Cargando…
Cargando…
TRUST CENTER · CENTRO DE CONFIANZA
The security, privacy, and transparency posture behind simiriki — encryption, identity and access, retention, incident response, our sub-processor registry, and where our compliance program stands. Refreshed quarterly, with file-level evidence you can verify.
SQL injection, SSRF, open redirects, CSRF, OAuth state, webhook signatures, HMAC, encryption at rest, CSP — each one audited against the code that defends it. Public, reproducible, refreshed every quarter.
Our detection catalog spans 201 rules — 155 via Microsoft Graph (the free Auditoría) and 46 via Azure Resource Manager (added with admin consent and Reader access) — organized into 8 categories.
MFA enforcement, conditional access, admin roles, stale accounts
DMARC, SPF, DKIM, forwarding rules, anti-phishing
External sharing, DLP policies, sensitivity labels
Compliance policies, managed vs unmanaged devices
Logging, retention, regulatory alignment
OAuth permissions, risky apps, consent policies
License utilization, connector health
Process automation, approval workflows
Each rule is scored as CRITICAL, HIGH, MEDIUM, or LOW severity. Your maturity score (0–100) is calculated relative to your industry and company size — we don’t penalize manual processes that are industry-standard.
At least 25% of recommendations address non-digital dimensions (process improvement, compliance, training). Every report includes a methodology note explaining how your score was calculated.
Your data is processed by simiriki and the third-party services below. This registry is the LFPDPPP Article 28-equivalent disclosure surface — it stays in lockstep with the machine-readable schema embedded on this page.
| Service | Legal entity | Country | Purpose |
|---|---|---|---|
| Microsoft Azure | Microsoft Corporation | US | Primary infrastructure (Container Apps, Postgres, Storage, Key Vault, Front Door) — East US 2 region |
| Microsoft 365 + Azure / Graph + ARM | Microsoft Corporation | US | Customer Microsoft 365 + Azure OAuth (read-only: 155 rules via Microsoft Graph + 46 rules via Azure Resource Manager) during scans + Graph SendMail for transactional email |
| Stripe | Stripe Inc. | US | Payment processing (PCI DSS Level 1) |
| Cloudflare | Cloudflare, Inc. | US | Authoritative DNS resolution for simiriki.com |
| Anthropic | Anthropic, PBC | US | Claude models for diagnostics, audit reports, executive memos, and commercial workflows (executive memos run under explicit client consent: generating executive memos and quarterly analyses for clients). Data sent to Anthropic through its commercial API is not used to train its models (Anthropic Commercial Terms) and is retained only temporarily and in a limited way to operate the service and monitor misuse. |
| Amazon Web Services (S3) | Amazon Web Services, Inc. | US | Database backup destination (legacy): daily PostgreSQL logical dumps, encrypted at rest (us-east-2). Under migration to Azure-native backup. |
| Google LLC | Google LLC | US | Google Analytics (GA4): web analytics; anonymized navigation data, only with the user’s consent. |
Full contractual terms in our Data Processing Agreement.
These are TARGETS our compliance program is built toward — not active certifications. We disclose this honestly: simiriki does not hold these certifications today. Audit dates are revenue-triggered and available on request.
Mexico's federal personal-data protection law. Mandatory for all Mexican customer data. Privacy notice published; ARCO rights honored within ≤ 20 business days (Art. 32).
In evidenceAICPA trust-services-criteria attestation. ~12-month observation period; triggered by the first enterprise contract. We do not claim a report that does not yet exist.
Committed on auditInternational information-security management standard. Controls mapped via Microsoft Compliance Manager; external Stage 1/Stage 2 audit triggered by enterprise contract.
Committed on auditMexican national standard equivalent to ISO/IEC 27001, issued by NYCE. Relevant for Mexican government and enterprise procurement that requires the national norm. Same controls as ISO 27001; local certification triggered by contract.
Committed on auditMicrosoft's unified security baseline mapped to all major frameworks. Azure Policy initiative deployed at subscription scope; Defender for Cloud enables the regulatory-compliance dashboard.
In evidenceCenter for Internet Security Azure-specific baseline. Enforced via Azure Policy on rg-simiriki-prod-eastus2 and monitored in the Defender for Cloud Secure Score.
In evidenceEU General Data Protection Regulation. Relevant if we serve European data subjects. Article 28 (subprocessor) disclosures are already published; full scope is triggered by the first customer with EU data.
PlannedUS Health Insurance Portability and Accountability Act. Healthcare vertical. We do not handle US PHI today; triggered only if we enter the US healthcare market.
PlannedMexican National Banking and Securities Commission rules (CUB, record retention). Mexican banking/financial vertical. Triggered by the first CNBV-regulated customer.
PlannedThe free scan requests only least-privilege, read-only configuration scopes — never the content of your mail, calendar, files, or contacts. Each permission maps to the detection rules it powers.
In the event of a security incident:
Depending on your jurisdiction, you have the right to access, rectify, cancel/delete, or object tothe processing of your data — the ARCO rights under Mexico's LFPDPPP, with equivalent rights under the EU GDPR and applicable US state privacy laws. Contact us at jjdlr@simiriki.comwith subject “Data Rights” and we respond within 20 business days.
simiriki operates as a 100% cloud-native, paperless service. Our infrastructure choices prioritize energy efficiency:
Every process we automate for our clients eliminates repetitive manual tasks, reduces energy consumption from desktop workstations, and replaces paper-based compliance workflows with cloud-native alternatives.
We welcome responsible disclosure of security vulnerabilities. See our Responsible Disclosure Policy for details. We acknowledge reports within 72 hours and provide safe harbor for good-faith researchers.