AttestLayerAttestLayer

Security & data handling

We design for minimal access and minimal data. This summarizes controls for partner evaluation.

Controls

  • Transport: HTTPS/TLS in transit
  • Storage: encryption at rest provided by hosting platform; CMEK status: REPLACE_CMEK_STATUS
  • Access: least privilege; production access restricted
  • Logging: operational logs for delivery and abuse prevention (no questionnaire secrets in logs)
  • Payments: handled by Stripe; we do not store full card numbers
  • Security contact: REPLACE_SECURITY_EMAIL

Retention truth table

  • Uploads: Up to 24 hours (automatic deletion)
  • Hosted deliverables links: 30 days (links expire; automatic deletion)
  • Partner/customer downloaded copies: kept by you/customer
  • Payment/invoice records: retained as required for accounting/tax (duration: REPLACE_ACCOUNTING_RETENTION)

Never-invent policy

We do not fabricate answers. Unknowns are explicitly marked.