ıVigíaLegal
S.00Security

Built to withstand an audit.

Two things matter here: that the platform is secure, and that your file holds up as evidence before STPS. Vigía was built to pass enterprise-grade security reviews — this is how we protect your data and your vendors'.

01Platform security

The basics, done right — and verifiable.

You're trusting us with your vendors' tax IDs, payroll data and worker PII. Here's exactly how that's protected — every control below exists in the product today; none of it is roadmap.

AES-256-GCM

Encryption at rest

Sensitive personal data (CURP, RFC, NSS) is encrypted field-by-field. Even with database access, the PII isn't readable without the key.

TLS 1.3 + HSTS

Encryption in transit

Every connection over HTTPS, with a two-year, preload-ready HSTS policy. Your data never travels in the clear.

TOTP + recovery codes

2FA for privileged roles

Two-factor authentication enforced for privileged roles, with recovery codes issued at enrollment. A leaked password isn't enough to get in.

Every action, with actor and time

Complete audit trail

Upload, validate, approve, reject, download — each is recorded with who did it and when. The application only ever appends to the trail; there is no edit or delete path.

Permission per resource

Granular roles

Each user sees only what their role allows. The guard at the gate sees a green/red verdict — never your contracts or amounts.

Data-use commitment

Your data isn't training data

Vendor documents are never used to train AI models — ours or anyone else's. AI validation is an add-on that extracts data from the document, nothing more.

Scoping + row-level security

Per-vendor data isolation

Each vendor on the portal sees only its own data: application-level scoping is the first layer, database row-level security the second — defense in depth.

Subprocessors

Declared infrastructure

Vigía runs on Vercel, with Neon (Postgres) and Vercel Blob for documents, Resend for transactional email and OpenAI for the AI add-on. Full subprocessor list available on request.

02Evidentiary value

From "we have the PDF" to "we can prove it".

Holding a document and being able to prove it in front of STPS are not the same thing. The vendor file is built to stand as evidence — dated, traceable and exportable.

Live

Full traceability

Every action on a document is recorded with actor and timestamp, in a trail the application can only append to. Who uploaded, who validated, who approved — it's all there.

Live

Exportable evidence

The vendor's living file is available online, and compliance, CFDI and analytics reports export to CSV — ready to hand to an auditor with the history attached.

Live

Period-by-period record

Compliance is evaluated per period, so you can see the status a vendor had in the period of each payment — not just today.

03Compliance & assurance

The regulations and frameworks behind the control.

We comply with Mexico's data-protection law and design our controls on top of recognized security frameworks. Each item below states exactly what it is.

Published

LFPDPPP

Full privacy notice published, with a documented ARCO procedure for exercising data rights.

Design reference

ISO 27001 principles

We organize and design our security controls following ISO 27001 principles.

Design reference

SOC 2 principles

Internal controls structured on the SOC 2 trust services criteria.

Internal · Jun 2026

Penetration testing

Internal security assessments against OWASP Top 10 and ASVS, with a written report and findings tracked to closure. Report available under NDA.

04Out of scope

What Vigía Legal does not do (and why).

As important as knowing what's included is knowing what's left out. Vigía Legal is a REPSE compliance platform — not a law firm, not a tax advisor, not a payroll system. The explicit boundaries:

No formal legal opinions

We don't issue case-by-case legal opinions nor represent before authorities. That's a law firm's job. Vigía organizes the evidence your lawyer will use.

No tax determination

We don't replace your accountant's analysis. We cross-check and flag inconsistencies; the final tax decision is signed by a professional.

No payroll or full EHS

We don't run vendor payroll or a complete EHS file beyond REPSE. We stay within subcontracting regulatory control.

No automated critical decisions

The system suggests (approve / hold / reject) but a person signs the final call. Regulatory compliance needs human accountability.

Let's talk

Security review, on demand.

If your security team wants to go deeper — architecture, encryption details, audit-trail structure, the pentest report — we coordinate a working session at contacto@vigialegal.mx. Technical documentation shared under NDA once scope is defined.