// Trust & Security Report

    HeyAutofill, Inc. (dba Magical) logo

    HeyAutofill, Inc. (dba Magical)

    Two distinct product lines under one brand: (1) the original Magical browser extension for text expansion / autofill for individuals and teams, and (2) 'Magical Agentic AI' - a newer enterprise platform of specialized AI agents for healthcare operations (prior authorization, benefits verification, referrals, payment posting, revenue integrity, records requests) targeted at healthcare providers and payers.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    HeyAutofill (dba Magical) announced today that it has achieved SOC 2 Type II compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations also known as SSAE 18... audited by Prescient Assurance.

    Verify on trust.getmagical.com
    GDPR (contractual posture)
    HELD

    The DPA covers compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) and UK GDPR... Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Company is processing Personal Data for Customer as a processor. Company will attempt redirecting government data requests to the customer.

    Verify on getmagical.com
    > Show 7 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence. Neither trust.getmagical.com nor getmagical.com/trust list ISO 27001. Note: search results for 'Magic achieves SOC 2, ISO 27001, and HIPAA' refer to a DIFFERENT company, Magic Labs (magic.link, a Wallet-as-a-Service provider) - not Magical/getmagical.com. This is a name-collision risk; the ISO 27001 cert belongs to Magic Labs, not to this vendor.

    source: getmagical.com
    HIPAA
    NOT CONFIRMED

    CONTRADICTION FOUND: Marketing/trust page claims 'HIPAA compliant. Your patients' PHI stays protected' (getmagical.com/trust), and the current homepage is built entirely around healthcare-provider PHI workflows (prior authorization, benefits verification, claims, revenue cycle). However the vendor's own legal Data Processing Addendum states: 'Company's Terms forbid Customer from processing any data containing passwords, credit card information, Patient Health Information, personal identification numbers or other similar types of sensitive personal information.' No Business Associate Agreement (BAA) offering could be found on the vendor's site. Given the DPA explicitly prohibits PHI processing, HIPAA is graded not-held pending vendor clarification/BAA evidence.

    source: getmagical.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. The vendor's own DPA/ToS explicitly forbid customers from processing credit card information through the service, indicating cardholder data is out of scope by design rather than PCI-certified.

    source: getmagical.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR listing or self-assessment on the vendor's trust center or site.

    source: trust.getmagical.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; not mentioned anywhere on trust center or marketing pages.

    source: trust.getmagical.com
    ISO/IEC 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of these certifications on the vendor's own domain.

    source: getmagical.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of an AI-governance certification (ISO 42001 or equivalent) on the vendor's own domain.

    source: getmagical.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (AWS-hosted); Privacy Policy states data is 'stored on servers in various locations, including the United States' and may be accessed by U.S. government authorities under applicable law. OpenAI is listed as a subprocessor with data location San Francisco, CA.

    Contradiction between legal and marketing pages. The Privacy Policy reserves the right to 'develop new applications or other products or services, including to develop, train, optimize and improve artificial intelligence or machine learning algorithms' using collected data, with an opt-out only for a narrow 'Variable Content' feature (email help@getmagical.com). The Trust page instead states 'Our use of large language models prevents any training based on prior runs.' These two vendor-domain statements are not clearly reconciled; treat AI-training posture as unresolved/flagged rather than a clean no-training guarantee.

    // Security controls

    Encryption in transit

    HTTPS/TLS 1.2 for data transferred to Magical's platform.

    getmagical.com

    Encryption at rest

    AES-256; saved templates get an additional layer of encryption.

    getmagical.com

    SSO / MFA

    Supports single sign-on via SAML 2.0 and requires multi-factor authentication; every action captured in immutable audit logs.

    getmagical.com

    Penetration testing

    Annual third-party penetration tests conducted as part of SOC 2 Type II program.

    getmagical.com

    Local processing (legacy browser extension)

    For the original text-expansion/autofill product, keystrokes and template insertion are described as occurring locally in the browser and not leaving the user's computer.

    getmagical.com

    Backups

    Agentic AI product: full database backups daily, retained 31 days, point-in-time restore within 14 days. Text Expansion product: general/regional backups daily, retained 7 days.

    getmagical.com

    // Products & data scope

    Magical (browser extension - text expansion / autofill)Individual/team productivity automation

    data: Form data and text snippets typed/inserted in the browser; vendor states keystrokes and template insertion occur locally on the user's device.

    Original product; positioned as a lightweight Chrome-extension automation tool for individuals and small teams.

    Magical Agentic AI (Healthcare AI Agents)Enterprise AI agents for healthcare revenue-cycle and operations automation

    data: Operates across browser and desktop applications and a 'data graph' connecting healthcare data points across many backend systems (EHR, payer portals, etc.) for workflows such as prior authorization, benefits verification, referrals, payment posting, and revenue integrity.

    Current primary go-to-market focus (per homepage). Marketed with 'HIPAA compliant' language even though the vendor's own DPA prohibits processing Patient Health Information - see HIPAA flag.

    // What to watch

    • IDENTITY-CONFLATION RISK: Public search results for 'Magic + SOC 2 + ISO 27001 + HIPAA' actually describe Magic Labs (magic.link, a Wallet-as-a-Service provider), a completely different company from Magical/getmagical.com/HeyAutofill. Do not credit Magical with Magic Labs' ISO 27001 or A-LIGN attestation.
    • OVER-CLAIM / CONTRADICTION: getmagical.com/trust markets the product as 'HIPAA compliant' and the entire current homepage is built around healthcare-provider PHI workflows (prior auth, claims, revenue cycle), yet the vendor's own Data Processing Addendum (getmagical.com/legal/data-processing) explicitly states the Terms 'forbid Customer from processing any data containing ... Patient Health Information.' No BAA offering was found. This is a material, unresolved contradiction between legal terms and marketing/trust claims.
    • AI-TRAINING CONTRADICTION: Privacy Policy reserves rights to use data to 'train, optimize and improve' AI/ML models; the Trust page separately claims LLM usage 'prevents any training based on prior runs.' The two vendor statements are not reconciled.
    • Trust center page (trust.getmagical.com) SOC 2 announcement text contains boilerplate language describing the company as a 'cloud-based community management and virtual event platform,' which does not match Magical's actual product; this appears to be an uncorrected template artifact from the compliance-automation vendor (Drata/Prescient Assurance) rather than a substantive misstatement, but it does mean the SOC 2 report text itself is not company-specific and should be read with that caveat.
    • Subprocessor list is only partially captured (OpenAI confirmed); full list should be requested from the vendor before enterprise/healthcare procurement.
    • No ISO 27001, CSA STAR, FedRAMP, or AI-governance (ISO 42001) certifications found; positioning as an enterprise healthcare vendor exceeds its current formal certification footprint.

    // At a glance

    Pricing model

    Not fully disclosed; consumer/team text-expansion product historically offered free/paid tiers, enterprise Healthcare AI Agents product is sold via 'Book a demo' / custom contract.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on HeyAutofill, Inc. (dba Magical)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.getmagical.com

    > Browse all vendor trust reports