Project Completely

GDPR Commitment


What is GDPR?

The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018.

Does GDPR affect you?

If you’re based in the EU or do business in the EU, then the answer is YES! GDPR has a long reach. If you have any EU personal data in your ProjectCompletely account, such as names, email addresses, ID numbers, or anything else personally identifiable, then GDPR applies. You are a Controller of personal data under GDPR, so you need to enter into GDPR-compliant data processing agreements with any online services and third-party vendors you rely on, including ProjectCompletely. Such an agreement is commonly called a Data Processing Addendum, or DPA.

Our commitment to GDPR

ProjectCompletely, as an organization, has always implemented and practiced processes which ensure that customer data is stored and processed only in ways necessary to serve our customers in the best possible way. Our privacy, security and data storage policies are also aligned with the GDPR goals and objectives. More information can be found by reviewing our Privacy Policy.

ProjectCompletely is committed to employing a wide range of safeguards that protect private data, and all of our processes are designed to adhere to the requirements of GDPR. In addition, even though the GDPR no longer recognizes it, ProjectCompletely continues to actively participate in the EU-US and Swiss-US Privacy Shield Framework to safeguard the transfer of personal data to the US, which further demonstrates our commitment to compliance with data protection laws.

Data Processing Addendum

If you need to comply with GDPR and you’re using ProjectCompletely, then legally you’ll need to enter into a Data Processing Addendum (DPA) with ProjectCompletely. Processing EU personal data must be governed by a GDPR-compliant contract. We provide a standard Data Processing Addendum (DPA) to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed.

To ensure no inconsistent or additional terms are imposed on us beyond those reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs. We are not able to make individual changes to our DPA.

ProjectCompletely subprocessors

ProjectCompletely uses third-party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, extending GDPR safeguards everywhere personal data is processed.

Subprocessors located in the United States:

  • Amazon Web Services: Cloud services provider
  • Braintree: Payment processing services
  • Google Analytics: Web analytics service
  • Postmark: Email delivery services
  • HelpScout: Help desk software
  • FirstPromoter: Referral tracking software

Checklist for Data Controllers

GDPR regulations require the following of any company or organization that is outsourcing the personal data of its customers or clients to a third-party software supplier:

You should be able to answer and/or assess the following.

Do you have a Data Processing Agreement (DPA) with the software supplier?

You can enter into a DPA with ProjectCompletely by clicking HERE.

Does the data processor use data processors of their own? Do they have DPAs with these?

You can see a list of the subprocessors that ProjectCompletely uses above. Yes, we have DPAs in place with each one.

Did your company / organization do a risk assessment of the outsourcing?

You can see a list of the subprocessors that ProjectCompletely uses above. You can use this information to make your risk assessment.

Did your company / organization assess the data processor’s ability to comply with these requirements?

The information on this page is as transparent as we can possibly be. You can use this information to make your assessment.

How does your company / organization audit the data processor’s ability to comply with the DPA?

You’ll have to use the information we provided both on this page and in our DPA to make your audit.

Is personal information being transferred to another country? Does this transfer comply with the requirements?

ProjectCompletely is a participating member in the EU/US and Swiss-US Privacy Shield Framework.

Does the data processor have a procedure for informing customers about privacy breaches?

ProjectCompletely is committed to the following actions within 72 hours of any security breach: carrying out an investigation, informing both regulators and individuals of a breach, disclosing what personal data has been impacted and how, and explaining how the issue will be addressed moving forward. If, for whatever reason, we are not able to complete these steps within 72 hours, we will provide reasonable justification for the delay. Historical data on security breaches as well as announcements of known breaches will be reported HERE.

How can the data processor assist with your customers’ requests and complaints regarding their rights under the GDPR?

You can contact us directly at [email protected] with your requests.

How can customers access their data stored in the software solution?

ProjectCompletely provides a self-actuated export functionality for all Contact data, including any associated personal information or created custom fields.

If we cancel our account and no longer use the software, will the data processor delete the data?

ProjectCompletely will hold your account for up to 3 months just in case you decide to return, but after that your data will be automatically deleted. If you request that your data is deleted in advance of this automated process, we will comply if we can establish that the requester has the proper authority to make such a request.

Who is doing the backup of customer data, how often and using what method?

All of ProjectCompletely’s customers’ data and files are backed up multiple times per day using the industry-standard snapshot method, and stored in a redundant fashion across the Amazon AWS data center network. These backups are encrypted at rest and are automatically deleted when they reach 14 days of age.