AttestLayer

Data Processing Addendum

Public baseline controller-processor terms for partners.attestlayer.com partner workflows.

This page describes the standard data-processing posture for partners.attestlayer.com, including partner program activity, approved partner-console access, and the workflow material a partner submits for processing. It is a public baseline and does not replace a signed order form, enterprise agreement, or negotiated privacy exhibit.

1. Roles

For partner-submitted workflow material and related delivery metadata, the partner is typically the controller or business and AttestLayer acts as a processor or service provider. AttestLayer remains an independent controller for its own account management, billing, security, fraud-prevention, analytics, and legal-compliance records.

2. Processing details

  • Subject matter: processing submitted workflow files and related metadata to generate PASS or FAIL results, manifests, receipts, delivery events, and support records.
  • Duration: for the period required to perform the requested workflow plus the retention periods stated on /privacy.
  • Data subjects: partner personnel, downstream customer contacts, and any individuals whose personal data is contained in submitted workflow material.
  • Data categories: uploaded files, manifests, receipts, job identifiers, delivery metadata, and partner contact or support data.

3. Core processor commitments

  • Process partner workflow data only on the documented instructions reflected in the partner workflow, the relevant order, or a signed agreement.
  • Limit access to personnel and subprocessors that need access to operate the service.
  • Bind personnel with access to confidentiality obligations.
  • Use technical and organizational measures appropriate to a cloud-native, record-only service, as described on /security.

4. Subprocessors and transfers

Current partner-surface subprocessors are listed at /subprocessors. Core partner workflow operations are centered in Montréal, while specific providers such as payment processing or analytics may operate from additional regions disclosed on that list.

5. Assistance, incidents, and deletion

  • AttestLayer will provide reasonable assistance for access, deletion, correction, or incident-coordination requests to the extent required by law or the governing agreement.
  • Security incidents affecting partner workflow data will be handled under AttestLayer's security process and escalated through the applicable customer contact path.
  • Deletion and return follow the retention commitments stated on /privacy, unless a signed agreement requires something more specific.

6. Requesting an executed copy

To request an executed DPA or negotiate partner-specific processor terms, email contact@attestlayer.com with your company name, the relevant AttestLayer order context, and any required security or privacy exhibit.