Compliance
simiriki runs on Microsoft Azure and Microsoft 365, with identity in Microsoft Entra ID and data in single-region Azure PostgreSQL (East US 2). This page states — without marketing — which regulatory frameworks we target, which controls exist today with evidence, and what is committed or planned.
We do not claim certifications we don't hold. Every statement carries an explicit status marker: in-evidence, committed-on-audit, or planned. Any vendor that says "we are SOC 2" without a Type II report is making an unverified claim; we make no such claim.
We prioritize by market: P0 covers the Mexican private sector + LATAM enterprise + US headquarters; P1 extends to cloud-security baseline and European privacy demands; P2 are regulated verticals (healthcare, banking) triggered by contract.
| Framework | Priority | Status | Description |
|---|---|---|---|
| LFPDPPP (México) | P0 | In evidence | Mexico's federal personal-data protection law. Mandatory for all Mexican customer data. Privacy notice published; ARCO (access, rectification, cancellation, opposition) rights honored within 10 business days (Art. 32). |
| SOC 2 Type II | P0 | Committed on audit | AICPA trust-services-criteria attestation. ~12-month observation period; triggered by the first enterprise contract. We do not claim a report that does not yet exist. |
| ISO/IEC 27001:2022 | P0 | Committed on audit | International information-security management standard. Controls mapped via Microsoft Compliance Manager; external Stage 1/Stage 2 audit triggered by enterprise contract. |
| NMX-I-27001-NYCE (México) | P0 | Committed on audit | Mexican national standard equivalent to ISO/IEC 27001, issued by NYCE. Relevant for Mexican government and enterprise procurement that requires the national norm. Same controls as ISO 27001; local certification triggered by contract. |
| Microsoft Cloud Security Benchmark | P1 | In evidence | Microsoft's unified security baseline mapped to all major frameworks. Azure Policy initiative deployed at subscription scope; Defender for Cloud enables the regulatory-compliance dashboard. |
| CIS Microsoft Azure Foundations v2.0 | P1 | In evidence | Center for Internet Security Azure-specific baseline. Enforced via Azure Policy on rg-simiriki-prod-eastus2 and monitored in the Defender for Cloud Secure Score. |
| GDPR (EU) | P1 | Planned | EU General Data Protection Regulation. Relevant if we serve European data subjects. Article 28 (processor/subprocessor) disclosures are already published; full scope is triggered by the first customer with EU data. |
| HIPAA (US) | P2 | Planned | US Health Insurance Portability and Accountability Act. Healthcare vertical. We do not handle US PHI today; triggered only if we enter the US healthcare market. |
| CNBV regulation (México) | P2 | Planned | Mexican National Banking and Securities Commission rules (CUB, record retention). Mexican banking/financial vertical. Triggered by the first CNBV-regulated customer. |
P0 = highest market priority · P1 = secondary · P2 = vertical / on-contract. Status: in-evidence (controls mapped, evidence collected) · committed-on-audit (will be attested on first enterprise contract) · planned (on roadmap, not yet implemented).
Compliance is shared between Microsoft Azure (cloud provider), simiriki (SaaS provider), and you (the customer). The boundary is explicit. "PLANNED" flags items not yet implemented.
| Control layer | Microsoft Azure provides | simiriki provides | Customer provides |
|---|---|---|---|
| Physical datacenter security | Yes (all) | None | None |
| OS patching of platform services | Yes (Container Apps, PG Flex, Redis, Front Door — managed) | None | None |
| Application code & dependencies | None | Build, ship, patch (CycloneDX SBOM on every PR) | None |
| Identity & authentication | Provides Entra ID platform | Configures customer auth (Entra External ID — PLANNED); MFA enforced on all admin | Manages their M365 admin credentials used during OAuth consent |
| Authorization & RBAC | None | Least-privilege RBAC on Azure; RLS (PostgreSQL row-level security) on application data | Approves which M365 scopes simiriki requests during connector OAuth |
| Encryption at rest | Provides platform-managed keys (PMK) by default | Encrypts data at rest; PLANNED: Customer-Managed Keys (CMK) | None |
| Encryption in transit | Provides TLS endpoints | Enforces TLS 1.2 minimum end-to-end | Connects over HTTPS (customer-side browsers / API clients) |
| Backup & restore | Provides Azure PG PITR + GRS blob storage | Configures backups; runs restore drills (PLANNED first drill 2026-07-15) | Decides the retention window for their data exports |
| Logging & monitoring | Provides Log Analytics + Application Insights infrastructure | Configures collection; instruments events; runs hash-chained actor_audit_log | Reviews their own M365 tenant's audit trail |
| Incident response | Provides Azure Service Health alerts | Detects, responds, notifies customers within 24 h (LFPDPPP Art. 20) | Notifies simiriki of incidents on customer-owned M365 surfaces |
| Data residency | Provides regional infrastructure | Single-region East US 2 today (PLANNED per-customer multi-region under R4) | Selects vendor based on their data-residency requirements |
| Data subject rights (LFPDPPP / GDPR) | Provides platform | Honors ARCO requests within 10 business days (LFPDPPP Art. 32) | Submits ARCO requests on behalf of their employees / users |
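The table above names a hash-chained actor_audit_log as the tamper-evidence control for application logging. The following is an added illustration, not simiriki's code and not its actual schema: it shows what "hash-chained" means in practice and how a reviewer would verify such a log. Column names (seq, ts, actor, action, target, prev_hash, hash), the SHA-256 digest, the canonical-JSON encoding and the all-zero genesis anchor are assumptions chosen for the example.

```python
import hashlib
import json

# Assumed anchor for the first row; a real deployment would pin this value (or the
# latest row hash) outside the database so that truncation of the tail is detectable.
GENESIS = "0" * 64


def row_hash(prev_hash: str, body: dict) -> str:
    """Digest of the previous row's hash plus the canonical JSON of this row's fields.

    Sorted keys and fixed separators make the digest independent of field order.
    """
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append_event(rows: list, actor: str, action: str, target: str, ts: str) -> dict:
    """Append one audit row whose hash covers its own fields and the previous row's hash."""
    prev_hash = rows[-1]["hash"] if rows else GENESIS
    body = {
        "seq": len(rows) + 1,
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev_hash": prev_hash,
    }
    row = dict(body)
    row["hash"] = row_hash(prev_hash, body)
    rows.append(row)
    return row


def verify_chain(rows: list):
    """Walk the log from the genesis anchor.

    Returns (True, None) when every row is contiguous, links to its predecessor and
    re-hashes to its stored digest; otherwise (False, seq) for the first row that breaks.
    """
    expected_prev = GENESIS
    for position, row in enumerate(rows, start=1):
        body = {k: v for k, v in row.items() if k != "hash"}
        if (
            row.get("seq") != position
            or row.get("prev_hash") != expected_prev
            or row_hash(row["prev_hash"], body) != row["hash"]
        ):
            return False, row.get("seq", position)
        expected_prev = row["hash"]
    return True, None


def demo() -> dict:
    """Constructed sample log: three tamper scenarios against an intact chain."""
    rows = []
    append_event(rows, "admin@example.com", "connector.consent", "tenant:example", "2026-01-10T14:00:00Z")
    append_event(rows, "svc-scanner", "scan.start", "tenant:example", "2026-01-10T14:00:05Z")
    append_event(rows, "svc-scanner", "scan.finish", "tenant:example", "2026-01-10T14:07:41Z")
    results = {"intact": verify_chain(rows)}

    # 1. Edit a field in row 2 without touching its hash: row 2 no longer re-hashes.
    edited = json.loads(json.dumps(rows))
    edited[1]["actor"] = "mallory"
    results["edited"] = verify_chain(edited)

    # 2. Edit row 2 and recompute its hash: row 3's prev_hash no longer matches.
    rehashed = json.loads(json.dumps(rows))
    rehashed[1]["actor"] = "mallory"
    body = {k: v for k, v in rehashed[1].items() if k != "hash"}
    rehashed[1]["hash"] = row_hash(rehashed[1]["prev_hash"], body)
    results["rehashed"] = verify_chain(rehashed)

    # 3. Delete row 2 entirely: the sequence gap and broken link surface at row 3.
    deleted = [rows[0], rows[2]]
    results["deleted"] = verify_chain(deleted)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:9s} -> {outcome}")
```

The chain only proves that nothing inside the verified range was altered or removed; it cannot by itself detect that rows were dropped from the end, which is why the latest hash (or a periodic checkpoint) has to be anchored somewhere the database writer cannot reach.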
This table lists every third party that processes customer data on behalf of simiriki, per LFPDPPP Article 28 / GDPR Article 28. Refreshed quarterly.
| Subprocessor | Jurisdiction | Data processed | DPA |
|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | US | Compute, storage, database, identity, email — all customer data (East US 2 region) | DPA → |
| Microsoft 365 / Graph (Microsoft Corporation) | US | Customer M365 OAuth (read-only) during scans + Graph SendMail for transactional email | DPA → |
| Stripe (Stripe, Inc.) | US | Payment processing. Customer email + payment-intent ID (no card data — Stripe Checkout hosts the flow). PCI DSS Level 1. | DPA → |
| Amazon Web Services S3 (Amazon Web Services, Inc.) | US | Database backup destination (legacy). Daily PG logical dumps, encrypted at rest (us-east-2). Under migration to Azure GRS. | DPA → |
| Cloudflare (Cloudflare, Inc.) | US | Authoritative DNS resolution for simiriki.com — DNS records only, no customer data | DPA → |
Microsoft Compliance Manager (MCM) onboarding is active. MCM is the free evidence-tracking layer bundled with our M365 DEVELOPERPACK license; it maps Microsoft-inherited controls (typically 30–50% of the total) and tracks the remaining improvement actions against the target frameworks.
Formal SOC 2 Type II and ISO 27001:2022 audits are triggered by the first enterprise contract. We do not commit specific audit dates publicly because the assessor cost (~$40–60K USD/year) must be revenue-backed. Committed dates are available on request.
Today: single-region Azure East US 2. Per-customer multi-region deployment is under R4 design (post product-market fit). If your residency requirement demands a specific region (e.g. Mexico Central or the EU), let us discuss it before signing — we will not claim coverage we do not have.
simiriki maintains a documented incident-response process. Summary of the contractual commitments:
We welcome responsible disclosure of security vulnerabilities. We acknowledge reports within 72 hours and provide safe harbor for good-faith researchers.
We will not amend this section to claim certifications we do not hold.
This page is the public summary. The full compliance posture statement (with control-to-ISO 27001 / SOC 2 and LFPDPPP article mapping) is available on request for procurement teams.