Completix

Security Overview

SECURITY

Security Overview

This page is a public, high-level summary of how Completix protects customer data. It's intended to give your security or procurement team a starting point without requiring an NDA. If you need architecture diagrams, audit reports, a completed security questionnaire, or other detailed documentation, request it directly, see the bottom of this page.

Applies ToThe Completix project and portfolio management platform
Access LevelPublic, no NDA required for this overview
HostingMicrosoft Azure, with regional deployment options for enterprise customers
Related DocumentData Processing Agreement, Annex III
Jump to a section

Encryption

Data is encrypted in transit using TLS 1.2 or higher across all connections between clients, our services, and our sub-processors. Data at rest is encrypted using Azure-managed encryption across our storage layers, including the database, file storage, and secrets management.

Access Control

Access to the Completix Platform follows role-based access control with least-privilege assignment. Administrative access to our own infrastructure requires multi-factor authentication and conditional access policies. End-user authentication uses a passwordless model, magic link and one-time codes, rather than stored passwords.

Hosting and Tenant Isolation

The platform runs on Microsoft Azure. By default, customer data is hosted in Azure's US East region; enterprise customers can request an alternate regional deployment for data residency requirements. Customer data is logically separated at the data tier, so one customer's data is never accessible to another.

Monitoring and Logging

Activity across our infrastructure is centrally logged and monitored, with logs retained for a minimum of 90 days and reviewed for anomalies. This gives us visibility into unusual access patterns and supports investigation if an incident occurs.

Vulnerability and Change Management

Application and infrastructure dependencies are patched on a regular cadence, and our deployment pipeline includes automated security scanning. Production changes go through a formal review and approval process, and our development and production environments are kept separate.

Incident Response

We maintain a documented incident response process with defined roles and escalation paths. Where a security incident affects customer data, our Data Processing Agreement commits to notifying affected customers within 72 hours of becoming aware of it.

Business Continuity

We maintain documented business continuity and disaster recovery procedures, reviewed periodically to reflect changes in our infrastructure and operations.

Personnel and Vendor Oversight

Everyone with access to customer data is bound by confidentiality obligations, and access is reviewed periodically. Sub-processors are assessed before they're engaged and reviewed on an ongoing basis. Our current sub-processors, and the purpose each one serves, are listed in our Privacy Policy.

Compliance Alignment

Our data handling practices are designed to align with PIPEDA and the GDPR, as described in our Privacy Policy and Data Processing Agreement. Where a customer needs audit reports, certifications, or other compliance documentation for a specific engagement, we provide what's available on request.

Need more than this overview?

This page is intentionally high-level. If you're running a vendor security review, here's what we can typically provide on request:

  • Completed security questionnaires (SIG, CAIQ, or your own format)
  • Architecture and data-flow diagrams
  • Audit reports or certifications, where applicable

Email [email protected] to request documentation. Some materials may require a mutual NDA before they're shared, this overview page does not.