Security Overview
This page is a public, high-level summary of how Completix protects customer data. It's intended to give your security or procurement team a starting point without requiring an NDA. If you need architecture diagrams, audit reports, a completed security questionnaire, or other detailed documentation, request it directly, see the bottom of this page.
| Applies To | The Completix project and portfolio management platform |
|---|---|
| Access Level | Public, no NDA required for this overview |
| Hosting | Microsoft Azure, with regional deployment options for enterprise customers |
| Related Document | Data Processing Agreement, Annex III |
Jump to a section
Encryption
Data is encrypted in transit using TLS 1.2 or higher across all connections between clients, our services, and our sub-processors. Data at rest is encrypted using Azure-managed encryption across our storage layers, including the database, file storage, and secrets management.
Access Control
Access to the Completix Platform follows role-based access control with least-privilege assignment. Administrative access to our own infrastructure requires multi-factor authentication and conditional access policies. End-user authentication uses a passwordless model, magic link and one-time codes, rather than stored passwords.
Hosting and Tenant Isolation
The platform runs on Microsoft Azure. By default, customer data is hosted in Azure's US East region; enterprise customers can request an alternate regional deployment for data residency requirements. Customer data is logically separated at the data tier, so one customer's data is never accessible to another.
Monitoring and Logging
Activity across our infrastructure is centrally logged and monitored, with logs retained for a minimum of 90 days and reviewed for anomalies. This gives us visibility into unusual access patterns and supports investigation if an incident occurs.
Vulnerability and Change Management
Application and infrastructure dependencies are patched on a regular cadence, and our deployment pipeline includes automated security scanning. Production changes go through a formal review and approval process, and our development and production environments are kept separate.
Incident Response
We maintain a documented incident response process with defined roles and escalation paths. Where a security incident affects customer data, our Data Processing Agreement commits to notifying affected customers within 72 hours of becoming aware of it.
Business Continuity
We maintain documented business continuity and disaster recovery procedures, reviewed periodically to reflect changes in our infrastructure and operations.
Personnel and Vendor Oversight
Everyone with access to customer data is bound by confidentiality obligations, and access is reviewed periodically. Sub-processors are assessed before they're engaged and reviewed on an ongoing basis. Our current sub-processors, and the purpose each one serves, are listed in our Privacy Policy.
Compliance Alignment
Our data handling practices are designed to align with PIPEDA and the GDPR, as described in our Privacy Policy and Data Processing Agreement. Where a customer needs audit reports, certifications, or other compliance documentation for a specific engagement, we provide what's available on request.
Need more than this overview?
This page is intentionally high-level. If you're running a vendor security review, here's what we can typically provide on request:
- Completed security questionnaires (SIG, CAIQ, or your own format)
- Architecture and data-flow diagrams
- Audit reports or certifications, where applicable
Email [email protected] to request documentation. Some materials may require a mutual NDA before they're shared, this overview page does not.