AttestLayer
Partners Direct buyers

AttestLayer Policy

Security Overview

This security overview explains how AttestLayer secures the attestlayer.com root site and related public informational material. It does not replace the security pages of the direct-buyer, partner, verifier, or registry domains.

Report a vulnerability Open registry
Updated 18 April 2026 Canonical root-domain policy

Security model in plain language

AttestLayer is designed around a record-only workflow. That operating model reduces exposure because the core proof flow does not depend on an agent inside a buyer's systems or persistent direct system access.

  • No install or agent footprint is required for the core workflow.
  • Teams submit exported artifacts they already control.
  • Deterministic PASS or FAIL handling reduces ambiguity in service behavior.
  • Verification can continue outside AttestLayer's infrastructure using published or bundled trust material.

Infrastructure and access controls

First-party AttestLayer web surfaces run on managed cloud infrastructure with access restricted to the service roles that need it. The primary operating region for the public surfaces described here is Montreal, Canada.

  • Access to production systems is limited and role-scoped.
  • Public surfaces are delivered over HTTPS.
  • Raw uploaded artifacts are not retained indefinitely.
  • Operational logging and abuse controls are used to protect availability and trace service events.

Cryptography and trust publication

AttestLayer proof material is built around deterministic hashing, signed receipts, and published verification material.

  • Artifacts are bound into SHA-256 manifests.
  • Receipts are signed with Ed25519.
  • Issuer and registry trust material is published on the registry surface for independent review.
  • Issued kits include bundled verification material so offline checks remain possible.
Registry Review issuer keys, registry keys, checkpoints, and verification support endpoints. Verifier Use the local browser verifier for issued kits without requiring a private account session.

Data handling and deletion posture

Security posture on the root domain is tied to short retention and clear operating boundaries. AttestLayer does not treat first-party web surfaces as long-term storage for raw uploads.

  • Uploads are kept only long enough to process the requested service.
  • Hosted deliverables follow the retention rules of the applicable plan or agreement.
  • Registry publication is limited to cryptographic commitments rather than customer identities or file contents.
  • The root site exists to publish company, trust, and policy information without forcing a user into a buyer flow.

Disclosure and what AttestLayer does not claim

AttestLayer operates a vulnerability disclosure channel at security@attestlayer.com and publishes coordinated disclosure expectations on the Vulnerability Disclosure page.

AttestLayer does not claim that this page is itself a certification. The service is not presented as an audit opinion, legal advisor, or compliance certification body.