How we process data on behalf of our customers.
Last updated: 2026-04-19
DATA PROCESSING OVERVIEW
1. DATA CONTROLLER AND PROCESSOR
Data Controller (Responsable): The Customer, the company that registers for and uses the Nómaton platform to process payroll for its employees in Mexico.
Data Processor (Encargado): WezOps LLC, operating commercially as "Nómaton," with registered address at 447 Broadway, 2nd Floor Suite #2566, New York, New York 10013, United States of America.
2. DATA PROCESSING PURPOSES
WezOps processes Employee Data exclusively for the purposes specified in the Integral Privacy Notice (available at /privacy) and the Terms of Service (available at /terms):
Primary purposes (necessary for the employment relationship):
- Payroll calculation and processing (ordinary and extraordinary)
- ISR tax withholding per Art. 96 LISR
- IMSS/INFONAVIT contribution management
- CFDI 4.0 digital tax receipt generation and timbrado
- Bank disbursement file generation
- Compliance with Mexican labor, tax, and social security law
- Record retention per LFT Art. 804 and CFF Art. 30
Secondary purposes (optional, data subject may opt out):
- Aggregated statistical analysis for platform improvement
- Anonymized workforce analytics and industry benchmarking
- Service update communications
3. CATEGORIES OF PERSONAL DATA PROCESSED
- Identification data (name, DOB, CURP, RFC, photograph)
- Contact data (address, phone, email)
- Employment data (position, department, hire date, salary, seniority)
- Tax data (RFC, fiscal regime, tax address)
- Social security data (NSS, IMSS registration, affiliation movements)
- Financial data (CLABE, bank account for payroll deposit)
- Patrimonial data (SBC, perceptions, deductions, ISR, IMSS contributions)
- Sensitive data (medical disability certificates from IMSS only)
4. SECURITY MEASURES
WezOps implements the following technical and organizational measures per LFPDPPP Art. 19 and Reglamento Art. 57-58:
- AES-256-GCM field-level encryption for sensitive data at rest
- TLS 1.3 encryption for all data in transit
- Role-based access control (7 tiers, 55 permissions)
- Multi-factor authentication (TOTP)
- Immutable audit logging with HMAC-SHA-256 hash-chain integrity
- Automated data access monitoring and logging
- CSRF protection and input sanitization
- Rate limiting on all API endpoints
- Key versioning for encryption key rotation
- Tenant-level data isolation (all queries scoped by tenant_id)
5. DATA LOCATION AND INTERNATIONAL TRANSFERS
Customer Data is stored in the United States:
- Primary database: Neon (PostgreSQL), East US region
- Application hosting: Vercel, global edge network
- Legal basis for transfer: LFPDPPP Art. 37, Fracción VII
6. DATA RETENTION
- Employment and payroll records: minimum 5 years (LFT Art. 804)
- Tax records and CFDI: minimum 5 years (CFF Art. 30)
- Social security records: per LSS regulations
- Audit logs: retained indefinitely for compliance
- Upon termination: 30-day data export window, then deletion (except legally required retention)
7. BREACH NOTIFICATION
WezOps will notify Customer without undue delay, and within 72 hours where feasible, of any confirmed data breach affecting Employee Data. Notification will include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
8. ENTERPRISE DPA
For enterprise clients requiring a standalone, signed Data Processing Agreement with custom terms, please contact: legal@nomaton.mx
Authorized Sub-Processors
Nómaton uses authorized sub-processors located in Mexico and the United States to fulfill payroll processing, tax compliance (CFDI timbrado), social security and housing contributions (IMSS, INFONAVIT), payroll disbursement, data storage, and application hosting obligations. All international data transfers comply with LFPDPPP Art. 37, Fr. VII. A complete and up-to-date list of sub-processors, including specific entities, data shared, and legal basis for each, is available upon request at legal@nomaton.mx or will be provided as part of any service agreement prior to onboarding.