemed necessary and reasonable by MagicBlocks, to mitigate the potential risks, to the extent that the remediation is within MagicBlocks' reasonable control. Without prejudice to MagicBlocks' obligations under clause 5.4, you are solely responsible for complying with Security Incident notification laws applicable to you and fulfilling any third-party notification obligations related to any Security Incidents. MagicBlocks' notification of or response to a Security Incident under this clause 5.4 will not be construed as an acknowledgment by MagicBlocks of any fault or liability with respect to the Security Incident. These obligations will not apply to Security Incidents to the extent they are caused by you.
6. AUDIT AND REVIEWS OF COMPLIANCE
6.1 MagicBlocks acknowledges that you must be able to assess MagicBlocks' compliance with its obligations under Applicable Data Protection Laws and this Addendum.
6.2 Subject to reasonable confidentiality controls, MagicBlocks may satisfy this obligation by providing audit reports by independent third parties (e.g. SOC 2, ISO 27001 certifications or similar) or summaries or extracts of such reports, and you agree that any audit rights granted by Applicable Data Protection Laws will be satisfied by such information.
7. IMPACT ASSESSMENT AND CONSULTATIONS
7.1 To the extent you do not have access to the relevant information and such information is available to MagicBlocks, MagicBlocks will provide reasonable assistance and cooperation in complying with your obligations in relation to any data protection impact assessments and consultations required under Article 35 or 36 of the GDPR (or equivalent provisions under any other Applicable Data Protection Laws), in each case solely in relation to the Processing of Customer Personal Data, and taking into account the nature of the Processing and the information available to MagicBlocks.
8. DATA SUBJECT REQUESTS
8.1 MagicBlocks will at your request and expense provide such assistance as may be reasonably necessary to comply with your obligations under Applicable Data Protection Laws to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (such as rights of data access, rectification, deletion/erasure, data portability and objection) where you cannot reasonably fulfil such requests independently through the use of the Services.
8.2 Where MagicBlocks receives a request from a Data Subject in relation to the Processing of their Customer Personal Data, MagicBlocks will advise the Data Subject to submit their request to you and you will be responsible for responding to any such request.
9. RETURN OR DELETION OF CUSTOMER DATA
9.1 You may delete or export Customer Personal Data at any time while using the Services in a manner consistent with the functionality of the Services.
9.2 Termination or expiry of the Terms and Conditions serves as an instruction for MagicBlocks to delete all Customer Personal Data within a commercially reasonable timeframe.
9.3 Notwithstanding the foregoing, MagicBlocks may retain Customer Personal Data if required by law and such data will remain subject to the requirements of this Addendum.
10. INTERNATIONAL PROVISIONS
10.1 You acknowledge that MagicBlocks' primary processing facilities are in the United States, Europe and Australia. Notwithstanding the foregoing, you acknowledge that MagicBlocks may in connection with the provision of the Services, need to transfer and process Customer Personal Data to and in the United States, Europe or Australia (based on your election as to where your data is stored) and anywhere else in the world where MagicBlocks and its Subprocessors maintain data processing operations. MagicBlocks will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this Addendum.
10.2 To the extent that your use of the Services requires an onward transfer mechanism to lawfully transfer Customer Personal Data from a jurisdiction to MagicBlocks or a subprocessor located outside of that jurisdiction (a Transfer Mechanism), the terms and conditions of Annex III (Cross Border Transfer Mechanism) will apply.
10.3 The following provisions apply only in respect of California Personal Information. When processing California Personal Information in accordance with your instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA. We certify that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services and Additional Support Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA. Further, we certify that we will not (i) sell or share California Personal Information (as the terms "sell" or "share" are defined in the CCPA); (ii) Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; or (iii) combine California Personal Information included in Customer Personal Data with personal information that we collect or receive from another source (other than information we receive from another source in connection with our obligations as a Service Provider under the Terms and Conditions). We will (i) comply with the obligations applicable to us as a Service Provider under the CCPA; (ii) provide the same level of protection for California Personal Information as is required by the CCPA; and (iii) notify you if we make a determination that we can no longer meet our obligations as a Service Provider under the CCPA. You will have the right to take reasonable and appropriate steps to help ensure that we use California Personal Information in a manner consistent with your obligations under the CCPA. Upon notice, you will have the right to take reasonable and appropriate steps in accordance with the Terms and Conditions to stop and remediate unauthorized use of California Personal Information. 
The parties acknowledge and agree that the disclosure of California Personal Information by the Customer to MagicBlocks does not form part of any monetary or other valuable consideration exchanged between the parties.
11. MISCELLANEOUS
Any liabilities arising under this Addendum are subject to the limitations of liability in the Terms and Conditions (which limitation shall include in aggregate claims arising under the Terms and Conditions and claims arising under this Addendum). Neither party has provided any additional indemnity or agreed to any liability with respect to the subject of this Addendum beyond that contained in the Terms and Conditions. This Addendum will be governed by and construed in accordance with governing law of the Terms and Conditions, unless required otherwise by Applicable Data Protection Laws. This Addendum will remain in effect until, and automatically terminate upon, deletion of Customer Data as described in this Addendum or termination or expiration of the Terms and Conditions.
ANNEX I
DETAILS OF PROCESSING AND TRANSFER
Controller (Data Exporter): The Customer entity that is a party to the Terms and Conditions and that determines the purposes and means of processing Customer Personal Data.
Processor (Data Importer): MagicBlocks, as the provider of the Services, and any applicable affiliates of MagicBlocks to the extent they are engaged in processing Customer Personal Data.
Nature and Purpose of Processing: Processor will process Customer Personal Data as needed to provide the Services, which include an AI-driven sales agent interacting with prospective customers on behalf of Controller. The nature of processing includes automated conversation processing (e.g., analyzing inquiries and generating responses), lead data management (storing and organizing prospect contact information and interaction history), and integration with Controller's systems (such as CRM or marketing platforms) as instructed. The purpose of the processing is to facilitate Controller's sales and marketing activities by engaging and managing communications with potential customers, answering their questions, and capturing relevant data from those interactions. Processing also includes associated activities such as data hosting and backup. Processor only processes the data for the above purposes and as otherwise instructed by Controller, and not for its own unrelated purposes (such as building general profiles or selling data).
Duration of Processing: Processor will process Customer Personal Data for the duration of the Terms and Conditions. All Customer Personal Data will be deleted or returned to Controller as set forth in this Addendum (see clause 9) upon termination or expiry of the Services, save for any data which must be retained as required by law (and in such case, the Addendum will continue to apply to that data).
Data Subjects: The personal data processed under this Addendum relates to the following categories of data subjects: Prospective or potential customers of Controller, including leads, website visitors who engage with the AI sales chat agent, individuals who are contacted or who contact Controller through the Services, or other target individuals in Controller's sales and marketing prospect lists. These data subjects may be private consumers or employees/representatives of business entities (in B2B contexts) whose personal information is processed for the purpose of business development and marketing on behalf of Controller.
Categories of Personal Data: The types of Personal Data that may be processed include (but are not limited to):
Contact Information: e.g. full name, email address, telephone number, company name, job title, and other contact details collected about a prospect.
Communication Data: content of chat conversations between the prospect and the AI agent via Processor’s platform and any files or media shared by the prospect during those communications.
Interaction Metadata: timestamps of interactions, chat durations, message logs, IP address or general location of the prospect (if captured for routing or context), browser/device information (for web chat), and other technical metadata related to the communications.
Lead Qualification Data: information inferred or collected about the prospect during conversations, such as their product interest, budget, timeframe, or other qualifying information, which may be recorded as part of the chat transcript.
Support/CRM References: if the Services integrate with Controller’s systems (e.g., CRM or support databases) as part of the conversation, there might be temporary processing of reference IDs, ticket numbers, or similar data to retrieve or record information relevant to the prospect.
Processor does not knowingly collect any sensitive or special categories of personal data (such as race, ethnic origin, health, biometric data, etc.) or any government-issued identification numbers, financial account numbers, or payment card data about the prospects for the performance of the Services. Controller should avoid transmitting such sensitive data to the Processor. If any sensitive personal data is provided by data subjects in an unsolicited manner (e.g., a prospect types health information into a chat), Processor will treat it as Personal Data in accordance with this Addendum but assumes no liability for processing that was not required for the Services.
Processing Operations: The processing activities to be performed by Processor on Customer Personal Data include, inter alia:
Collection/Recording: Receiving personal data from Controller (e.g., via CRM sync or upload of a lead list) and capturing data directly from data subjects through the AI chat or communications interface (e.g., when a prospect provides their name and email in a chat).
Storage and Organization: Hosting the personal data on Processor’s systems or cloud infrastructure, structuring it (e.g., in conversation logs or lead records), and associating related data (like linking a chat conversation to a prospect’s contact record).
Use/Analysis: Using the data to run AI models and algorithms to generate responses or categorize the conversation, analyzing conversation content for intent or sentiment as needed for the service, and otherwise processing the data to fulfill the functional purposes of the Services to Controller (for example, determining appropriate answers or scheduling follow-ups based on the prospect’s input).
Disclosure/Sharing: Communicating the prospect’s data back to Controller (e.g., through dashboard interfaces, reports, or integration to Controller’s CRM), and disclosing personal data to authorized sub-processors for the purpose of carrying out parts of the Service (such as using a cloud host to store data) as listed in the List of Subprocessors. Also, possibly transferring chat transcripts or lead info to Controller’s team or systems as part of the service.
Erasure/Deletion: Deleting or anonymizing personal data upon Controller’s instruction or as required by the Addendum.
Other Operations: Any other operation on Personal Data that is necessary for the provision of the Services, such as retrieval (pulling up a past conversation upon request), combining data (e.g., referencing Controller-provided context like a product catalog to answer prospect questions), or blocking data (suppressing a contact who opts out from further communication).
All such processing is conducted by Processor strictly on behalf of Controller and under Controller's instructions, as described in the Terms and Conditions and this Addendum.
Intended International Transfers: Customer Personal Data may be transferred to or accessed by Processor and its sub-processors in countries outside of the data subject's country. In particular, data from the EEA/UK/Switzerland may be transferred to the United States and other jurisdictions where Processor's sub-processors operate (see the List of Subprocessors for details). Such transfers are governed by the safeguards described in Annex IV to ensure an adequate level of protection for the personal data.
Contact Details:
Processor Contact for data protection inquiries: https://magicblocks.ai/contact-us.
Controller is responsible for informing data subjects, via privacy notices or other means, that their personal data will be processed by Processor (as a processor on Controller's behalf) as part of the Services, and for obtaining any necessary consents or authority for the processing and international transfers. Processor will reasonably assist Controller in providing details about the processing (as set out in this Annex) for transparency to data subjects upon request.
ANNEX II
SECURITY MEASURES
MagicBlocks will implement the following categories of technical and organizational security measures (as updated or enhanced over time, but without material decrease in protection) to safeguard Customer Personal Data:
Product security
Production System User Review
MagicBlocks' information security officer reviews and approves the list of people with access to the production console annually.
Situational Awareness For Incidents
MagicBlocks maintains a record of information security incidents, their investigation, and the response plan that was executed, in accordance with the policy and procedure defined to report and manage incidents.
Data security
Identity Validation
MagicBlocks ensures that logical access provisioning to critical systems requires approval from authorized personnel on an individual need or for a predefined role.
Termination of Employment
MagicBlocks ensures logical access that is no longer required in the event of termination is made inaccessible in a timely manner.
Production Databases Access Restriction
MagicBlocks ensures that access to the production databases is restricted to only those individuals who require such access to perform their job functions.
Multi-factor Authentication
MagicBlocks requires that all staff members with access to any critical system be protected by a secure login mechanism such as multi-factor authentication.
User Privileges Reviews
MagicBlocks' senior management or the information security officer periodically reviews and ensures that access to the critical systems is restricted to only those individuals who require such access to perform their job functions.
User Access Reviews
MagicBlocks' senior management or the information security officer periodically reviews and ensures that administrative access to the critical systems is restricted to only those individuals who require such access to perform their job functions.
Encrypting Data At Rest
MagicBlocks has set up cryptographic mechanisms to encrypt all production database(s) that store customer data at rest.
Data Backups
MagicBlocks backs up relevant user and system data regularly to meet recovery time and recovery point objectives and verifies the integrity of these backups.
Transfer of PII
MagicBlocks ensures appropriate procedures are in place to ensure compliance with regulatory requirements related to the transfer of personal data outside of the region from which it is collected.
Network security
External System Connections
Every production host is protected by a firewall with a deny-by-default rule. A deny-by-default rule set is the default on MagicBlocks' cloud provider.
Transmission Confidentiality
MagicBlocks has set up processes to use standard encryption methods, including HTTPS with TLS, to keep transmitted data confidential.
App security
Conspicuous Link To Privacy Notice
MagicBlocks displays the most current information about its services on its website, which is accessible to its customers.
Unauthorized Activities
MagicBlocks uses Sprinto, a continuous monitoring system, to alert the security team to update the access levels of team members whose roles have changed.
Endpoint security
Malicious Code Protection (Anti-Malware)
Where applicable, MagicBlocks ensures that endpoints with access to critical servers or data are protected by malware-protection software.
Full Device or Container-based Encryption
Where applicable, MagicBlocks ensures that endpoints with access to critical servers or data are encrypted to protect against unauthorized access.
Endpoint Security Validation
MagicBlocks has set up measures to perform security and privacy compliance checks on the software versions and patches of remote devices prior to the establishment of the internal connection.
Session Lock
MagicBlocks ensures that endpoints with access to critical servers or data are configured to auto-screen-lock after 15 minutes of inactivity.
Endpoints Encryption
MagicBlocks requires that all critical endpoints are encrypted to protect them from unauthorized access.
Corporate security
Code of Business Conduct
MagicBlocks has a documented policy to define behavioral standards and acceptable business conduct.
Organizational Structure
MagicBlocks maintains an organizational structure to define authorities, facilitate information flow and establish responsibilities.
Roles & Responsibilities
MagicBlocks has established procedures to communicate with staff about their roles and responsibilities.
Competency Screening
MagicBlocks has procedures to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.
Personnel Screening
MagicBlocks has established procedures to perform security risk screening of individuals before authorizing access.
Security & Privacy Awareness
MagicBlocks provides information security and privacy training to staff that is relevant to their job function.
Performance Review
MagicBlocks requires that all employees in client serving, IT, Engineering, and Information Security roles are periodically evaluated regarding their job responsibilities.
Automated Reporting
MagicBlocks has provided information to employees, via various Information Security Policies/procedures, on how to report failures, incidents, concerns, or other complaints related to the services or systems provided by the entity in the event there are problems.
Incident Reporting Assistance
MagicBlocks has provided information to customers on how to report failures, incidents, concerns, or other complaints related to the services or systems provided by MagicBlocks in the event there are problems.
Risk Framing
MagicBlocks performs a formal risk assessment exercise annually, as per documented guidelines and procedures, to identify threats that could impair systems' security commitments and requirements.
Risk Assessment
Each risk is assessed and given a risk score in relation to the likelihood of it occurring and the potential impact on the security, availability, and confidentiality of the Company platform. Risks are mapped to mitigating factors that address some or all of the risk.
Fraud
MagicBlocks considers the potential for fraud when assessing risks. This is an entry in the risk matrix.
Third-Party Criticality Assessments
MagicBlocks performs a formal vendor risk assessment exercise annually to identify vendors that are critical to the systems' security commitments and requirements.
Assigned Cybersecurity & Privacy Responsibilities
MagicBlocks' Senior Management assigns the role of Information Security Officer who is delegated to centrally manage, coordinate, develop, implement, and maintain an enterprise-wide cybersecurity and privacy program.
Internal Audit using Sprinto
MagicBlocks uses Sprinto, a continuous monitoring system, to track and report the health of the information security program to the Information Security Officer and other stakeholders.
Management Review of Org Chart
MagicBlocks' senior management reviews and approves the organizational chart for all employees annually.
Management Review of Risks
MagicBlocks' senior management reviews and approves the "Risk Assessment Report" annually.
Management Review of Third-Party Risks
MagicBlocks' senior management reviews and approves the "Vendor Risk Assessment Report" annually.
Subservice organization evaluation
MagicBlocks reviews and evaluates all subservice organizations periodically, to ensure commitments to MagicBlocks' customers can be met.
Segregates Roles and Responsibilities
MagicBlocks' senior management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers.
Subprocessor Requirements
MagicBlocks ensures that appropriate remediation measures are in place when personal data is shared with vendors as a part of its processing activities.
Data Protection Impact Assessment (DPIA)
MagicBlocks conducts Data Protection Impact Assessments periodically in order to assess the regulatory risks associated with the processing of personal data.
EU Representative
MagicBlocks appoints an EU Representative to serve as a point of contact between EU authorities, data subjects and the organization.
Chief Privacy Officer (CPO)
MagicBlocks appoints a Privacy Officer to assess and facilitate MagicBlocks' compliance with relevant regulatory requirements.
Privacy Act Statements
MagicBlocks includes Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provides Privacy Act statements on separate forms that can be retained by individuals.
Asset Ownership Assignment
MagicBlocks has set up mechanisms to assign and manage asset ownership responsibilities and establish a common understanding of asset protection requirements.
Updates During Installations / Removals
MagicBlocks periodically updates and reviews the inventory of systems as a part of installations, removals, and system updates.
Inventory of Endpoint Assets
MagicBlocks develops, documents, and maintains an inventory of organizational endpoint systems, including all necessary information to achieve accountability.
MagicBlocks may update or enhance these measures from time to time, provided that such changes do not materially reduce the protection of Customer Personal Data. Controller is responsible for reviewing the information made available by MagicBlocks and determining that the security measures are appropriate for Controller’s needs and risks. Controller remains responsible for its own secure use of the Services, including protecting its account credentials, configuring the Services in a secure manner, and using available features (like access controls or encryption options) in accordance with best practices.
ANNEX III
CROSS BORDER TRANSFER MECHANISMS
This Annex addresses cross-border transfers of Customer Personal Data and details the application of the Standard Contractual Clauses which are incorporated into this Addendum as described below:
European Transfers
The parties agree that for personal data transferred from the European Economic Area (EEA) to a Processor in a third country (as defined by GDPR), the Controller (Customer) is the “data exporter” and the Processor (MagicBlocks) is the “data importer” for the purposes of the EU SCCs.
In relation to transfers of Customer Personal Data to which GDPR applies, the EU SCCs shall apply completed as follows:
- Module Two will apply;
- Clause 7 (Docking Clause): will apply;
- Clause 9 (Use of Sub-Processors): Option 2 (General Written Authorization) will apply and the time period for prior notice of sub-processors shall be as set out in clause 4 of the Addendum;
- Clause 11 (Redress): The optional language will not apply;
- Clause 17 (Governing law): The parties designate the laws of the Republic of Ireland to govern where the laws of the EU Member State in which the data exporter is established do not allow third-party beneficiary rights.
- Clause 18 (Choice of forum): Disputes shall be resolved before the courts of the EU Member State whose laws govern these EU SCCs.
The content of Annex I and II of this Addendum shall be considered as Annex IB (Description of Transfer) and Annex II (Technical and Organizational Measures) of the EU SCCs, respectively.
In particular:
Annex I.A (List of Parties):
Data exporter: Customer
Name: The Customer, as defined in the Terms and Conditions
Address: The Customer's address, as set out in any order form
Contact person’s name, position, and contact details, including email: The Customer’s contact details, as set out in any order form and/or as set out in the Customer’s MagicBlocks account
Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with the Customer’s use of the Services under the Terms and Conditions
Role (controller/processor): Controller
Data importer: MagicBlocks, Inc.
Name: MagicBlocks, Inc.
Address: Suite 225, 188 Valley St., Providence, RI 02909, USA
Contact person’s name, position, and contact details: Davin McPherson, Data Protection Officer, MagicBlocks, Inc., Suite 225, 188 Valley St., Providence, RI 02909, USA
Activities relevant to the data transferred under these Clauses: Processing of Controller Personal Data in connection with the Customer’s use of the Services under the Terms and Conditions
Role (controller/processor): Processor
Annex I.B (Description of Transfer): See Annex I of this Addendum for the categories of data subjects, data categories, special data (none anticipated), processing purposes, and transfer frequency (continuous, as needed during the term). The processing by the data importer is to provide the Services as described for the duration of the Terms and Conditions (plus retention period until deletion as per this Addendum).
Annex I.C (Competent Supervisory Authority): For data exporters established in an EU Member State: the supervisory authority of the Member State in which the data exporter is established (or where the representative is located, if applicable) will act as the competent authority. For exporters not established in the EU, the authority is that of the Republic of Ireland.
Annex II (Technical and Organizational Measures): The measures are set forth in Annex II of this Addendum, which the data importer attests are in place and applicable to the transferred data.
Annex III (List of Sub-Processors): A list of MagicBlocks' Subprocessors (including their functions and location) is available at List of Subprocessors which is incorporated into this Addendum.
If there is any conflict between the EU SCCs and any other provision of this Addendum or the Terms and Conditions, the EU SCCs will prevail to the extent of any conflict in relation to the transfer of Customer Personal Data from the EU.
In the event that MagicBlocks is required to adopt an alternative transfer mechanism under EU GDPR, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this Addendum (but only to the extent such alternative transfer mechanism complies with EU GDPR), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
UK Transfers
In relation to transfer of Customer Personal Data that are subject to UK GDPR from the United Kingdom to a country not deemed to provide an adequate level of protection, the EU SCCs will apply completed as noted in “European Transfers” above modified and interpreted in accordance with the UK Addendum which is hereby incorporated as set out below:
The parties agree the UK Addendum is completed as follows:
Table 1: The parties and their details are as set out in Annex I.A of “European Transfers” above.
Table 2: The EU SCCs version is the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as updated, amended or superseded from time to time).
Table 3: Appendix Information – The list of parties is as per Table 1. The description of transfer and technical and organizational measures are as set out in Annex I and Annex II of this Addendum (which correspond to Annex I.B and Annex II of the EU SCCs). The List of Subprocessors is the list of sub-processors.
Table 4: The Importer may end the Addendum as set out in Section 19.
In the event of conflict between the UK Addendum and any other provision of this Addendum, the UK Addendum shall prevail to the extent of any conflict in relation to the transfer of Customer Personal Data from the UK.
In the event of conflict between the EU SCCs and the UK Addendum, any conflict will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
Otherwise, the EU SCCs as modified by the Addendum will be the legal mechanism for UK-to-non-UK transfers.
In the event that MagicBlocks is required to adopt an alternative transfer mechanism under UK GDPR, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this Addendum (but only to the extent such alternative transfer mechanism complies with UK GDPR), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
Canadian and Australian Transfers
For Canada and Australia, the combination of this Addendum’s protections and adherence to the applicable laws' requirements (including obtaining consent for international transfers if required) will govern the transfers.