Tensorial

DPA

Data Processing Agreement (DPA)

Data Processing Agreement between Tensorial as processor and the customer as data controller for the provision of the Tensorial service under Mexican data protection law and, where applicable, GDPR.

Create accountSign in

Tenants

Multi

Branches

Scoped

Security

RLS

Operational view

Billing, messaging and access aligned

Live
WhatsApp providerMeta Cloud
Platform subscriptionActive

Branches

12

Jobs

148

Alerts

03

Agreement date: March 26, 2026

1. Object and Term

  • 1.1 Object: This agreement regulates the processing of personal data carried out by the Processor on behalf of the Controller through Tensorial, in accordance with LFPDPPP and, where applicable, GDPR.
  • 1.2 Term: This Agreement takes effect upon Controller acceptance and remains effective until service termination; after that, until the personal data is fully deleted or returned to the Controller.
  • Controller: Customer user of Tensorial.
  • Controller data: Name, RFC, address, email.
  • Processor: Ambitius Growth Leaders Allience S.A. de C.V..
  • Processor address: José María Morelos y Pavón 353-1, Metepec, Estado de México, C.P. 52140.

2. Nature of Processing

The Processor will process personal data only for the service purposes listed below:

  • Storage
  • Organization
  • Processing
  • Consultation
  • Necessary transmission for service delivery.
  • Data subject to processing includes client, contact, fiscal, and operational data uploaded by the Controller.
  • The Processor acts only on documented instructions from the Controller and does not determine the purposes of processing.

3. Processor Obligations

Instructions
Process data only according to documented instructions of the Controller.
Purpose limitation
Not process data for Processor's own business purposes.
Security
Implement appropriate technical and organizational measures; see clause 6 for security measures.
Confidentiality
Ensure authorized personnel are subject to confidentiality duties.
Data breach notification
Notify security incidents without undue delay and no later than 48 hours.
Duty to alert
Inform the Controller immediately if an instruction breaches applicable law.

4. Subprocessors

  • General authorization for subprocessors. Current subprocessors are: Vercel (infrastructure/hosting, United States), Stripe (payment processing, United States).
  • The Processor ensures that subprocessors apply equivalent protection standards, contractual confidentiality and security obligations, and do not use data for their own purposes.
  • Subprocessor changes: notification to the Controller at least 30 calendar days in advance.
  • The Controller may object for justified reasons within 15 calendar days.

5. Data Subject Rights

  • The Processor will support the Controller, where reasonably possible, to address ARCO rights, data portability, processing limitation, and erasure requests.
  • Any request received directly by the Processor will be forwarded to the Controller within 48 hours.

6. Information Security

Encryption
TLS/SSL encryption in transit.
Access controls
Role-based authentication and access controls.
Backups
Periodic encrypted backups.
Monitoring
Access logging and anomaly detection.

7. Auditing

  • The Controller may request compliance audits up to once per year, with 30 days’ prior notice.
  • Audits must not disrupt System operation.
  • Audit costs, when applicable, are borne by the Controller.
  • The Processor may provide alternative evidence such as security reports.

8. International Transfers

  • The Controller recognizes and authorizes transfers to countries such as the United States derived from subprocessors.
  • The Processor will implement reasonable measures to ensure an adequate level of protection in such transfers.

9. Service Termination

  • Upon termination of the contractual relationship, the Controller has 30 calendar days to export its data.
  • After that period, the Processor will delete personal data, except where legal retention obligations apply.
  • Legal and fiscal retention requirements remain applicable.

10. Liability

  • The Processor is not liable for illegally uploaded data by the Controller.
  • The Processor is not liable for misuse by the Controller.
  • The Processor is not liable for instructions that violate the law.
Controller
Guarantees the lawfulness of data provided to the Processor and that required consents have been obtained.
Processor
Is responsible for processing data in accordance with this Agreement.

11. Limitation of Liability

The Processor’s total liability is limited as provided in the Tensorial Terms and Conditions.

This does not limit liabilities that cannot be waived by law.

12. Governing Law and Jurisdiction

This Agreement is governed by the laws of Mexico.

Both parties submit to the courts of Santiago de Querétaro, Querétaro.

For EU data subjects, GDPR provisions will be respected to the extent applicable.

13. Acceptance

Controller: electronic acceptance when registering in Tensorial.

Processor: Ambitius Growth Leaders Allience S.A. de C.V..