LFPDPPP · CFDI 4.0

Security & your practice's data.

Here's exactly what happens with your accounting practice's information once your account starts. No legalese. No compliance theater.

e.firma & CSD

Magda issues CFDI invoices using the Digital Stamp Certificate (CSD) your practice registers for each client — we never use your personal e.firma or your client's e.firma to stamp invoices. The CSD is encrypted at rest with AES-256 and only Magda can use it during the stamping process.

The PAC (Authorized Certification Provider) is confirmed with you at the close of onboarding, based on the one you already use in CONTPAQi (PAC SW, Diverza, Solución Factible, Edicom or another). If the PAC goes down, Magda halts the batch and notifies you via email and WhatsApp; CFDI issuance resumes as soon as the PAC is back, well within the 5 business-day window the SAT requires.

Hosting & data

Your data lives on Railway cloud infrastructure in the United States (us-east). This constitutes an international transfer that is necessary to fulfill our contractual relationship with you, authorized by article 37 section V of the LFPDPPP, with no additional consent required.

Backups

Encrypted daily backups with 30-day retention. Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 24 hours for the practice's transactional data.

Encryption

TLS 1.2+ in transit, AES-256 at rest. Logical separation per organization: each practice has its own isolated tenant in the database.

Subprocessors

For the service to work we need to rely on these providers. Each one is contractually bound to process your data exclusively for the described purpose and to LFPDPPP standards.

Railway

Purpose: Application hosting + database + backups
Data shared: All operational data of the practice
Location: United States
Contract: Signed DPA · LFPDPPP art. 37-V

Stripe

Purpose: Subscription payment processing
Data shared: Subscription ID only. Stripe captures the card directly.
Location: United States
Contract: Signed DPA

Resend

Purpose: Transactional email (signup, receipts, reminders)
Data shared: Recipient email, email content
Location: United States
Contract: Signed DPA

YCloud / WhatsApp Business API

Purpose: WhatsApp Business messages to the end client
Data shared: Client phone number, message template
Location: United States
Contract: Signed DPA

OpenRouter

Purpose: Access to AI models for drafting and CFDI validation
Data shared: Only the minimum context for each operation. Models are not trained on your information.
Location: United States
Contract: Signed DPA

If we ever incorporate a new relevant provider, we add them here and to the Privacy Notice before transferring any data to them.

Access controls

Two-factor authentication (2FA)

TOTP-based 2FA available for every account in the practice. Recommended for the lead accountant.

SSO / SAML

Enterprise SSO (Google Workspace, Microsoft Entra ID, Okta) available on the Enterprise plan.

Audit log

Every action Lupita or Magda performs on your behalf is recorded with timestamp, user, affected client, action type and result. Exportable to Excel whenever you ask.

Data processor agreement

We sign a data-processor agreement with you under article 89 of LFPDPPP before Lupita or Magda touch any of your end-client data. Request it at hola@cumplida.com and we'll send you a PDF to sign at the start of onboarding.

Status & incidents

We're preparing a public status page (status.cumplida.com) to report incidents in real time. In the meantime, write to soporte@cumplida.com and we respond in less than 4 business hours.

Something doesn't add up?

Any technical question before buying: hola@cumplida.com · WhatsApp +52 33 1714 1785 · Reserved Technology, S.A. de C.V., Zapopan, Jalisco.