Built to withstand an audit.
The difference between having documents and having valid evidence lies in how every file is sealed, kept in custody and transmitted. Vigía Legal uses NOM-151 with a timestamp from an authorized PSC, SAT e.firma and an immutable chain of custody so every document in the file holds up before STPS, a labor court or a conciliation board.
Not "store PDFs". It's signed evidence.
NOM-151
Every document is sealed with a timestamp issued by a Certification Service Provider authorized by SE. This guarantees integrity and the exact moment.
SAT e.firma
Signed with the e.firma of the vendor's legal representative. Equivalent legal validity to a handwritten signature under the Commerce Code.
Chain of custody
Every action (upload, validation, seal, signing, download) is logged with user, IP, timestamp and SHA-256 hash. Exportable as evidence.
Data in Mexico, end-to-end encryption, no model training.
What we comply with and what's in progress.
We're honest: we list what's in force and what's under audit. If a certification is in progress, we say so. No marketing logos without a document behind them.
LFPDPPP
Full privacy notice, designated DPO, ARCO registry.
NOM-151 SE
Timestamping via PSC authorized by the Ministry of Economy.
ISO 27001
Initial audit Q3 2026. Controls already implemented.
SOC 2 Type I
Report expected Q4 2026 with external auditor.
Approvers aren't requesters. Ever.
Vigía Legal applies segregation of duties hardcoded in the state machine. Exceptions (authorizing payment to a red vendor due to operational contingency) require at minimum three distinct roles: requester, approver, signer. Every action is recorded in an immutable audit log with SHA-256.
Eight profiles
admin · repse_owner · procurement · compliance · legal · contract_owner · hse · viewer. Specific permissions per resource and action.
TOTP + recovery
For admin · repse_owner · legal roles. Recovery codes generated on creation. Enterprise SSO with delegated MFA (Azure AD · Okta · Google Workspace).
Immutable · SHA-256
Every action: upload, validate, reject, approve, reveal_pii, download. With actor, IP, timestamp, payload and hash chained to the previous event.
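How chaining each event's hash to the previous one makes edits detectable, as an added illustration (not Vigía Legal's code). The entry fields follow the list above; the genesis value, the canonical JSON encoding and all function names are assumptions.

```python
import hashlib, json

GENESIS = "0" * 64  # assumed anchor for the first event (not from the page)
FIELDS = ("actor", "ip", "ts", "action", "payload")

def event_hash(prev_hash, event):
    # Canonical JSON so the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, **event):
    # Each entry commits to its own fields and to the previous entry's hash.
    prev = log[-1]["hash"] if log else GENESIS
    event = {k: event[k] for k in FIELDS}
    log.append({**event, "prev_hash": prev, "hash": event_hash(prev, event)})

def verify(log, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact.

    expected_head is the newest hash as recorded outside the log (for example
    in a sealed export); without it, removal of the newest entries goes unseen.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        event = {k: entry[k] for k in FIELDS}
        if entry["prev_hash"] != prev or entry["hash"] != event_hash(prev, event):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def sample_log():
    # Constructed events; actors and addresses (RFC 5737 range) are made up.
    log = []
    append(log, actor="u-procurement", ip="192.0.2.10", ts="2026-01-05T10:00:00Z",
           action="upload", payload={"doc": "contract.pdf"})
    append(log, actor="u-compliance", ip="192.0.2.11", ts="2026-01-05T10:05:00Z",
           action="validate", payload={"doc": "contract.pdf"})
    append(log, actor="u-legal", ip="192.0.2.12", ts="2026-01-05T10:09:00Z",
           action="approve", payload={"doc": "contract.pdf"})
    append(log, actor="u-viewer", ip="192.0.2.13", ts="2026-01-05T10:12:00Z",
           action="download", payload={"doc": "contract.pdf"})
    return log
```

An edited or deleted entry breaks the chain at or just after its position. A truncated tail is caught only when the newest hash is also kept somewhere the log's writer cannot alter.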
What Vigía Legal does not do (and why).
As important as knowing what's included is knowing what's left out. Vigía Legal is a REPSE compliance platform — not a law firm, not a tax advisor, not a payroll system. These are the explicit boundaries:
No formal legal opinions
We don't issue legal opinions on a case-by-case basis or provide representation before authorities. That's the work of a law firm. Vigía organizes the evidence your lawyer will use.
No tax determination
We don't replace your accountant or tax advisor's analysis. We cross-check information and flag inconsistencies; the final tax decision is signed by a professional.
No payroll or full EHS
We don't manage vendor payroll or a complete EHS file outside REPSE. We stay within subcontracting regulatory control.
No automated critical decisions
The system suggests ("approve" / "reject" / "hold") but the final decision is signed by a person. Regulatory compliance requires human accountability.
We'll send you our security whitepaper.
Threat model, incident response policy, ISO 27001 controls already implemented, data retention policy and no-training contractual clause. Request the PDF at contacto@vigialegal.mx.