Data Security and PCI Compliance Statement
This statement explains how mag.online (“Platform”) safeguards the security of payment information and complies with relevant data security standards. The Platform is operated by Online Payment Solutions OÜ (registration number 17449916), a private limited company registered in Estonia, with registered address at Harju maakond, Tallinn, Kesklinna linnaosa, Vesivärava tn 50‑201, 10152, Estonia (“we”, “us”, “our”).
1. Payment data processing and PCI DSS
1.1. We do not store, process or transmit full payment card numbers or card verification codes on our servers. All payments on the Platform are processed by licensed third‑party payment service providers (our “Payment Processors”) such as Stripe, PayPal, Adyen, Checkout.com and Mollie. These providers are certified as PCI DSS Level 1 service providers, the highest level of compliance recognised by the payment card industry.
1.2. When you enter payment details on the Platform, your information is transmitted directly to the Payment Processor via secure, encrypted connections (Transport Layer Security/TLS). Our servers only receive a token or encrypted reference that allows us to identify your payment method and monitor transaction status without exposing your sensitive card data.
2. Data security controls
2.1. We implement a range of technical and organisational measures to protect personal data, including:
(a) Using HTTPS/TLS encryption on all web and mobile communications;
(b) Strict access controls and authentication for staff and contractors, including two‑factor authentication where practical;
(c) Segregation of environments (development, staging and production) and minimum‑privilege access policies;
(d) Regular security monitoring, vulnerability assessments and penetration tests;
(e) Employee training on data protection, confidentiality and phishing awareness;
(f) Incident response procedures to contain and remediate any suspected data breach.
2.2. We maintain logs of access to sensitive systems and review them periodically for suspicious activity.
3. Compliance with data protection laws
3.1. We comply with the General Data Protection Regulation (GDPR), the ePrivacy Directive and other applicable data protection laws. Our Privacy Policy sets out how we collect, use and share personal data.
3.2. We conduct data protection impact assessments (DPIAs) where appropriate, particularly when introducing new features that involve processing sensitive or payment data.
4. Third‑party providers
4.1. We select our Payment Processors and other service providers based on their security certifications and compliance with industry standards. We enter into data processing agreements requiring them to implement appropriate security measures and to process personal data only for the specified purposes.
4.2. We regularly review the performance and security posture of our providers.
5. Reporting security concerns
5.1. If you have discovered a vulnerability or security issue relating to the Platform, please contact us at support@mag.online with a detailed description. We will investigate and address any reported issues promptly.
6. Changes to this statement
6.1. We may update this Data Security and PCI Compliance Statement from time to time. We will notify you by updating the “Effective from” date or by posting a notice on the Platform. Continued use of the Platform constitutes acceptance of the updated statement.
Last updated: 6 March 2026