AttestLayerAttestLayer
1-866-739-0570Sign inStart free Pilot

Effective date: May 12, 2026 · Last updated: May 12, 2026
Applies to: buy.attestlayer.com direct-buyer purchase paths.

This page governs buy.attestlayer.com and the direct-buyer purchase paths reachable from it. Companywide AttestLayer policies may apply separately where expressly referenced, but this buy-site page controls for direct-buyer purchases made on buy.attestlayer.com.

Buy site DPA

Data Processing Addendum — buy.attestlayer.com

Summary of the Data Processing Addendum terms for direct-buyer purchases on buy.attestlayer.com. A counter-signed DPA is available on request.

1. What this page covers

This page summarizes the Data Processing Addendum (DPA) terms applicable to direct-buyer purchases on buy.attestlayer.com. Customers requiring a counter-signed DPA can request one via privacy@attestlayer.com. Companywide DPA terms are published on attestlayer.com/legal/dpa.

2. Roles

For supplied records uploaded into an AttestLayer workspace, the customer is the controller and AttestLayer is the processor. For billing and account data, AttestLayer is the controller for the limited purposes of operating buy.attestlayer.com.

3. Processing instructions

AttestLayer processes supplied records only to deliver the purchased offer: packaging records into evidence packets, applying selected packet rules, issuing PASS/FAIL determinations, and producing manifests, receipts, signatures, and verification paths. AttestLayer does not use supplied records to train models or to enrich third-party datasets.

4. Subprocessors

AttestLayer uses the subprocessors listed on the Subprocessors page. Customers with a written DPA receive notice of material additions as required by their agreement.

5. Security

Security measures applicable to buy.attestlayer.com are described on the Security page. Personnel are subject to confidentiality obligations.

6. International transfers

buy.attestlayer.com is operated from Google Cloud northamerica-northeast1 (Montreal, Canada). Where personal data originates from regions with cross-border transfer restrictions, AttestLayer relies on contractual transfer mechanisms specified in a written DPA.

7. Data subject requests

AttestLayer assists customers with data subject access, correction, and deletion requests received in respect of supplied records, as required by applicable law and the written agreement.

8. Retention and deletion

Supplied records and evidence packets are retained per the purchased offer or written agreement. See the Data retention page. On termination, supplied records are deleted within the period stated in the written agreement, subject to legal preservation obligations.

9. Counter-signed DPA

Customers needing a counter-signed DPA (for example, to satisfy their own procurement or vendor-management requirements) can request one via privacy@attestlayer.com. AttestLayer offers a standard form; material customer redlines are reviewed case-by-case.

10. Contact

Privacy / DPA: privacy@attestlayer.com