Built to withstand an audit.
Two things matter here: that the platform is secure, and that your file holds up as evidence before STPS. Vigía was built to pass enterprise-grade security reviews — this is how we protect your data and your vendors'.
The basics, done right — and verifiable.
You're trusting us with your vendors' tax IDs, payroll data and worker PII. Here's exactly how that's protected — every control below exists in the product today; none of it is roadmap.
Encryption at rest
Sensitive personal data (CURP, RFC, NSS) is encrypted field-by-field. Even with database access, the PII isn't readable without the key.
Encryption in transit
Every connection over HTTPS, with a two-year, preload-ready HSTS policy. Your data never travels in the clear.
2FA for privileged roles
Two-factor authentication enforced for privileged roles, with recovery codes issued at enrollment. A leaked password isn't enough to get in.
Complete audit trail
Upload, validate, approve, reject, download — each is recorded with who did it and when. The application only ever appends to the trail; there is no edit or delete path.
Granular roles
Each user sees only what their role allows. The guard at the gate sees a green/red verdict — never your contracts or amounts.
Your data isn't training data
Vendor documents are never used to train AI models — ours or anyone else's. AI validation is an add-on that extracts data from the document, nothing more.
Per-vendor data isolation
Each vendor on the portal sees only its own data: application-level scoping is the first layer, database row-level security the second — defense in depth.
Declared infrastructure
Vigía runs on Vercel, with Neon (Postgres) and Vercel Blob for documents, Resend for transactional email and OpenAI for the AI add-on. Full subprocessor list available on request.
From "we have the PDF" to "we can prove it".
Holding a document and being able to prove it in front of STPS are not the same thing. The vendor file is built to stand as evidence — dated, traceable and exportable.
Full traceability
Every action on a document is recorded with actor and timestamp, in a trail the application can only append to. Who uploaded, who validated, who approved — it's all there.
Exportable evidence
The vendor's living file is available online, and compliance, CFDI and analytics reports export to CSV — ready to hand to an auditor with the history attached.
Period-by-period record
Compliance is evaluated per period, so you can see the status a vendor had in the period of each payment — not just today.
The regulations and frameworks behind the control.
We comply with Mexico's data-protection law and design our controls on top of recognized security frameworks. Each item below states exactly what it is.
LFPDPPP
Full privacy notice published, with a documented ARCO procedure for exercising data rights.
ISO 27001 principles
We organize and design our security controls following ISO 27001 principles.
SOC 2 principles
Internal controls structured on the SOC 2 trust services criteria.
Penetration testing
Internal security assessments against OWASP Top 10 and ASVS, with a written report and findings tracked to closure. Report available under NDA.
What Vigía Legal does not do (and why).
As important as knowing what's included is knowing what's left out. Vigía Legal is a REPSE compliance platform — not a law firm, not a tax advisor, not a payroll system. The explicit boundaries:
No formal legal opinions
We don't issue case-by-case legal opinions nor represent before authorities. That's a law firm's job. Vigía organizes the evidence your lawyer will use.
No tax determination
We don't replace your accountant's analysis. We cross-check and flag inconsistencies; the final tax decision is signed by a professional.
No payroll or full EHS
We don't run vendor payroll or a complete EHS file beyond REPSE. We stay within subcontracting regulatory control.
No automated critical decisions
The system suggests (approve / hold / reject) but a person signs the final call. Regulatory compliance needs human accountability.
Security review, on demand.
If your security team wants to go deeper — architecture, encryption details, audit-trail structure, the pentest report — we coordinate a working session at contacto@vigialegal.mx. Technical documentation shared under NDA once scope is defined.