AttestLayer

Security & Data Handling

Only claims we can prove. No vague statements. Every control listed here is implemented.

Cryptographic Controls

  • Encryption at rest: AES-256 (Google Cloud Platform-managed encryption). CMEK is available for Enterprise Reserved Capacity lanes only.
  • Signing: Ed25519 — every receipt is signed with a versioned key. Keys are published at registry.attestlayer.com/v1/jwks/issuer.jwks.json.
  • Hashing: SHA-256 — every artifact and manifest is hashed. Root hash is included in the signed receipt.
  • Key rotation: signing keys are rotated periodically. Old keys are never deleted; revoked keys remain in the JWKS so that receipts signed before the revocation can still be verified. A verifier should therefore accept a revoked key only for receipts issued before it was revoked, not for anything signed afterwards.

Verification Key Separation

AttestLayer uses two separate Ed25519 key pairs:

  • Issuer key (issuer.jwks.json) — signs receipts inside every PASS verification kit. Verifiers check this key when validating a kit.
  • Registry key (registry.jwks.json) — signs checkpoints in the append-only transparency log. Auditors check this key when verifying log integrity.

Both key sets are published at the registry. As above, revoked keys are never deleted; they remain in the key set for historical verification of receipts and checkpoints signed before the revocation.
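As an added example (not AttestLayer's own verifier or code), the following Go program shows what a kit verifier has to do with issuer.jwks.json: select the key by kid, reject unknown or malformed keys, check the Ed25519 signature over the exact bytes that were signed, and apply the historical-verification rule so that a revoked key is accepted only for receipts issued before its revocation. The kty/crv/kid/x fields are the standard RFC 8037 OKP layout; the revoked_at field, the receipt layout (receipt_id, issued_at, root_hash) and the payload/sig envelope are assumptions made for the example, and the keys and receipts are generated inside the program rather than fetched from the registry.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// JWK is one RFC 8037 OKP entry as it would appear in issuer.jwks.json. The
// revoked_at field is hypothetical: the page does not say how revocation is encoded.
type JWK struct {
	Kty       string     `json:"kty"`
	Crv       string     `json:"crv"`
	Kid       string     `json:"kid"`
	X         string     `json:"x"`
	RevokedAt *time.Time `json:"revoked_at,omitempty"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

// Receipt is a constructed payload; only receipt_id and the root hash are named on the page.
type Receipt struct {
	ReceiptID string    `json:"receipt_id"`
	IssuedAt  time.Time `json:"issued_at"`
	RootHash  string    `json:"root_hash"`
}

// Envelope carries the exact signed bytes (base64url) so the verifier never re-serializes JSON.
type Envelope struct{ Kid, Payload, Sig string }

var b64 = base64.RawURLEncoding

// VerifyReceipt selects the key by kid, checks the Ed25519 signature, then applies the
// historical rule: a revoked key verifies receipts issued before its revocation, never after.
func VerifyReceipt(keys JWKS, env Envelope) (Receipt, error) {
	var k *JWK
	for i := range keys.Keys {
		if keys.Keys[i].Kid == env.Kid {
			k = &keys.Keys[i]
		}
	}
	if k == nil {
		return Receipt{}, fmt.Errorf("unknown kid %q", env.Kid)
	}
	pub, err := b64.DecodeString(k.X)
	if err != nil || k.Kty != "OKP" || k.Crv != "Ed25519" || len(pub) != ed25519.PublicKeySize {
		return Receipt{}, fmt.Errorf("kid %q: not a well-formed Ed25519 OKP key", k.Kid)
	}
	payload, err1 := b64.DecodeString(env.Payload)
	sig, err2 := b64.DecodeString(env.Sig)
	if err1 != nil || err2 != nil || !ed25519.Verify(ed25519.PublicKey(pub), payload, sig) {
		return Receipt{}, fmt.Errorf("kid %q: signature does not verify", k.Kid)
	}
	var r Receipt
	if err := json.Unmarshal(payload, &r); err != nil {
		return Receipt{}, err
	}
	if k.RevokedAt != nil && !r.IssuedAt.Before(*k.RevokedAt) {
		return Receipt{}, fmt.Errorf("kid %q was revoked at %s, receipt issued at %s", k.Kid, k.RevokedAt.Format(time.RFC3339), r.IssuedAt.Format(time.RFC3339))
	}
	return r, nil
}

func sign(priv ed25519.PrivateKey, kid string, r Receipt) Envelope {
	payload, _ := json.Marshal(r)
	return Envelope{kid, b64.EncodeToString(payload), b64.EncodeToString(ed25519.Sign(priv, payload))}
}

func newKey(kid string, revokedAt *time.Time) (JWK, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	return JWK{"OKP", "Ed25519", kid, b64.EncodeToString(pub), revokedAt}, priv
}

// Fixtures is a constructed scenario: an active key, a key revoked at t0, one receipt per rule.
type Fixtures struct{ Keys JWKS; Valid, Historical, PostRevoke, Tampered Envelope }

func NewFixtures() Fixtures {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	active, activePriv := newKey("issuer-v2", nil)
	old, oldPriv := newKey("issuer-v1", &t0)
	root := "c0ffee" // stands in for the SHA-256 root hash of the kit manifest
	f := Fixtures{Keys: JWKS{[]JWK{active, old}}}
	f.Valid = sign(activePriv, "issuer-v2", Receipt{"r-100", t0.Add(48 * time.Hour), root})
	f.Historical = sign(oldPriv, "issuer-v1", Receipt{"r-001", t0.Add(-24 * time.Hour), root})
	f.PostRevoke = sign(oldPriv, "issuer-v1", Receipt{"r-002", t0.Add(24 * time.Hour), root})
	forged, _ := json.Marshal(Receipt{"r-999", t0.Add(48 * time.Hour), root}) // new id, reused signature
	f.Tampered = Envelope{"issuer-v2", b64.EncodeToString(forged), f.Valid.Sig}
	return f
}

func main() {
	f := NewFixtures()
	cases := map[string]Envelope{"valid": f.Valid, "historical": f.Historical, "post-revoke": f.PostRevoke, "tampered": f.Tampered}
	for name, env := range cases {
		_, err := VerifyReceipt(f.Keys, env)
		fmt.Printf("%-12s err=%v\n", name, err)
	}
}
```

The status check sits next to the signature check on purpose: a verifier that only calls ed25519.Verify would accept a receipt minted with a revoked key after the revocation, which is exactly the case key rotation exists to close. The same structure applies to registry.jwks.json when checking log checkpoints; only the key set and the payload type change.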

Immutability

Artifacts are immutable after issuance. We never modify a receipt, manifest, or artifact post-signing. Any re-issuance generates a new receipt with a new receipt_id and new signature. Immutability is enforced by cryptographic commitments (signed receipts and Merkle inclusion proofs), not by hardware controls. See our Registry Transparency Policy for details.
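The hashing and inclusion-proof mechanics behind the two previous sections (SHA-256 over every artifact, a root hash carried in the signed receipt, and Merkle inclusion proofs as the immutability commitment), as an added example that is not AttestLayer's own code: the Go program below hashes a constructed set of artifacts into leaves, builds the tree, produces an inclusion proof for one artifact and verifies it against the root, then shows that an artifact edited after issuance no longer proves against the same root. The leaf/node domain-separation prefixes and the promote-odd-node rule are assumptions of this example; the page does not specify the tree layout, and the artifact contents are made up.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Leaf and interior nodes get distinct prefixes (as in RFC 6962) so an interior
// hash can never be passed off as an artifact hash. The prefixes are an
// assumption of this example; the page does not specify the tree layout.
func leafHash(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, data...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// ProofStep is one sibling hash and which side of the running hash it joins on.
type ProofStep struct {
	Hash []byte
	Left bool
}

// buildProof hashes the leaves pairwise up to the root, collecting the sibling
// path for leaf index target (none when target < 0). An odd node at the end of
// a level is promoted unchanged rather than duplicated, so [a,b,c] and
// [a,b,c,c] never share a root.
func buildProof(level [][]byte, target int) ([]byte, []ProofStep) {
	if len(level) == 0 {
		return nil, nil
	}
	var proof []ProofStep
	for len(level) > 1 {
		var next [][]byte
		for j := 0; j < len(level); j += 2 {
			if j+1 == len(level) {
				next = append(next, level[j])
				continue
			}
			if target == j {
				proof = append(proof, ProofStep{level[j+1], false})
			} else if target == j+1 {
				proof = append(proof, ProofStep{level[j], true})
			}
			next = append(next, nodeHash(level[j], level[j+1]))
		}
		if target >= 0 {
			target /= 2
		}
		level = next
	}
	return level[0], proof
}

func MerkleRoot(leaves [][]byte) []byte                { r, _ := buildProof(leaves, -1); return r }
func InclusionProof(leaves [][]byte, i int) []ProofStep { _, p := buildProof(leaves, i); return p }

// VerifyInclusion recomputes the path from a leaf hash and compares the result
// with the root carried in the signed receipt.
func VerifyInclusion(root, leaf []byte, proof []ProofStep) bool {
	h := leaf
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Hash, h)
		} else {
			h = nodeHash(h, s.Hash)
		}
	}
	return bytes.Equal(h, root)
}

func Leaves(artifacts [][]byte) [][]byte {
	out := make([][]byte, len(artifacts))
	for i, a := range artifacts {
		out[i] = leafHash(a)
	}
	return out
}

// Artifacts is a constructed evidence set; a real kit hashes file contents.
var Artifacts = [][]byte{
	[]byte("manifest.json: {\"kit\":\"demo\",\"files\":4}"),
	[]byte("policy.pdf: <bytes>"),
	[]byte("scan-report.sarif: <bytes>"),
	[]byte("build.log: <bytes>"),
	[]byte("sbom.spdx.json: <bytes>"),
}

func main() {
	leaves := Leaves(Artifacts)
	root := MerkleRoot(leaves)
	proof := InclusionProof(leaves, 2)
	fmt.Println("root_hash:", hex.EncodeToString(root))
	fmt.Println("scan-report included:", VerifyInclusion(root, leaves[2], proof))
	edited := leafHash([]byte("scan-report.sarif: <edited after issuance>"))
	fmt.Println("edited scan-report included:", VerifyInclusion(root, edited, proof))
}
```

The immutability guarantee is only as strong as the binding between root and receipt: a verifier must take the root from a receipt whose signature it has already checked against the issuer key, then check inclusion against that root, never against a root shipped loose alongside the artifacts.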

Infrastructure

  • Cloud: Google Cloud Platform, region: northamerica-northeast1 (Montréal).
  • Transport: All connections to all endpoints use HTTPS with TLS 1.2+.
  • Access: least-privilege IAM; production access restricted to deployment pipelines.
  • Compute: Cloud Run (serverless); no persistent VMs. Services scale to zero when idle.
  • Database: Cloud SQL (PostgreSQL) with automated backups and encryption.
  • Payments: handled by Stripe. We do not store full card numbers.

Data Retention

  • Uploads: Up to 24 hours (automatic deletion).
  • Hosted deliverable links: 30 days (links expire; automatic deletion).
  • Downloaded copies: kept by you / your customer, outside our control.
  • Payment/invoice records: retained for 7 years, as required for accounting and tax purposes.

Operational Model

  • 100% automated: no human review required for PASS/FAIL. Intake, classification, hashing, signing, and delivery are fully automated.
  • Deterministic: the same input always produces the same PASS/FAIL outcome. No discretion, no exceptions.
  • Logging: operational logs for delivery tracking and abuse prevention. No secrets in logs. No PII in registry entries.

Never-Invent Policy

We do not fabricate answers, generate synthetic evidence, or fill gaps. If artifacts do not support a claim, it is marked UNSUPPORTED or returned as FAIL with a machine-readable checklist.

Disclosure: What We Do NOT Claim

  • We are not SOC 2 certified (we do not claim to be).
  • We do not perform penetration testing on your infrastructure.
  • We do not have a dedicated physical security team — we are a cloud-native service.
  • Local development uses ephemeral keys; production uses GCP KMS-managed keys.

Contact

Security issues: security@attestlayer.com
Vulnerability disclosure: /vulnerability-disclosure (acknowledgement SLA: 3 business days)

Do not upload secrets (private keys, root passwords, credentials). Upload only what you are willing to include in a client evidence packet.