AttestLayer

Program lane

VENDOR — Vendor diligence evidence

VENDOR packets record vendor diligence evidence in a consistent reviewer-facing format. The lane is for procurement, security, and operational teams that need to standardize vendor evidence intake without giving AttestLayer system access to vendors.

Evidence profile: record-only, verifier-friendly, not a certification.

A program lane is a packet structure and an evidence-expectation profile. It is not a certification, audit opinion, or legal/regulatory approval.

Where VENDOR fits

Procurement

Procurement teams collecting vendor evidence across many vendors and review cycles.

Security review

Security teams reviewing third-party vendor evidence for repeat workflows.

Operational risk

Risk teams collecting standardized vendor packets across portfolios.

Insurer / banker review

Counterparties evaluating vendor exposure with a consistent packet format.

What the VENDOR packet records

Vendor identity

Vendor reference and engagement scope.

Submitted evidence

What evidence the vendor supplied, packaged through the partner workspace.

Issuance metadata

Manifest, signed receipt, hash trail, and verification path.

Review handoff

Reviewer-friendly packet that can be shared without giving system access.

What VENDOR does not do

  • does not certify the underlying compliance, security, or legal state
  • does not promise buyer, regulator, insurer, PSP, or auditor acceptance
  • does not opine on the truthfulness of submitted records
  • does not replace audit, regulatory, legal, or insurance review


The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses:

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance
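The verification chain above (files to manifest, manifest to receipt, receipt key ID to a JWKS entry, Ed25519 signature over the canonical receipt, fail-closed on any mismatch) can be exercised end to end in a few dozen lines. The following Go program is an added example written for this page; it is not AttestLayer's code, and its manifest, receipt and JWKS field names (`entries`, `manifest_sha256`, `kid`, `signature`, the OKP/Ed25519 JWK form) are assumptions chosen to illustrate the design, not the product's actual schema. The sample evidence files are constructed inline so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// ManifestEntry is one file in the evidence inventory (hypothetical schema).
type ManifestEntry struct {
	Path   string `json:"path"`
	SHA256 string `json:"sha256"`
}

// Receipt binds a manifest hash to a signing key. The signature covers the
// canonical receipt bytes, i.e. the receipt JSON with Signature omitted.
type Receipt struct {
	KitID          string `json:"kit_id"`
	ManifestSHA256 string `json:"manifest_sha256"`
	KeyID          string `json:"kid"`
	Signature      string `json:"signature,omitempty"`
}

// Kit is what a reviewer receives: the files, the canonical manifest bytes and the receipt.
type Kit struct {
	Files    map[string][]byte
	Manifest []byte
	Receipt  Receipt
}

// jwk is the OKP/Ed25519 JWK shape used for public-key discovery (assumed format).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
}

type manifestDoc struct{ Entries []ManifestEntry `json:"entries"` }
type jwksDoc struct{ Keys []jwk `json:"keys"` }

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// canonicalReceipt returns the exact bytes that are signed and verified.
func canonicalReceipt(r Receipt) []byte {
	r.Signature = "" // omitempty drops the field, so signer and verifier hash the same bytes
	b, _ := json.Marshal(r)
	return b
}

// NewIssuerKey creates a throwaway Ed25519 keypair for the demo.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// JWKSFor publishes the issuer public key as a one-entry JWK set.
func JWKSFor(pub ed25519.PublicKey, kid string) []byte {
	b, _ := json.Marshal(jwksDoc{Keys: []jwk{{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: base64.RawURLEncoding.EncodeToString(pub)}}})
	return b
}

// IssueKit hashes every file into a path-sorted manifest, hashes the manifest
// into a receipt, and signs the canonical receipt with the issuer key.
func IssueKit(priv ed25519.PrivateKey, kid, kitID string, files map[string][]byte) Kit {
	entries := make([]ManifestEntry, 0, len(files))
	for p, data := range files {
		entries = append(entries, ManifestEntry{Path: p, SHA256: sha256Hex(data)})
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].Path < entries[j].Path })
	manifest, _ := json.Marshal(manifestDoc{Entries: entries})
	r := Receipt{KitID: kitID, ManifestSHA256: sha256Hex(manifest), KeyID: kid}
	r.Signature = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, canonicalReceipt(r)))
	return Kit{Files: files, Manifest: manifest, Receipt: r}
}

// VerifyKit is the offline, fail-closed check: a missing, extra or altered file,
// a manifest/receipt mismatch, an unknown key ID or a bad signature is an error.
func VerifyKit(kit Kit, jwks []byte) error {
	var m manifestDoc
	if err := json.Unmarshal(kit.Manifest, &m); err != nil {
		return fmt.Errorf("manifest: %w", err)
	}
	seen := make(map[string]bool)
	for _, e := range m.Entries { // step 1: every listed file is present and unchanged
		if seen[e.Path] {
			return fmt.Errorf("%s: duplicate manifest entry", e.Path)
		}
		seen[e.Path] = true
		data, ok := kit.Files[e.Path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from kit", e.Path)
		}
		if sha256Hex(data) != e.SHA256 {
			return fmt.Errorf("%s: hash mismatch", e.Path)
		}
	}
	for p := range kit.Files { // no file may ride along outside the inventory
		if !seen[p] {
			return fmt.Errorf("%s: present in kit but not in manifest", p)
		}
	}
	if sha256Hex(kit.Manifest) != kit.Receipt.ManifestSHA256 { // step 2: manifest matches receipt
		return errors.New("receipt does not match manifest")
	}
	var set jwksDoc // step 3: receipt key ID resolves to exactly one usable public key
	if err := json.Unmarshal(jwks, &set); err != nil {
		return fmt.Errorf("jwks: %w", err)
	}
	var pub ed25519.PublicKey
	for _, k := range set.Keys {
		if k.Kid == kit.Receipt.KeyID && k.Kty == "OKP" && k.Crv == "Ed25519" {
			raw, err := base64.RawURLEncoding.DecodeString(k.X)
			if err != nil || len(raw) != ed25519.PublicKeySize {
				return errors.New("jwks: malformed key")
			}
			pub = ed25519.PublicKey(raw)
		}
	}
	if pub == nil {
		return fmt.Errorf("kid %q not found in JWKS", kit.Receipt.KeyID)
	}
	sig, err := base64.RawURLEncoding.DecodeString(kit.Receipt.Signature) // step 4: signature verifies
	if err != nil || !ed25519.Verify(pub, canonicalReceipt(kit.Receipt), sig) {
		return errors.New("receipt signature invalid")
	}
	return nil
}

func main() {
	pub, priv := NewIssuerKey()
	files := map[string][]byte{ // constructed sample evidence, not real vendor documents
		"bridge-letter.pdf":    []byte("sample bridge letter"),
		"pen-test-summary.pdf": []byte("sample pen test summary"),
	}
	kit := IssueKit(priv, "issuer-key-example", "KIT-EXAMPLE-001", files)
	jwks := JWKSFor(pub, "issuer-key-example")
	fmt.Println("intact kit:", VerifyKit(kit, jwks))
	kit.Files["pen-test-summary.pdf"] = []byte("edited after issuance")
	fmt.Println("tampered kit:", VerifyKit(kit, jwks))
}
```

Note what the successful path does and does not establish: a nil error from `VerifyKit` means the bytes in front of the reviewer are the bytes the issuer hashed and signed, and nothing more. It says nothing about whether the bridge letter is genuine or the pen test was competent, which is exactly the "integrity and issuance evidence only" boundary the trust model draws. The verifier also never reaches the signature check if an earlier step fails, so a partially valid kit cannot be reported as "mostly fine".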

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.