Our commitment to transparency, security, and regulatory adherence.
MagicPassword.io is operated by a duly registered legal entity in the Netherlands. The following information is provided in accordance with Dutch commercial law and EU transparency requirements for digital service providers.
Sms Password Bv is registered with the Dutch Chamber of Commerce (Kamer van Koophandel, KvK) under company number 62832123. As a Netherlands-based Besloten Vennootschap, we operate under the authority of Dutch corporate law, the Dutch Civil Code (Burgerlijk Wetboek), and relevant EU directives applicable to digital service providers and data processors.
We are not currently required to hold a specific financial services license, banking license, or payment institution authorization under Dutch or EU law, as MagicPassword is a software-as-a-service (SaaS) platform focused on secret management, password generation, and access control rather than financial intermediation, payment processing, or investment services. Our services do not involve the holding of client funds, the issuance of electronic money, or the execution of payment transactions as defined under the Payment Services Directive 2 (PSD2).
We maintain ongoing legal review to assess whether changes in our product scope or regulatory environment trigger additional licensing requirements. Should our service offerings expand to include regulated activities, we will obtain the necessary authorizations prior to launch and update this page accordingly.
As a company established in the European Union and offering services to individuals within the EU and beyond, Sms Password Bv is subject to the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). We take our obligations under the GDPR seriously and have implemented a comprehensive data protection program.
Our GDPR compliance measures include, but are not limited to: maintaining a Record of Processing Activities (ROPA); conducting Data Protection Impact Assessments (DPIAs) for high-risk processing; implementing Privacy by Design and Default principles in our engineering workflow; appointing a Data Protection Officer (DPO) function; establishing data subject rights request procedures; and maintaining processor agreements with all third-party vendors who may access personal data on our behalf.
We process personal data primarily for the purposes of account management, service delivery, security monitoring, and customer support. Where we rely on legitimate interests as our legal basis, we have documented our balancing tests and made them available upon request. Where consent is required, we obtain it through clear, affirmative actions and maintain records of consent in accordance with Article 7 GDPR.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on data subjects. Any profiling we conduct is limited to service optimization and fraud prevention, with appropriate safeguards in place.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, and will communicate to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
We are actively working toward SOC 2 Type II attestation. Our security program is built on the Trust Services Criteria defined by the AICPA: Security, Availability, Processing Integrity, Confidentiality, and Privacy. We have engaged an independent third-party auditor to assess our controls and expect to publish our SOC 2 report upon completion of the observation period.
Our internal security framework incorporates ISO/IEC 27001:2022 principles, including risk assessment and treatment, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition and development, supplier relationships, incident management, business continuity, and compliance monitoring. While we are not yet formally certified under ISO 27001, we have mapped our controls to Annex A and are evaluating formal certification as a 2026 initiative.
All data in transit is protected using TLS 1.3 with modern cipher suites. Data at rest is encrypted using AES-256. Encryption key management follows the principle of least privilege, with keys stored in hardware security modules (HSMs) or equivalent cloud-native key management services that meet FIPS 140-2 Level 2 or higher standards.
We are committed to making our digital services accessible to all users, including those with disabilities. Our design system follows the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards. We conduct regular automated and manual accessibility audits and remediate identified issues according to a defined priority matrix.
We do not discriminate on the basis of race, color, religion, gender, sexual orientation, national origin, age, disability, or any other protected characteristic in the provision of our services or in our employment practices. Our equal opportunity policy applies to all aspects of our business.
All trademarks, service marks, logos, trade names, and other source identifiers used on this website are the property of Sms Password Bv or its licensors. Unauthorized use of any MagicPassword trademarks is strictly prohibited. Our software products are protected by copyright law and international treaties. We enforce our intellectual property rights through civil remedies and, where appropriate, referral to law enforcement authorities.
We respect the intellectual property rights of others. If you believe that your copyright or trademark has been infringed through our platform, please contact us at hi@magicpassword.io with a detailed notice including the specific material at issue, your contact information, and a good-faith statement regarding the accuracy of your claim.
Sms Password Bv is registered for Value Added Tax (VAT) in the Netherlands. Where we provide taxable digital services to consumers in the EU, we comply with the VAT Mini One Stop Shop (MOSS) regime or its successor, the One Stop Shop (OSS), for the declaration and payment of VAT. Business customers within the EU may be subject to reverse-charge VAT treatment where valid VAT identification numbers are provided.
For customers outside the EU, local tax obligations may apply depending on the jurisdiction. We recommend that customers consult with local tax advisors to determine their obligations.
We endeavor to resolve all disputes amicably and in good faith. In the event that a dispute cannot be resolved through direct negotiation, the parties agree to attempt mediation under the rules of the Netherlands Mediation Institute (NMI) before commencing litigation. Should litigation prove necessary, the competent courts shall be those of Amsterdam, the Netherlands, and the dispute shall be governed by the laws of the Netherlands.
Nothing in this section prevents either party from seeking urgent injunctive or interim relief from a court of competent jurisdiction where necessary to prevent irreparable harm.
We review and update our compliance disclosures regularly to reflect changes in our business, our regulatory environment, and our security posture. The date of the most recent update will be indicated at the bottom of this page. We encourage users to review this page periodically.
Last updated: May 28, 2026.