Data Retention and Deletion Policy
Last updated: June 23, 2026
Request-fit files
Buyer request files submitted to the free request-fit check are deleted within 24 hours after the fit result.
Source uploads
Source uploads submitted for a Buyer Review Pack are deleted within 24 hours after the Platform reaches a terminal processing result for the run.
Generated output
Generated packages, requirement matrices, response statements, gap reports, manifests, signed receipts, and Buyer Console order access remain available for 30 calendar days after purchase.
The same-request re-run window lasts 30 calendar days from the original purchase. Re-runs require the customer to upload any revised or additional source records again because original source uploads are not retained for re-use.
Billing records
Payment, invoice, refund, tax, and accounting records are retained for seven years or longer where required by law.
Security logs
Security and abuse-prevention logs are retained for up to 90 days unless a longer period is required to investigate an incident, resolve a dispute, prevent fraud, or comply with law.
Registry commitments
Where an issued package is recorded in the AttestLayer Registry, the public registry may retain a cryptographic commitment indefinitely. Registry commitments do not contain customer names, company names, email addresses, source records, or recoverable source content.
Deletion requests
For personal-information requests, email contact@attestlayer.com. AttestLayer may retain limited information where required for law, accounting, security, fraud prevention, or dispute resolution.
