AttestLayer
Partners Direct buyers

AttestLayer Policy

Privacy Policy

This privacy policy applies only to the attestlayer.com corporate, trust, and informational site unless a page on this root domain explicitly states otherwise.

View subprocessors Contact AttestLayer
Updated 18 April 2026 Canonical root-domain policy

Scope and AttestLayer's role

This policy covers the attestlayer.com root site only: company pages, trust pages, policy pages, public informational material, and corporate contact routes served on that root domain.

AttestLayer acts as the controller for website usage data, contact data, trust or procurement inquiry data, and limited operational data collected through those root-domain pages.

This policy does not govern buy.attestlayer.com, partners.attestlayer.com, verify.attestlayer.com, registry.attestlayer.com, pay.attestlayer.com, or console.attestlayer.com. Each of those domains keeps its own policy set.

What AttestLayer collects

AttestLayer collects only the categories of data needed to operate the root corporate and informational site.

  • Website usage data such as page requests, browser or device metadata, referrer data, IP-based security logs, and limited analytics events.
  • Contact and inquiry data such as names, work email addresses, company names, and support, trust, procurement, or partnership correspondence.
  • Corporate routing data such as which surface or workflow a visitor asks to be directed toward.
  • Security and abuse-prevention data such as authentication events, rate-limit events, and fraud or misuse signals.

AttestLayer does not sell personal data collected through the root site.

How AttestLayer uses data

AttestLayer uses collected data to operate, secure, and improve the root site and to answer inbound corporate, trust, procurement, or partnership requests.

  • Provide public site content, trust references, and documentation.
  • Route visitors to the appropriate AttestLayer surface for their requested workflow.
  • Respond to support, trust, procurement, legal, or security inquiries.
  • Detect abuse, protect service reliability, and satisfy legal obligations.

Where law requires a legal basis, AttestLayer relies on contract performance, legitimate interests in operating and securing the service, compliance obligations, and consent where consent is the correct basis.

Sharing and subprocessors

AttestLayer shares data only with service providers needed to operate first-party surfaces, process payments, deliver communications, or support the applicable service workflow.

  • Hosting, storage, and operational infrastructure providers.
  • Payment processors and billing support providers.
  • Transactional email providers.
  • Limited analytics providers used on first-party web surfaces.

The current provider list is maintained on the Subprocessors page. AttestLayer may also disclose data where required by law, to protect the service, or as part of a corporate transaction involving the business.

Retention, security, and your choices

Retention depends on the category of data and the surface being used. Uploaded artifacts are kept only as long as needed to process the requested service. Hosted deliverable access follows the retention rules of the applicable plan or agreement. Billing and accounting records are retained longer where law requires it.

AttestLayer uses technical and organizational measures appropriate to a cloud-native, record-only service, including access controls, encrypted infrastructure layers, cryptographic signing, and short retention for raw uploads. More detail is available on the Security page.

You can request access, correction, or deletion by contacting contact@attestlayer.com. Some records may need to be retained to complete a transaction, preserve security, or meet legal obligations.

Additional disclosures

Automated decision-making. AttestLayer does not use the personal data collected through the attestlayer.com root site to make decisions that produce legal effects on you or similarly significant effects on you without meaningful human involvement. Limited automated processing is used for abuse prevention, security signal detection, rate limiting, and routing of inbound inquiries to the correct AttestLayer team. AttestLayer does not use this site to provide audit opinions, certification, legal advice, or other regulated decisions about visitors.

Cross-border processing. AttestLayer is based in Montreal, Quebec, Canada, and the primary processing region for the attestlayer.com root site is Canada. Where AttestLayer relies on subprocessors located outside Canada, AttestLayer uses contractual, organizational, and technical safeguards consistent with applicable law for the categories of data involved, including, where applicable, Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent transfer mechanisms. The current subprocessor list is published on the Subprocessors page.

Security incidents. If AttestLayer becomes aware of a confirmed security incident that compromises the confidentiality, integrity, or availability of personal data processed through the attestlayer.com root site and that meets the notification threshold of applicable law or any written agreement, AttestLayer will provide notice to affected counterparties and, where required, regulators, within the timeframes required by that law or agreement. Suspected vulnerabilities can be reported to security@attestlayer.com; the public coordinated-disclosure process is published on the Vulnerability Disclosure page.