AttestLayer

Partner FAQ

Common partner questions.

Plain-language answers about how the partner program works, what AttestLayer is, what it is not, and how packets are delivered to clients and reviewers.

AttestLayer provides record-only evidence issuance and verification support. It does not certify compliance, replace audit work, provide legal advice, or guarantee the underlying security/compliance state of the customer.

Is AttestLayer an auditor?

No. AttestLayer is record-only. It does not audit, certify, or legally approve client compliance, security, or controls.

Do partners get credentials, scanners, or system access?

No. AttestLayer never asks for client system access. Clients submit supplied records through the partner workspace. There is no install or scanner.

Who owns the client relationship?

The partner. AttestLayer does not sell around the partner from inside the workspace.

What does a packet contain?

Binder PDF, manifest JSON, signed receipt, hash trail, and a verification path. Reviewers can verify integrity and issuance offline.

What is a PASS credit?

A PASS credit is consumed when an evidence packet is issued for a client. PASS means the submitted records were complete enough to issue. FAIL burns zero credits.

What if a client is missing data?

The workspace produces a blocker report. The partner reviews the blockers with the client, the client submits the missing records, and the packet can be re-attempted. Failed attempts do not consume credits.

How long does qualification take?

Qualification depends on the tier and the partner’s context. Most qualifications complete within one to three working sessions.

Can partners white-label AttestLayer?

No. AttestLayer keeps its name on the issued packet so reviewers can independently verify it. Partners can mark up, bundle, or include AttestLayer-backed packet delivery inside their own service offering, but the packet itself is AttestLayer-issued.

Does AttestLayer work with regulated industries?

AttestLayer can support partner workflows in fintech, healthcare-adjacent, public-sector, and platform/API workflows, but it does not provide regulated-industry advice and does not replace regulator, lawyer, insurer, or auditor review.

Where do platform/API and institutional partners go?

Platform/API and institutional partners use program.attestlayer.com.

How are packets verified?

Through verify.attestlayer.com, the offline verifier, and JWKS public-key discovery on registry.attestlayer.com.

What does AttestLayer not promise?

It does not promise compliance, security guarantees, buyer acceptance, regulator acceptance, insurer acceptance, or audit equivalence.

The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.