Trust Center
What AttestLayer is, what it is not, how data is handled, and how reviewers can verify issued output.
What AttestLayer is
- A record-only evidence issuance service
- Deterministic PASS/FAIL evaluation of submitted artifacts
- Signed, forwardable verification kits with offline verification support
- No system access, no installs, no agent footprint
What AttestLayer is not
- Not an audit firm and does not issue audit opinions
- Not a compliance certification body
- Not a legal advisor
- Not a controls testing or penetration testing service
Security posture
- Ed25519 signing — every PASS kit includes a cryptographic receipt signed with Ed25519 keys
- SHA-256 manifests — artifact integrity is bound to a hash manifest at submission time
- Offline verification — proof kits include a self-contained verifier; no live session required
- Record-only model — no system access, no installs, no agent footprint
- Published security model — security documentation and verification procedures are published and reviewable
Data handling
- Data residency — all processing and storage in GCP northamerica-northeast1 (Montréal, Canada)
- Encryption at rest — AES-256 via Google-managed encryption keys
- Encryption in transit — TLS 1.2+ for all connections
- No customer names in registry — registry receipts contain only hashes and timestamps
- Artifact retention:
  - Uploads: up to 24 hours (automatic deletion).
  - Hosted deliverable links: 30 days for Activation (links expire; automatic deletion); Monthly Coverage subscribers retain access during active subscription.
  - Payment/invoice records: 7 years (standard accounting/tax retention).
  - Downloaded copies are kept by you, outside our control.
Current registry trust model
The registry is currently self-witnessed by AttestLayer. Checkpoints are signed by the registry key and published at registry.attestlayer.com. Receipts inside verification kits are signed by a separate issuer key. External witness cosignatures are structurally supported but not yet active. When independent witnesses are onboarded, this section will be updated.
How signatures are verified
AttestLayer uses two separate Ed25519 key pairs for different purposes:
- Issuer key (issuer.jwks.json) — signs receipts inside every PASS verification kit. This is the key verifiers check when validating a kit. Current kid is published in the JWKS.
- Registry key (registry.jwks.json) — signs checkpoints in the append-only transparency log. This is the key auditors check when verifying log integrity. Current kid is published in the JWKS.
Both key sets are published at the registry and never deleted on rotation — revoked keys remain for historical verification. The two key pairs are completely separate: the issuer key never signs checkpoints and the registry key never signs receipts.
What reviewers can verify independently
- Receipt signature — verify the Ed25519 signature against issuer.jwks.json
- Manifest integrity — recalculate SHA-256 hashes and compare to the manifest root
- Checkpoint inclusion — confirm the receipt hash appears in a signed registry checkpoint (signed with registry.jwks.json)
- Key history — audit the full key rotation history at both JWKS endpoints
- Offline verification — use the bundled browser verifier included in the kit, without a live session
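
The receipt signature check and the issuer/registry key separation described above can be sketched as follows. This is an added example, not AttestLayer's verifier: it assumes the JWKS files use the RFC 8037 encoding for Ed25519 keys and that the signature covers the raw receipt bytes, and the function names, kids and keys are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// VerifyWithSet checks sig over msg against key kid from ONE key set only, so
// a receipt checked against the issuer set can never pass on a registry key.
func VerifyWithSet(setJSON []byte, kid string, msg, sig []byte) error {
	// RFC 8037: an Ed25519 public key is kty "OKP", crv "Ed25519", x = base64url.
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	if err := json.Unmarshal(setJSON, &set); err != nil {
		return fmt.Errorf("parse key set: %w", err)
	}
	for _, k := range set.Keys {
		if k.Kid != kid {
			continue
		}
		pub, err := base64.RawURLEncoding.DecodeString(k.X)
		if err != nil || k.Kty != "OKP" || k.Crv != "Ed25519" || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("unusable key entry")
		}
		if !ed25519.Verify(pub, msg, sig) {
			return fmt.Errorf("signature does not verify")
		}
		return nil
	}
	return fmt.Errorf("kid not present in this key set")
}

// constructedSet builds a sample one-key set from a fixed seed (constructed data, not a real key).
func constructedSet(kid string, seed int) ([]byte, func([]byte) []byte) {
	priv := ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%032d", seed)))
	x := base64.RawURLEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	set := fmt.Sprintf(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":%q,"x":%q}]}`, kid, x)
	return []byte(set), func(m []byte) []byte { return ed25519.Sign(priv, m) }
}

func main() {
	issuer, sign := constructedSet("issuer-demo", 1)
	registry, _ := constructedSet("registry-demo", 2)
	msg := []byte("constructed receipt bytes")
	fmt.Println("issuer set:  ", VerifyWithSet(issuer, "issuer-demo", msg, sign(msg)))
	fmt.Println("registry set:", VerifyWithSet(registry, "registry-demo", msg, sign(msg)))
}
```

Because revoked keys stay published for historical verification, a reviewer selects the key by the kid recorded with the receipt rather than by "current" status.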
Verification infrastructure
- Public key registry — signing keys are published at registry.attestlayer.com
- Key rotation — keys rotate on a defined schedule with full history preserved
- Verify portal — verify.attestlayer.com provides client-side proof verification
- Deterministic evaluation — same input always produces the same PASS/FAIL result
Policies
- Security: Security model and controls
- Privacy: Privacy policy
- Terms: Terms of Service
- Subprocessors: Third-party subprocessors
- Refund: Refund policy
