Trust Center

How AttestLayer protects submissions, signs proof, and maintains verification integrity. This page documents what AttestLayer is, what it is not, and what reviewers can verify independently.

What AttestLayer is

  • A record-only evidence issuance service
  • Deterministic PASS/FAIL evaluation of submitted artifacts
  • Signed, forwardable verification kits with offline verification support
  • No system access, no installs, no agent footprint

What AttestLayer is not

  • Not an audit firm and does not issue audit opinions
  • Not a compliance certification body
  • Not a legal advisor
  • Not a controls testing or penetration testing service

Security posture

  • Ed25519 signing — every PASS kit includes a cryptographic receipt signed with Ed25519 keys
  • SHA-256 manifests — artifact integrity is bound to a hash manifest at submission time
  • Offline verification — proof kits include a self-contained verifier; no live session required
  • Record-only model — no system access, no installs, no agent footprint
  • Published security model — security documentation and verification procedures are published and reviewable

Data handling

  • Data residency — all processing and storage in GCP northamerica-northeast1 (Montréal, Canada)
  • Encryption at rest — AES-256 via Google-managed encryption keys
  • Encryption in transit — TLS 1.3 for all connections
  • No customer names in registry — registry receipts contain only hashes and timestamps
  • Artifact retention — submissions retained per plan terms; deletion available on request

Current registry trust model

The registry is currently self-witnessed by AttestLayer: all checkpoints are signed by the issuer key and published at registry.attestlayer.com, and no independent party yet countersigns them. A checkpoint inclusion check therefore shows that AttestLayer signed a checkpoint listing the receipt, not that an outside witness observed it. External witness cosignatures are structurally supported but not yet active; when independent witnesses are onboarded, this section will be updated.

What reviewers can verify independently

  • Receipt signature — verify the Ed25519 signature against the published JWKS
  • Manifest integrity — recalculate SHA-256 hashes and compare to the manifest root
  • Checkpoint inclusion — confirm the receipt hash appears in a signed registry checkpoint
  • Key history — audit the full key rotation history at the registry JWKS endpoint
  • Offline verification — use the bundled verifier or registry verify-kit.zip without any live session

Verification infrastructure

  • Public key registry — signing keys are published at registry.attestlayer.com
  • Key rotation — keys rotate on a defined schedule with full history preserved
  • Verify portal — verify.attestlayer.com provides client-side proof verification
  • Deterministic evaluation — same input always produces the same PASS/FAIL result

Policies

  • Security — Security model and controls
  • Privacy — Privacy policy
  • Terms — Terms of Service
  • Subprocessors — Third-party subprocessors