Scope
This page describes AttestLayer's public posture on data processing terms. It is not a signed contract. Where AttestLayer acts as processor for customer personal data, the parties enter a separate written addendum that controls the relationship.
The signed addendum is the authoritative document. This page is informational and may be updated as AttestLayer's posture evolves.
Roles
Where AttestLayer processes customer personal data under instruction, AttestLayer acts as processor and the customer acts as controller. Where AttestLayer processes data for its own purposes (operating the public site, billing, security), AttestLayer acts as controller.
Subprocessors and international transfers
AttestLayer's current subprocessors are listed on the Subprocessors page. Material updates are reflected there. International transfers, where they occur, rely on standard contractual mechanisms in the signed addendum.
Security and incident notification
Operational security posture is summarized on the Security page. The signed addendum sets the incident-notification timing for processor scenarios.
Record-only boundary
AttestLayer operates a record-only evidence issuance service. It is not an audit opinion, compliance certification, control framework, regulatory approval, or legal advisor. Verified or not-verified outcomes describe the packaging and signing of submitted records, not the legality, accuracy, or business meaning of the underlying activity. Adoption, endorsement, mandate, approval, or sponsorship by any bank, insurer, PSP, government body, regulator, platform, or institution is not implied unless a signed public agreement says so.