Security

Your Data, Protected

MagicReply is built with security at its foundation. From OAuth-only authentication to encrypted storage and GDPR-aware practices, we take the protection of your business data seriously.

OAuth 2.0 Only
Encrypted at Rest
TLS 1.2+ Everywhere
No Passwords Stored

Data Handling

MagicReply is designed with data protection at its core. We follow industry best practices to ensure your business data is handled securely at every step.

  • MagicReply connects to Google Business Profile via Google's official API using OAuth 2.0 -- we never see or store your Google password
  • Review data is stored in MongoDB with encryption at rest, ensuring your data is protected even at the storage layer
  • All traffic between your browser, our servers, and third-party APIs is encrypted via TLS 1.2+
  • No passwords are stored in our system -- authentication is handled entirely through Google OAuth
  • AI-powered reply generation sends review text to Anthropic's Claude API; review content is not retained by the AI provider after processing

Authentication & Access

We implement multiple layers of authentication and access control to protect your account and business data.

  • JWT Authentication:Token-based authentication with version tracking to allow instant session invalidation when needed
  • Refresh Token Rotation:Refresh tokens are rotated on every use, limiting the window of exposure if a token is compromised
  • Role-Based Access Control:Three distinct roles -- Owner, Manager, and Responder -- ensure team members only access what they need
  • Secure Team Invitations:Team invitation tokens expire automatically, preventing stale invitations from being used

Data Retention

We believe you should have full control over your data. Google remains the source of truth for your reviews, and you can remove your data from MagicReply at any time.

  • Reviews are synced from Google Business Profile -- Google is always the authoritative source
  • Users can delete their account and all associated data at any time from their account settings
  • When a business location is removed from MagicReply, all associated review data and AI-generated responses are deleted
  • We do not retain data beyond what is necessary to provide the service

Infrastructure

MagicReply runs on secure, dedicated infrastructure with multiple layers of protection.

  • Dedicated Servers:Hosted on dedicated server infrastructure, not shared hosting -- your data is isolated and protected
  • Cloudflare Protection:All traffic is routed through Cloudflare for CDN caching, DDoS mitigation, and Web Application Firewall (WAF) protection
  • Regular Backups:Automated backups ensure data can be recovered in the event of an incident
  • Rate Limiting:All API endpoints are rate-limited to prevent abuse and ensure fair access for all users

Compliance

MagicReply is built with regulatory awareness and platform compliance in mind.

  • GDPR-Aware:We support EU data subject rights including access, correction, deletion, and data portability requests
  • Google API Compliant:Our use of the Google Business Profile API is fully compliant with Google's Terms of Service and API usage policies
  • No Data Sales:We never sell your personal information or business data to third parties, period
  • Third-Party Processing:AI processing partners (Anthropic) are contractually bound to not retain or train on your data

Questions About Security?

We take the security of your data seriously. If you have questions about our security practices or need more information, we are happy to help.

Try MagicReply Free Contact Us