Compliance Posture
Last updated: June 2026
1. Overview
BasePro operates a risk-based compliance posture aligned to the regulatory frameworks applicable to real estate operations in Mexico and LATAM. We prioritise transparency: this page describes our current posture honestly, distinguishing between capabilities that are live, controls that are rolling out, and areas where we are working toward alignment. We continuously trial new capabilities in beta; only generally-available capabilities are enabled by default, and customers can opt out of experimental or beta features at any time. We update these descriptions as our posture evolves.
2. CFDI (Mexico E-Invoicing)
BasePro is CFDI-capable: the platform is built to issue SAT-valid CFDI 4.0 electronic invoices through a certified PAC (Proveedor Autorizado de Certificación) integration. This capability is rolling out as part of the financial layer — when available, the platform handles the SAT specification so operators manage their transactions, not the technical standard. CFDI Path B (CSV export for accountants and reporting) is live today.
3. ARCO Rights (LFPDPPP)
Under Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), data subjects have ARCO rights: Access, Rectification, Cancellation, and Opposition. BasePro maintains documented procedures to respond to ARCO requests within the statutory timeframe of 20 business days. Privacy contact: privacy@basepro.io.
4. GDPR Alignment
For customers and data subjects located in the European Union, BasePro applies GDPR-aligned data handling practices: data minimisation, documented lawful basis for processing, fulfilment of data subject rights, and a Data Processing Agreement available at /legal/dpa. BasePro is not EU-certified — no Mexican regulatory body certifies GDPR equivalence, and we have not completed a formal GDPR audit. We follow the principles and update our practices as our operations grow into EU markets.
5. Data Residency
Customers may select their data residency region at signup: EU, US, or APAC. Sensitive personal data is stored with per-organisation envelope encryption, meaning your data is logically isolated at the cryptographic layer. Regional selection is persistent for the life of the account. As with all capabilities in active development, residency configuration is subject to beta-programme status in some deployment contexts; contact us to confirm availability for your region. For full detail on data storage locations and sub-processors, see our Privacy Policy at /legal/privacy and our Sub-processors page at /legal/sub-processors.