Data Processing Addendum

AttestLayer offers a data processing addendum for engagements where AttestLayer acts as processor for customer personal data. The signed agreement controls.

Updated 18 April 2026. Canonical root-domain policy.

Scope

This page describes AttestLayer's public posture on data processing terms. It is not a signed contract. Where AttestLayer acts as processor for customer personal data, the parties enter a separate written addendum that controls the relationship.

The signed addendum is the authoritative document. This page is informational and may be updated as AttestLayer's posture evolves.

Roles

Where AttestLayer processes customer personal data under instruction, AttestLayer acts as processor and the customer acts as controller. Where AttestLayer processes data for its own purposes (operating the public site, billing, security), AttestLayer acts as controller.

Subprocessors and international transfers

AttestLayer's current subprocessors are listed on the Subprocessors page. Material updates are reflected there. International transfers, where they occur, rely on standard contractual mechanisms in the signed addendum.

Security and incident notification

Operational security posture is summarized on the Security page. The signed addendum sets the incident-notification timing for processor scenarios.

How to request

To request a DPA in the context of a procurement or signed engagement, email contact@attestlayer.com. AttestLayer does not provide a unilateral signed DPA outside a defined engagement.

Record-only boundary

AttestLayer operates a record-only evidence issuance service. It is not an audit opinion, compliance certification, control framework, regulatory approval, or legal advisor. Verified or not-verified outcomes describe the packaging and signing of submitted records, not the legality, accuracy, or business meaning of the underlying activity. Adoption, endorsement, mandate, approval, or sponsorship by any bank, insurer, PSP, government body, regulator, platform, or institution is not implied unless a signed public agreement says so.