Completix

DPA

LEGAL

Data Processing Agreement

This Data Processing Agreement governs the processing of personal data by Completix on behalf of a customer in connection with the Completix project and portfolio management platform. It is entered into pursuant to Article 28 of the GDPR and forms part of the terms governing the provision of the Completix services. Where this DPA conflicts with the principal agreement, this DPA prevails on data protection matters.

This is the standard version of the DPA offered to Completix customers. To execute a signed copy referencing your organisation and effective date, contact [email protected].

ControllerThe client organisation identified in the applicable order form or principal agreement ("Client" or "Controller")
ProcessorCompletix Inc., a corporation incorporated in Ontario, Canada ("Completix" or "Processor")
Version2.0, July 2026
Governing LawProvince of Ontario, Canada
Jump to a section within this document

1. Definitions

In this Agreement, the following terms have the meanings set out below.

"Applicable Data Protection Laws" means the GDPR, the UK GDPR (as retained in UK law), PIPEDA, the Ontario Electronic Commerce Act, and any other applicable data protection or privacy legislation as amended from time to time.

"Controller" means the entity that determines the purposes and means of the processing of personal data. In this Agreement, the Controller is the Client.

"Data Subject" means an identified or identifiable natural person whose personal data is processed under this Agreement.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

"Processor" means the entity that processes personal data on behalf of the Controller. In this Agreement, the Processor is Completix Inc.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, or deletion.

"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation, as defined in Article 9 GDPR.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision of 4 June 2021 (2021/914/EU).

"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

"Technical and Organisational Measures" or "TOMs" means the security and organisational measures described in Annex III of this Agreement.

2. Subject Matter and Duration

2.1 This Agreement governs the processing of personal data by Completix on behalf of the Client solely for the purpose of providing the Services, as further described in Annex I.

2.2 This Agreement commences on the Effective Date and continues for the duration of the Services or until terminated in accordance with the principal agreement or this DPA. Upon termination, the obligations in Section 13 (Data Return and Deletion) survive.

3. Nature and Purpose of Processing

3.1 The Client acts as data controller and determines the purposes and means of processing personal data within the Services. The Client is responsible for ensuring it has a lawful basis under Applicable Data Protection Laws for the processing it instructs Completix to perform.

3.2 Completix acts as data processor and shall process personal data solely on documented instructions from the Client, which may be given: (a) through the Client's use and configuration of the Services; (b) through the principal agreement or this DPA; or (c) through written communications from authorised Client representatives.

3.3 If Completix considers that an instruction infringes Applicable Data Protection Laws, Completix shall inform the Client without delay. Completix shall not be obliged to follow such an instruction until the Client has confirmed or modified it.

3.4 If Completix is required by Union or Member State law to process personal data other than on the Client's instructions, Completix shall inform the Client of that legal requirement before processing, unless prohibited by law.

4. Categories of Data and Data Subjects

4.1 The categories of personal data processed under this Agreement are set out in Annex I. These may include:

  • Business contact details (name, corporate email address, optional business phone number)
  • User account and profile information
  • Authentication and access control data
  • Project-related content, files, tasks, time entries, metadata, and audit logs created by or for the Client within the Services

4.2 The categories of data subjects include the Client's employees, contractors, consultants, and other authorised users of the Services, as identified in Annex I.

4.3 The Services are not intended for the processing of Special Categories of Personal Data under Article 9 GDPR or criminal conviction and offence data under Article 10 GDPR. The Client shall not submit such data to the Services unless expressly agreed in a separate written addendum to this Agreement.

5. Processor Obligations

In accordance with Article 28(3) GDPR, Completix shall:

5.1 Process only on instructions

Process personal data only on documented instructions from the Client as described in Section 3.2, and not for Completix's own purposes, unless required by Union or Member State law.

5.2 Confidentiality

Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations, whether by contract, professional duty, or statutory obligation, and that access is limited to those who need to process personal data to perform the Services.

5.3 Security

Implement and maintain the Technical and Organisational Measures set out in Annex III to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of data subjects.

5.4 Sub-processing

Not engage sub-processors without prior specific or general written authorisation from the Client. The parties agree that, as at the Effective Date, the Client provides general authorisation for the sub-processors listed in Annex II. Completix shall inform the Client of any intended changes to sub-processors in accordance with Section 6.

5.5 Assist with Data Subject Rights

Taking into account the nature of the processing and to the extent technically feasible, provide reasonable assistance to the Client in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws (including Articles 15 to 22 GDPR: access, rectification, erasure, restriction, portability, and objection). Such assistance shall be limited to personal data processed under this Agreement.

5.6 Assist with Security, Breach Notification, DPIA, and Prior Consultation

Assist the Client in ensuring compliance with the obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to Completix, including:

  • Security of processing (Art. 32)
  • Notification of personal data breaches to supervisory authorities (Art. 33)
  • Communication of personal data breaches to data subjects (Art. 34)
  • Data protection impact assessments (Art. 35)
  • Prior consultation with supervisory authorities (Art. 36)

5.7 Deletion or Return

At the choice of the Client, delete or return all personal data to the Client after the end of the provision of the Services, and delete existing copies, unless Union or Member State law requires storage of the personal data. See Section 13.

5.8 Demonstrate Compliance

Make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits and inspections conducted by the Client or its mandated auditor in accordance with Section 12.

5.9 Data Minimisation

Process only the minimum amount of personal data necessary for the purpose of providing the Services, and design and operate the Services in accordance with the principles of data protection by design and by default (Article 25 GDPR).

6. Sub-processing

6.1 The Client grants general authorisation to Completix to engage the sub-processors listed in Annex II to this Agreement as at the Effective Date. The current sub-processor list is also maintained and published at completix.com/legal/privacy-policy.

6.2 Completix shall:

  • Maintain an up-to-date list of authorised sub-processors
  • Impose on each sub-processor data protection obligations equivalent to those imposed on Completix under this Agreement, by written contract
  • Notify the Client of any intended addition, replacement, or removal of sub-processors with at least fifteen (15) days' prior written notice
  • Remain fully liable to the Client for the performance of each sub-processor's data protection obligations

6.3 The Client may object to a proposed change to the sub-processor list within fifteen (15) days of notification by providing written notice to Completix. The parties shall use reasonable efforts to resolve the objection. If the parties cannot agree within a further fifteen (15) days, either party may terminate the Services upon written notice, and Completix shall provide a pro-rata refund of pre-paid fees for the period following termination.

7. Data Residency and Architecture

7.1 By default, personal data is hosted in Microsoft Azure US East (Virginia, United States), including the frontend application, backend services, and database (CosmosDB). Azure Monitor and Application Insights for logging operate in the same region.

7.2 A shared identity and access-control backend operates exclusively in Azure US East and contains only the minimal authentication and authorisation data required to operate the Services, logically segregated from client-specific project data.

7.3 Under an Enterprise Agreement, Completix may provision a region-specific deployment in a non-US Azure region at the Client's written request, subject to commercial agreement and technical feasibility. The identity backend will continue to operate in US East in all configurations unless otherwise agreed in writing.

8. International Data Transfers

8.1 Canada. Completix is incorporated and operates in Ontario, Canada. Canada has received an adequacy decision from the European Commission for organisations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Transfers of personal data from the EU/EEA to Completix in Canada are therefore lawful under Article 45 GDPR without additional transfer safeguards.

8.2 Onward transfers to US sub-processors. Personal data may be transferred from Completix to sub-processors located in the United States (as listed in Annex II). Such transfers are subject to the 2021 EU Commission Standard Contractual Clauses (Decision 2021/914/EU), incorporated into Completix's agreements with each US sub-processor. Module 2 (Controller to Processor) applies where the sub-processor acts as Completix's processor. Module 1 (Controller to Controller) applies where a sub-processor, such as Stripe for fraud prevention, acts as an independent controller. Completix maintains evidence of SCC acceptance in its Sub-processor SCC Confirmation Record.

8.3 The Client warrants that it has identified an appropriate legal basis and transfer mechanism for any personal data it transfers from the EU/EEA to Completix for processing under this Agreement, and that such transfer is lawful.

9. Security (Article 32 GDPR)

9.1 Completix shall implement and maintain Technical and Organisational Measures as described in Annex III to ensure a level of security appropriate to the risk, including, as appropriate:

  • Pseudonymisation and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures

9.2 When assessing the appropriate level of security, Completix shall take account of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

10. Personal Data Breach Notification

10.1 Completix shall notify the Client without undue delay and no later than seventy-two (72) hours after becoming aware of a personal data breach affecting personal data processed under this Agreement.

10.2 Notification shall include, to the extent known at the time:

  • A description of the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records affected
  • The name and contact details of the data protection contact at Completix
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

10.3 Where complete information is not available at the time of initial notification, Completix shall provide further information as it becomes available, without undue delay.

10.4 Completix shall cooperate with the Client and provide reasonable assistance in relation to any breach notification obligations the Client may have to supervisory authorities and data subjects.

11. Records of Processing Activities

11.1 Completix shall maintain records of all categories of processing activities carried out on behalf of the Client as required by Article 30(2) GDPR, and shall make such records available to the Client or to any supervisory authority on request.

11.2 Completix maintains a Record of Processing Activities (RoPA) covering its processor activities, which is updated when processing activities change materially.

12. Audit Rights (Article 28(3)(h) GDPR)

12.1 Completix shall make available to the Client all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Client or a mandated third-party auditor, subject to the conditions in this Section.

12.2 Audits shall:

  • Be conducted no more than once per calendar year unless legally required otherwise or following a confirmed personal data breach
  • Require at least thirty (30) calendar days' prior written notice to Completix
  • Be limited to documentation reviews, written questionnaires, or remote assessments unless otherwise required by a supervisory authority
  • Exclude access to source code, proprietary systems, other customers' data, or underlying cloud infrastructure beyond published compliance documentation
  • Be subject to confidentiality obligations at least equivalent to those set out in the principal agreement

12.3 Completix may satisfy audit obligations in relation to sub-processors, including Microsoft Azure, through the provision of current third-party certifications, audit reports, SOC 2 reports, ISO 27001 certificates, and compliance documentation.

12.4 Unless otherwise required by applicable law or a supervisory authority, audits shall be conducted at the Client's expense.

13. Data Return and Deletion

13.1 Upon termination or expiry of the Services, or at the Client's written request at any time, Completix shall, at the Client's choice:

  • Return all personal data to the Client in a machine-readable format, or
  • Securely delete or destroy all personal data

13.2 Completix shall complete the return or deletion within thirty (30) calendar days of the Client's request or the termination date, whichever is earlier, and shall provide written confirmation to the Client upon completion, unless Union or Member State law requires continued storage.

13.3 Personal data contained in system backups shall be overwritten in accordance with Completix's standard backup retention schedules, maximum ninety (90) days for operational backups. Backup copies shall not be used for operational processing and shall be deleted in due course as the backup rotation cycle progresses.

13.4 Completix shall ensure that sub-processors are subject to equivalent deletion or return obligations in their contracts with Completix.

14. Liability

14.1 Each party's liability to the other under or in connection with this Agreement, whether arising in contract, tort, breach of statutory duty, or otherwise, shall be subject to the liability limitations set out in the principal agreement.

14.2 Each party shall be responsible for damages caused by a breach of its own obligations under this Agreement. Where both parties are responsible for the same damage, each party shall be liable only for the portion of damage attributable to it.

14.3 Completix shall not be liable for processing carried out on the Client's instructions where those instructions are later found to be unlawful, provided Completix notified the Client of its concern in accordance with Section 3.3.

15. Governing Law and Dispute Resolution

15.1 This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein.

15.2 Any dispute arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Ontario, Canada, save where a supervisory authority or court of competent jurisdiction in the EU/EEA is entitled to exercise jurisdiction.

16. General

16.1 This Agreement, together with the Annexes, constitutes the entire agreement between the parties with respect to the processing of personal data and supersedes all prior agreements and understandings relating to data protection.

16.2 Any amendment to this Agreement must be made in writing and signed by authorised representatives of both parties.

16.3 If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

16.4 Neither party may assign its rights or obligations under this Agreement without the prior written consent of the other party, except that Completix may assign this Agreement to a successor entity in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the successor entity is bound by this Agreement.

Annex I: Description of Processing

GDPR Article 28(3), subject matter, nature, purpose, and duration.

Subject MatterProcessing of personal data in connection with the provision of Completix's B2B project and portfolio management platform and related services (the "Services").
Nature of ProcessingStorage, retrieval, organisation, analysis, and deletion of personal data as part of the operation and delivery of the Services. Processing is performed on documented instructions from the Controller (Client).
PurposeTo enable the Client and its authorised users to create, manage, and collaborate on projects, tasks, files, and related work items within the Completix platform; to authenticate authorised users; to deliver transactional system notifications; and to provide customer support.
DurationFor the duration of the Services as defined in the principal agreement, plus such additional period as required for secure deletion in accordance with Section 13 of this Agreement.
Data Residency (default)Microsoft Azure US East (Virginia, United States). Enterprise customers may request alternative regional deployments.

Categories of Personal Data

  • Business contact details: name, corporate email address, optional business telephone number
  • User account and profile data: username, role, preferences, timezone
  • Authentication data: authentication tokens and session identifiers, managed by Stytch
  • Project content: tasks, files, time entries, comments, metadata, audit logs, as created by or for the Client within the Services
  • Support ticket content: name, email, and contents of support communications submitted via BoldDesk
  • Billing contact data: billing name, address, and email, processed by Stripe and Quaderno for invoicing and payment purposes

Categories of Data Subjects

  • The Client's employees, contractors, and consultants authorised to use the Services
  • External stakeholders or collaborators invited by the Client to the Services
  • The Client's billing contacts

Special Categories

None. The Services are not designed or intended to process Special Categories of Personal Data. The Client must not submit such data without a separate written addendum to this Agreement.

Annex II: Sub-processor List

This Annex is maintained as a separate, living document. The current list of Completix Inc. sub-processors is maintained in a separate document.

DocumentCompletix Sub-processor Disclosure
How to ObtainAvailable on request, contact [email protected]
Online Referencecompletix.com/legal/privacy-policy
Update FrequencyUpdated whenever a sub-processor is added, removed, or materially changed. The Controller is notified of changes in accordance with Section 6 of this Agreement.

By entering into this Agreement, the Controller acknowledges and accepts the sub-processors listed in the Completix Sub-processor Disclosure as at the Effective Date. The Completix Sub-processor Disclosure is incorporated into this Agreement by reference.

Completix will notify the Controller of any intended changes to the sub-processor list with at least fifteen (15) days prior written notice, in accordance with Section 6.2 of this Agreement. The Controller may object to such changes in accordance with Section 6.3.

Annex III: Technical and Organisational Measures

GDPR Article 32, security of processing. The following Technical and Organisational Measures are implemented by Completix Inc. to protect personal data processed under this Agreement.

Control AreaMeasure Implemented
Access ControlRole-Based Access Control (RBAC) with least-privilege assignment. Azure AD / Entra ID with Conditional Access and MFA for administrative access. Passwordless authentication (Stytch magic link / OTP) for platform users.
Encryption in TransitTLS 1.2 or higher enforced for all data in transit between clients, services, and sub-processors.
Encryption at RestAzure-managed encryption at rest for all storage services (CosmosDB, Azure File Storage, Azure Key Vault).
Secrets ManagementCredentials and secrets stored exclusively in Azure Key Vault. No plaintext credentials in source code or configuration files.
Network SecurityAzure-managed network isolation. Firewall rules and network security groups applied to all infrastructure components. HTTPS-only endpoints enforced.
Tenant IsolationLogical multi-tenant isolation: each customer's data is segregated at the data tier. No cross-tenant data access is architecturally possible.
Audit LoggingCentralised audit logging via Azure Monitor and Application Insights. Logs are retained for a minimum of 90 days and monitored for anomalies.
Vulnerability ManagementRegular dependency patching and security updates applied to application code and infrastructure. CI/CD pipeline includes automated security scanning.
Change ManagementAll production changes are subject to a formal change approval process (CI/CD Change Approval Record). Environment separation between production and development via separate Azure Resource Groups.
Incident ResponseDocumented Incident Response Procedure with defined roles, escalation paths, and breach notification timelines. Incidents logged in the Incident Register.
Business ContinuityDocumented Business Continuity and Disaster Recovery procedures. Recovery objectives tested and reviewed annually.
Personnel SecurityAll personnel with access to personal data are subject to confidentiality obligations. Security awareness training conducted annually. Access reviewed quarterly (RBAC Access Review).
Sub-processor OversightSub-processors are assessed prior to engagement and reviewed annually. Sub-processor SOC 2 and DPA documentation maintained in the Sub-processor Evidence file.
BYOD ControlsAll personnel accessing systems via personal devices are subject to the Completix BYOD Security Policy, including endpoint security requirements and device registration.

These measures are reviewed at least annually and updated to reflect changes in technology, organisational structure, or risk profile. The current version of Completix's Information Security Policy is available to Clients on written request.

Need a signed copy referencing your organisation, or have questions about this DPA? Contact [email protected].