Data Processing Addendum
Last updated: June 23, 2026
1. Scope
This Data Processing Addendum forms part of the Terms of Service for a business customer using the direct-buyer Buyer Review Pack on buy.attestlayer.com.
2. Roles
For Customer Personal Data processed through the Service, the customer is the controller or business, and AttestLayer is the processor or service provider, as those terms are used under applicable privacy law.
3. Processing instructions
AttestLayer processes Customer Personal Data only to provide, secure, maintain, support, and improve the direct-buyer Service; to prevent fraud and abuse; to comply with law; and in accordance with the customer's documented instructions expressed through use of the Service.
4. Nature and purpose of processing
AttestLayer processes buyer-request information, source records, business contact details, order information, and generated service output to determine request fit, create the Buyer Review Pack, deliver output, verify package integrity, manage access, and meet legal and security obligations.
5. Categories of data subjects
Data subjects may include the customer's personnel, buyers, prospective buyers, business contacts, and other individuals whose limited business information appears in submitted records.
6. Categories of personal data
Personal data may include business contact details, work email addresses, job titles, information contained in submitted buyer requests, and limited personal information included in customer records. The customer must not submit credentials, private keys, passwords, payment-card data, government identification numbers, health information, source code, or other prohibited information.
7. Confidentiality
AttestLayer ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to an appropriate statutory duty of confidentiality.
8. Security measures
AttestLayer maintains reasonable technical and organizational measures for the direct-buyer Service, including encrypted transport, encryption at rest in supported cloud storage, access controls, production access restrictions, security logging, and automated deletion of source uploads under the Data Retention and Deletion Policy.
9. Subprocessors
The customer authorizes AttestLayer to use the subprocessors listed on the Subprocessors page. AttestLayer remains responsible for its subprocessors' processing obligations to the extent required by applicable law.
10. Assistance
Taking into account the nature of processing, AttestLayer provides reasonable assistance through the Service and support channels for privacy requests, security incidents, and required information relating to the direct-buyer Service.
11. Security incidents
If AttestLayer confirms unauthorized access to Customer Personal Data in the direct-buyer Service and applicable law requires notice, AttestLayer will notify the affected customer without undue delay and provide available information reasonably necessary for the customer to meet its notification obligations.
12. Deletion and return
Source uploads, generated output, and order-access data are deleted according to the Data Retention and Deletion Policy. The customer is responsible for downloading any output it wishes to keep before the applicable access period ends. Payment, invoice, security, and legal-compliance records may be retained as stated in that policy.
13. Audit information
AttestLayer makes the Security page, Subprocessors page, Data Retention and Deletion Policy, and other published direct-buyer documentation available to customers. The direct-buyer Service does not include an on-site audit right or custom security assessment.
14. Conflict
If this Data Processing Addendum conflicts with the Terms of Service on processing of Customer Personal Data, this Data Processing Addendum controls to the extent of the conflict.
