Safety & security at MagicSchool

Trust, Safety & Quality
>
Safety
Our commitment to safety and security

MagicSchool is committed to protecting the confidentiality, integrity, and availability of educator and student data through a comprehensive security program. Our security practices are designed to prevent unauthorized access, reduce risk, and support reliable service delivery for schools and districts. We implement layered administrative, technical, and physical safeguards—including access controls, encryption, monitoring, and vendor oversight—to help ensure data is protected throughout its lifecycle.

This section provides an overview of the security measures MagicSchool uses to maintain a safe and trusted platform for educational use.

Administrative safeguards

MagicSchool’s administrative safeguards consist of the policies, procedures, and organizational measures that govern how we manage, handle, and protect data across the organization.

These safeguards include:

Governance and accountability

  • We maintain documented security and privacy policies that define expectations for data protection.
  • Roles and responsibilities related to information security and privacy are clearly defined.
  • Leadership oversight ensures security and privacy considerations are incorporated into business and product decisions.

Risk management

  • Security and confidentiality risks are evaluated as part of product development, infrastructure selection, and vendor engagement.
  • Third-party service providers are reviewed for security and privacy practices prior to use.

Access management

  • Employee access to systems and data is limited based on job role and business need.
  • The principle of least privilege is enforced for administrative access.

Training and awareness

We provide ongoing training and awareness programs to ensure our employees understand their responsibilities in protecting educator and student data. Training reinforces privacy obligations, secure data handling practices, and incident awareness across the organization.

  • Employees receive regular training on data privacy laws, security best practices, and internal data protection policies.
  • Security awareness practices help employees recognize and report potential risks such as phishing, unauthorized access, or misuse of data.
  • Training is updated as needed to reflect evolving regulatory requirements and organizational standards.

Incident response

Our documented incident response procedures are designed to identify, respond to, and mitigate security incidents in a timely and coordinated manner. These procedures support rapid containment, investigation, and remediation to protect customer data and maintain service reliability.

  • Security events are evaluated promptly to determine scope, impact, and appropriate response actions.
  • Incidents are investigated and remediated through defined escalation and resolution processes.
  • Post-incident reviews help strengthen controls and reduce the likelihood of recurrence.
  • MagicSchool works with customers as appropriate to support transparency and contractual notification obligations.

Business continuity

Business continuity practices are designed to support platform availability and minimize disruption to educators and districts. These measures help ensure that critical services remain accessible during unexpected events, including infrastructure issues or operational disruptions.

  • Availability planning supports reliable service delivery for schools and districts.
  • Continuity processes are reviewed to reduce downtime and maintain operational resilience.

Disaster recovery

Our disaster recovery procedures support timely restoration of systems and data in the event of a major service disruption. These practices are designed to reduce the risk of data loss and ensure continuity of service.

  • Backup and recovery mechanisms support restoration of critical systems.
  • Disaster recovery processes are aligned with secure cloud infrastructure resiliency and redundancy measures.

Data governance

Our data governance practices are designed to reduce security risk by limiting unnecessary data exposure and ensuring data is handled responsibly throughout its lifecycle.

  • Data retention and deletion controls help minimize the amount of sensitive data stored over time.
  • Data is processed and maintained in accordance with documented customer instructions to support secure and authorized handling.

Technical safeguards

MagicSchool’s technical safeguards include system-level security controls and technologies to protect data and prevent unauthorized access. These measures help ensure the confidentiality, integrity, and availability of educator and student information across our platform.

Key technical safeguards include:

Encryption

  • Data is encrypted in transit and at rest using industry-standard encryption protocols.

Secure infrastructure

  • Data is hosted on reputable cloud infrastructure providers with built-in security controls.
  • Systems are designed to scale securely and reliably to support educator usage.

Authentication and authorization

  • Secure authentication mechanisms protect user and administrative accounts.
  • Role-based access controls restrict access to sensitive systems and data.

Monitoring and logging

  • Systems are monitored for availability, performance, and potential security events.
  • Logging and alerting mechanisms support the detection of anomalous or unauthorized activity.

Penetration testing

  • MagicSchool uses an automated monitoring service to perform continuous vulnerability scanning and engages an external firm to conduct annual penetration testing to identify any hidden vulnerabilities. 
  • The product engineering team promptly addresses any issues identified through a regular incident response and change management process.

System maintenance and change management

  • Software and infrastructure are maintained using secure configuration practices.
  • Updates and changes to production systems follow defined development and deployment processes to reduce risk.

Physical safeguards

MagicSchool is a cloud-based service, and physical safeguards are implemented through our trusted infrastructure partners. These safeguards help ensure that the facilities where data is stored and processed are protected against unauthorized physical access, environmental threats, and service disruption.

Key physical safeguards include:

Data center security

  • Data is stored in professionally managed, secure U.S.-based data centers with controlled physical access.
  • Facilities use layered security measures such as surveillance, access logging, and security monitoring.

Environmental protections

  • Climate controls, fire suppression systems, and power management safeguards protect infrastructure from physical hazards.

Availability and resilience

  • Redundant systems and geographic resiliency support high availability and reduce the risk of service interruption.

Backup and recovery

  • Backup and disaster recovery mechanisms help support data integrity and reduce the risk of data loss.

Security FAQs

Is MagicSchool SOC 2 certified?

MagicSchool’s security program is designed to align with SOC 2 Trust Services Criteria for Security. Our current SOC 2 Type II Report is available here.

Does MagicSchool conduct penetration testing?

Yes. Periodic security testing, which includes vulnerability assessments and third-party penetration testing, is conducted to evaluate system resilience and identify areas for improvement. Identified findings are remediated according to risk prioritization processes.

How are software vulnerabilities identified and addressed?

Vulnerabilities are identified through automated scanning, monitoring tools, internal reviews, and external testing. Issues are assessed based on severity and remediated according to defined timelines and risk management procedures.

Does MagicSchool support Single Sign-On (SSO)?

Where supported by district configuration, Single Sign-On (SSO) may be enabled to integrate with district identity providers. This helps districts maintain centralized identity and access management controls.

Does MagicSchool segregate customer data?

Logical controls are implemented to ensure appropriate segregation of customer environments and prevent unauthorized cross-access between accounts.

How does MagicSchool ensure secure development practices?

Secure development principles are incorporated into engineering workflows, including code review, testing, and change management controls designed to reduce the risk of introducing vulnerabilities.

TABLE OF CONTENTS
Safety FAQs

Can’t find what you’re looking for?

Our team is happy to help answer questions about privacy, security, or implementation.

Contact us
MagicSchool logo
THE AI OPERATING SYSTEM FOR SCHOOLS, TEACHERS ARE MAGIC and MAGICSCHOOL are trademarks of Magic School, Inc.
Book a demo
Free for teachers
AI Solutions
AI for Schools
For SuperintendentsFor Chief Academic OfficersFor Chief Technology OfficersFor Principals
AI for Teachers
Lesson Plan GeneratorRubric MakerPresentation GeneratorMultiple Choice Quiz MakerWorksheet Generator
AI for Students
Outcomes
Protect Privacy & SecurityDrive Student OutcomesBuild AI LiteracySave TimeIntegrate quicklyWrite AI Policy
Resources
SupportApp StatusProfessional DevelopmentCertification CoursesWebinarsBlogCase StudiesFAQs
Company
PricingAI PioneersCareersMagicSchool StoreMissionPress
Privacy PolicyTermsAccessibilitySustainability