Enterprise-Grade Security

Security & Compliance

Your data security is our top priority. Magia Menu is built with enterprise-grade security and compliance with international standards.

Scope & Responsibility

Magia Menu is responsible for specific security areas, while venues manage their own operations.

Magia Menu Responsibilities

  • Platform infrastructure and API security
  • User account protections and authentication
  • Payment processing integration (via PCI-compliant providers)
  • Application-level security controls
  • Incident monitoring and response

Venue Responsibilities

  • Their own admin account security
  • Staff access management
  • Local network security
  • Payment terminal security (if applicable)
  • Customer data handling compliance

Evidence & Artifacts

We can provide security documentation and compliance evidence upon request.

Certifications & Policies

Compliance Standards

GDPR

Full compliance with EU General Data Protection Regulation

Data Retention

Clear policies on how long we keep your data

PCI DSS

Payment data handled by certified Level 1 processor (Iyzico)

TLS 1.3

All data encrypted in transit with latest protocols

PCI DSS SAQ-A Model

Magia Menu uses the SAQ-A compliance model to fully outsource payment processing to PCI DSS certified third-party providers.

How It Works

  1. Card data goes directly to the payment provider
  2. Magia Menu servers never see or store card numbers
  3. All payment transactions happen in the provider's secure environment
  4. Only transaction references (tokens) are kept in our system

Our Payment Providers

We work with Iyzico and other regional PCI DSS compliant providers.
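The SAQ-A model above depends on step 4 holding in practice: the only thing our side persists is the provider's token, never a card number. The following added example (not Magia Menu's or Iyzico's code; the record shape, the token format and the test card number are constructed for illustration) shows a defensive guard a server can apply to any field it is about to store, refusing values that contain a Luhn-valid 13 to 19 digit run so a misrouted PAN is rejected instead of written to the database.

```python
"""Guard that keeps raw card numbers out of our storage under SAQ-A.

Added example, not Magia Menu's or Iyzico's code. The payment record shape
and the token format are assumptions; the sample card number is constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(value: str) -> bool:
    """True if the value contains a Luhn-valid 13-19 digit run (a likely card number)."""
    for match in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def record_payment(order_id: str, provider_reference: str, amount_minor: int) -> dict:
    """Build the only payment record we persist: a provider token, never card data."""
    for name, value in (("order_id", order_id), ("provider_reference", provider_reference)):
        if contains_pan(value):
            raise ValueError(f"{name} looks like a card number; refusing to store it")
    return {
        "order_id": order_id,
        "provider_reference": provider_reference,  # assumed token format, e.g. "tok_..."
        "amount_minor": amount_minor,
    }


if __name__ == "__main__":
    print(record_payment("ord-42", "tok_a1b2c3", 1999))
    try:
        record_payment("ord-42", "4111 1111 1111 1111", 1999)  # constructed test number
    except ValueError as exc:
        print("rejected:", exc)
```

The Luhn check keeps false positives low (random digit runs such as order numbers pass only one time in ten), while anything that really is a card number is refused before it can reach storage or logs.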

GDPR Roles

Data Controller

Magia Menu acts as a data controller for the data it processes to provide platform services. In that role we determine how user data is processed.

Data Processor

When processing order data on behalf of venues, we act as a data processor executing the venue's instructions.

Data Processing Addendum

For business accounts, we provide comprehensive Data Processing Agreements that meet GDPR requirements.

Data Subject Rights

Under GDPR, you have comprehensive rights regarding your data.

Note: SLA times shown are our internal targets. The GDPR statutory maximum is 30 days for all DSAR requests, extendable to 90 days for complex cases.

Right of Access

30 days (statutory)

Request a copy of all data about you

Right to Rectification

7 days (target)

Request correction of incorrect data

Right to Erasure

30 days (statutory)

Request deletion of your data

Data Portability

30 days (statutory)

Receive your data in machine-readable format

How to Make a Request

You can submit requests through your profile settings in the app or by emailing magiamenu@gmail.com.

Security Practices

We implement security measures based on OWASP principles and industry best practices.

Note: We are stating that we adopt security practices based on industry-recognized methodologies, not claiming any official certification.

Authentication

  • JWT tokens in httpOnly cookies
  • OAuth 2.0 for social login
  • Secure session management

Data Protection

  • TLS 1.3 encryption in transit
  • AES-256 for data at rest
  • Field-level encryption for PII

API Security

  • Rate limiting on authentication
  • Input validation
  • CORS protection

Protection Measures

How We Protect Your Data

Encrypted Data Storage

All data is encrypted at rest using AES-256 encryption. Your information is protected even in storage.

TLS 1.3 Encryption

All data in transit is protected with the latest TLS 1.3 encryption protocol.

Access Controls

Role-based access control ensures only authorized personnel can access sensitive data.

Regular Backups

Automated daily backups with 30-day retention ensure your data is never lost.

24/7 Monitoring

Continuous security monitoring and instant alerts for any suspicious activity.

Incident Response

Dedicated security team with documented incident response procedures.

Access Control System

Magia Menu uses a flexible role-based access control (RBAC) system where venues can define custom roles tailored to their needs.

Platform Roles

Owner

Full access to venue management, staff, settings, reports, and billing

Guest

Can browse menus, place orders, and view own order history

Custom Venue Roles

Venue owners can create unlimited custom roles with granular permissions. Examples:

  • Manager - full venue access except billing
  • Waiter - orders and tables
  • Chef - kitchen orders only
  • Designer - branding settings only
  • Cashier - payments and receipts

All permission changes are logged for security audit.
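The access model described above has three parts: a fixed Owner role with full access, owner-defined custom roles built from granular permissions, and an audit record for every permission change. The added example below (not Magia Menu's code; the permission vocabulary, role names and audit record format are assumptions made for the demo) shows one way to implement that model with deny-by-default checks, so a user with no role, or a role that was never defined, gets nothing.

```python
"""Venue-scoped RBAC with owner-defined custom roles and an audit trail.

Added example, not Magia Menu's own code. The permission vocabulary, the
role names and the audit record format are assumptions made for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed permission vocabulary: fine-grained actions a role may grant.
ALL_PERMISSIONS = frozenset({
    "venue:manage", "staff:manage", "settings:edit", "reports:view",
    "billing:manage", "orders:manage", "tables:manage", "kitchen:view",
    "branding:edit", "payments:take", "receipts:issue",
})


@dataclass
class AuditEvent:
    at: str      # ISO-8601 UTC timestamp
    actor: str   # user who made the change
    action: str  # "role.define" or "role.assign"
    target: str  # role or user affected
    detail: str


@dataclass
class VenueAccessControl:
    venue_id: str
    owner: str
    roles: dict = field(default_factory=dict)        # role name -> frozenset of permissions
    assignments: dict = field(default_factory=dict)  # user id -> role name
    audit_log: list = field(default_factory=list)

    def _record(self, actor: str, action: str, target: str, detail: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, target, detail))

    def define_role(self, actor: str, name: str, permissions) -> None:
        """Create or replace a custom role. Only the venue owner may do this."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.venue_id}")
        perms = frozenset(permissions)
        unknown = perms - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.roles[name] = perms
        self._record(actor, "role.define", name, ",".join(sorted(perms)))

    def assign(self, actor: str, user: str, role: str) -> None:
        """Give a staff member a role; assignments are audited too."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.venue_id}")
        if role not in self.roles:
            raise ValueError(f"no such role: {role}")
        previous = self.assignments.get(user, "<none>")
        self.assignments[user] = role
        self._record(actor, "role.assign", user, f"{previous} -> {role}")

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: unknown users and undefined roles get nothing."""
        if user == self.owner:
            return True  # the Owner role has full access, including billing
        role = self.assignments.get(user)
        if role is None:
            return False
        return permission in self.roles.get(role, frozenset())


def build_demo_venue() -> VenueAccessControl:
    """Set up roles matching the examples in the text (constructed sample data)."""
    acl = VenueAccessControl(venue_id="venue-demo", owner="alice")
    acl.define_role("alice", "Manager", ALL_PERMISSIONS - {"billing:manage"})
    acl.define_role("alice", "Waiter", {"orders:manage", "tables:manage"})
    acl.define_role("alice", "Chef", {"kitchen:view"})
    acl.assign("alice", "bob", "Manager")
    acl.assign("alice", "carol", "Waiter")
    return acl


if __name__ == "__main__":
    acl = build_demo_venue()
    print("bob billing:", acl.is_allowed("bob", "billing:manage"))    # False
    print("carol orders:", acl.is_allowed("carol", "orders:manage"))  # True
    for ev in acl.audit_log:
        print(ev.at, ev.actor, ev.action, ev.target, ev.detail)
```

Because every role and assignment change passes through `_record`, the audit log answers the questions a security review asks: who granted which permissions, to whom, and when.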

Backup & Disaster Recovery

RPO (Recovery Point Objective)

24 hours

Maximum data loss is bounded by the daily backup interval

RTO (Recovery Time Objective)

4 hours

Target time to restore service after disaster

Backup Schedule

Type              Schedule                 Retention   Encrypted
Daily Backups     03:00 UTC                30 days
Weekly Backups    Sundays 04:00 UTC        12 weeks
Monthly Backups   1st of month 05:00 UTC   3 months

Recovery Testing

Backup integrity is verified during creation. Full restore testing is performed before major updates.

Payment Security

We never store your payment card details. All payment processing is handled by our PCI DSS Level 1 certified provider (Iyzico).

Security Questions?

If you have any security concerns or want to report a vulnerability, our security team is here to help.
