Data Processing Agreement
- Version: 2026-06-10
- Effective from: 2026-06-10
1. Subject and Parties
This Data Processing Agreement (the "Agreement") supplements the Terms of Service and forms an integral part of the contract between the User ("Data Controller") and Espres ("Data Processor"). This Agreement governs the processing of personal data of third parties (customers, employees, or other individuals) that the User enters into the service and which Espres processes on their behalf.
The data processor is the individual Alexis Ulises Barba Pérez, operating under the trade name "Espres" (RFC: BAPA950302880), with address at Calle Ures #450, Tepic, Nayarit, C.P. 63058, México. For inquiries related to this Agreement, contact privacidad@espres.app.
2. Processing Instructions
Espres will process personal data only according to the User's documented instructions, which are expressed through use of the service. Espres will not use the User's personal data for its own purposes beyond providing the service, unless required by applicable law.
If Espres believes that any User instruction violates the LFPDPPP or other applicable legal provisions, it will notify the User immediately.
3. Security Measures
Espres implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure, including: (a) encryption in transit via TLS 1.2 or higher; (b) encryption at rest for the database; (c) role-based access control; (d) multi-factor authentication available for administrator users; (e) security monitoring and audit logs; (f) backup and disaster recovery procedures.
Espres is subject to the security programs and certifications of its infrastructure subprocessors, which include SOC 2 Type II (Supabase, Vercel) and PCI DSS (Stripe).
4. Subprocessors
The User authorizes Espres to use the following subprocessors to process personal data on their behalf:
Supabase Inc. (United States, with Amazon Web Services infrastructure) — database storage and authentication. Data categories: all User data and end-customer data. Own DPA: available at supabase.com/legal/dpa.
Stripe, Inc. (United States) — payment processing. Data categories: billing and payment card data. Own DPA: available at stripe.com/legal/dpa.
Resend Inc. (United States) — sending transactional emails. Data categories: recipient name and email address, delivery metadata. Own DPA: available at resend.com/legal/dpa.
Vercel Inc. (United States) — web application hosting and edge functions. Data categories: session data, request logs. Own DPA: available at vercel.com/legal/dpa.
Google LLC (United States) — geocoding and maps services (Places API). Data categories: customer coordinates and address strings. Privacy policy: available at policies.google.com/privacy.
Facturapi S.A. de C.V. (Mexico) — CFDI issuance (Phase 2, only for users who request it). Data categories: customer tax data (RFC, legal name, tax regime). Privacy policy: available at facturapi.io/privacidad. The processor relationship with Facturapi is documented contractually in accordance with the LFPDPPP.
Cloudflare, Inc. (United States) — network, CDN, and DDoS protection services. Data categories: IP addresses, HTTP headers. Own DPA: available at cloudflare.com/cloudflare-customer-dpa/.
Subprocessors may in turn use infrastructure providers (sub-subprocessors), which are identified in each subprocessor's own data processing agreement.
5. International Transfers
The subprocessors listed in section 4 process data outside of Mexico (primarily in the United States). Under the LFPDPPP, these disclosures to processors are carried out under contractual obligations that guarantee a level of protection equivalent to that established in Mexico, including confidentiality duties that survive termination of the relationship.
Espres will update this Agreement when it engages new subprocessors, with at least ten (10) calendar days' prior notice to the User.
6. Data Subject Rights
Espres will assist the User, to the extent technically feasible, in fulfilling ARCO rights requests that data subjects (for example, the User's own customers) present to the User.
The User is solely responsible for responding to data subjects who are their own customers or employees. Espres will not directly handle ARCO rights requests from the User's data subjects unless required by a competent authority.
7. Security Incident Notification
Espres will notify the User of any security breach affecting their personal data without undue delay and, in any event, within the timelines established by applicable law. The notification will include: description of the incident, data affected, corrective measures taken, and a contact point at Espres.
The User is responsible for notifying affected data subjects and, where applicable, the competent personal-data protection authority (currently the Secretaría Anticorrupción y Buen Gobierno), in accordance with the LFPDPPP.
8. Data Return and Deletion
Following termination of the service, Espres will retain the User's data for thirty (30) calendar days, during which the User may request a complete export at soporte@espres.app. After that period, Espres will securely delete the data, unless applicable law imposes different retention obligations.
Upon the User's request, Espres may delete data earlier, with the exception of data that must be retained by legal obligation.