Mexico Data Privacy


The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) was published in July 2010 and regulates the processing of personal data (defined as any information concerning an identified or identifiable natural person) carried out by individuals or legal entities of the private sector. Subsequently, the Congress of the Union approved various regulations that regulate data privacy, among which are the General Law on Protection of Personal Data Held by Obligated Parties (LGPDPPSO), which regulate the processing of personal data by the public sector. The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) is the autonomous constitutional body of Mexico in charge of ensuring compliance with both Laws and their regulations.

In the case of the private sector, article 52 of the LFPDPPP Regulation states that personal data controllers may use services, applications and infrastructure in the cloud as long as the cloud provider complies with certain requirements related to, among other things, the protection of privacy for personal data. For the public sector, this same authorization is found in article 63 of the LGPDPPSO.

AWS cares about your privacy and the security of your data. At AWS, security starts with our core infrastructure. Designed specifically for the cloud and to meet the world’s most stringent security requirements, our infrastructure is monitored 24/7 to ensure the confidentiality, integrity and availability of our customers’ data. The same world-renowned security experts who oversee this infrastructure also create and maintain our wide selection of innovative security services, which can help you meet your own security and regulatory demands. As an AWS customer, regardless of your size or location, you have all the benefits of our expertise, which is measured against the most stringent third-party security programs.

AWS implements and maintains technical and organizational security measures applicable to AWS Cloud Infrastructure services under globally recognized security certifications and regulatory frameworks, including but not limited to ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1 and SOC 1, 2 and 3. These technical and organizational security measures are validated by independent third-party assessors and are designed to prevent unauthorized access or disclosure of customer content.

For example, ISO 27018 is the first international code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides application guidelines on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls specifically geared toward protecting the privacy of their content.

AWS’s technical and organizational measures are consistent with the requirements of the LFPDPPP and the LGPDPPSO to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.

Since AWS does not have visibility into the type of content customers choose to store on AWS, including whether or not that content is considered subject to the LFPDPPP and the LGPDPPSO, customers are ultimately responsible for their own compliance. The content on this page supplements existing data privacy resources to help you align your requirements with the AWS Shared Responsibility Model when processing personal data in international data centers. 


  • Yes. All AWS services can be used in accordance with the LFPDPPP and the LGPDPPSO to store Mexican personal data, including issues related to the deletion of data. This means that, in addition to benefiting from all the measures that AWS already takes to maintain the security of services, customers can implement AWS services as a key component of their plans in accordance with the LFPDPPP and the LGPDPPSO. 

  • Under the AWS Shared Responsibility Model, AWS customers remain in control of the security measures they choose to implement to protect their content, platform, applications, systems, and networks, just as they would for applications located on a data center in its own facilities (on-premises data center). Customers can rely on the technical and organizational safeguards and controls provided by AWS to manage their own compliance requirements. Customers can use common security measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features such as AWS Identity and Access Management.

    When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

    • Security measures that AWS implements and operates – "AWS cloud security", and
    • Security measures implemented and operated by customers related to the security of customer content and applications using AWS services – "customer cloud security"
  • Customers maintain ownership and control of their content and select which AWS services process, store, and receive their content. AWS does not have visibility into customer content and does not use or access content except to provide the AWS services that the customer has selected or as necessary to comply with the law or a binding legal order.

    Customers using AWS services maintain control of their content within the AWS environment. Customers can:

    1. Determine where the content will be stored, such as the type of storage environment and the geographic location of the storage.
    2. Control the format of the content, such as plain text, masked, anonymized or encrypted, using AWS-provided encryption or a third-party encryption mechanism of the customer's choosing.
    3. Manage access controls, such as identity and access management and security credentials.
    4. Control whether TLS, virtual private cloud and other network security measures are used to prevent unauthorized access.

    This enables AWS customers to control the entire life cycle of their content on AWS and manage it according to their specific needs, including content classification, access control, retention and deletion. 

  • AWS global infrastructure gives you the flexibility to choose how you want to run workloads and where. When you do, you use the same AWS network, control plane, APIs, and services. If you want to run your applications around the world, you can choose from any of the AWS Regions and availability zones. As a customer, you can choose the AWS Regions in which your content will be stored, allowing you to implement AWS services in a location of your choice based on specific geographic requirements. For example, if an AWS customer in Australia wants to store their data only in that country, they can choose to implement their AWS services exclusively in the AWS Asia-Pacific (Sydney) Region. If you want to read about other flexible storage options, see the AWS Regions webpage.

    You can replicate and back up your customers’ content in more than one AWS Region. We will not transfer or replicate your content outside of the chosen AWS Regions without your consent, except as necessary to comply with the law or a binding order from a government agency. However, please note that not all AWS services may be available in all AWS Regions. For more information about the services that are available in the different AWS regions, see the AWS regional services webpage.

    AWS data centers are located in groups in various countries around the world. Each of our data center groups is referred to as a "region".

    AWS customers choose the AWS Region(s) in which their content will be stored. In this way, customers with specific geographical requirements can establish environments in the location(s) of their choice.
    Customers may replicate and back up content in more than one region, but AWS does not move customer content outside of the region(s) selected by the customer except to provide services requested by customers or to comply with the law. 

  • AWS' approach to data center security is based on scalable security controls and multiple levels of protection to help protect customers information. For example, AWS carefully manages potential risks from floods and earthquakes. We use physical barriers, security guards, threat detection technology and a thorough review process to limit access to data centers. We back up our systems, frequently test equipment and processes, and continually train AWS employees to be prepared for the unexpected.

    To validate the security of our data centers, external auditors carry out tests on more than 2,600 standards and requirements throughout the year. With this independent review, we ensure that safety standards are consistently met, or even exceeded. As a result, the world’s most regulated organizations trust AWS to protect their data.

    Learn more about how we secure AWS data centers from the design by taking a virtual tour » 
  • Customers can choose to use any region, all regions, or a combination of regions, including the Brazil and United States of America regions. Visit the AWS Global Infrastructure page for a complete list of AWS Regions. 

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »