Trust & Security

Data Privacy

Privacy by design. Compliance by default.

Complexio is built to respect the privacy rights of every individual whose data touches our platform. We implement privacy controls at every layer — from ingestion filtering to output sanitisation — so that personal data is protected throughout its lifecycle.

Data minimisation as a first principle.

We don’t collect everything and filter later. We minimise at the point of entry. Our three-layer approach:

  1. Preventing ingestion — source whitelisting, domain exclusions, and sensitivity labels stop unwanted data before it enters the system.
  2. Preventing retention — keyphrase filters and content rules ensure that data matching sensitive patterns is excluded during processing.
  3. Filtering what remains — an optionally deployed AI filtering layer identifies potentially business-irrelevant data that should not be ingested into the system.

Personal data treated with care at every step.

What We Filter

  • Source whitelisting, keyphrase filtering, and AI-based content analysis work together to exclude personal and non-business data.
  • Customers define keyphrase lists, source exclusions, and content filtering rules based on their specific regulatory and privacy requirements.

What We Retain

  • Only business-relevant, filtered data is retained in the standard-security context.
  • Raw data with PII is stored only in the high-security context, encrypted and access-restricted.
  • Retention periods are defined per customer agreement and enforced automatically.

Employee Data Protection

  • Complexio processes business communications to understand operational workflows. Analytics to surface process-level insights, and customer control.
  • Analytics are designed to operate at a process and team level. Access to individual-level data is restricted through role-based controls, logging, and customer-defined policies.
  • Customers can configure data access policies to further restrict which roles can see which data categories.

Built for European data protection standards.

  • Data Processing Agreements (DPAs) — we execute DPAs with all customers, clearly defining roles, purposes, and safeguards.
  • Data Subject Access Requests (DSARs) — we support customers in responding to DSARs with tools to locate, export, and delete personal data.
  • Right to erasure — personal data can be deleted on request, with documented verification of deletion.
  • Records of processing — we maintain comprehensive records of processing activities as required by GDPR Article 30.
  • Data lineage — full traceability of data from ingestion through processing to output, supporting accountability and audit requirements.
  • Cross-border transfers — all data is processed within the customer’s chosen region. No data is transferred outside the EEA without explicit agreement and appropriate safeguards.
  • On-premise processing — core data processing is performed within the customer’s infrastructure. Where customer data is processed by external AI model providers, this is subject to our vendor security framework and documented in the applicable DPA.

You control what goes in.

  • Choose which mailboxes, folders, document libraries, and communication channels to access. Exclude specific sources or content categories — all configured during onboarding and adjustable at any time.
  • Every ingestion setting is visible to your IT and compliance teams. Changes to data source configuration are logged and require authorisation.