AttestLayerAttestLayer
Request qualification

Privacy Policy

Privacy and data handling for partners.attestlayer.com only.

This policy applies only to partners.attestlayer.com, including partner program pages, reserved-capacity or partner order flows, partner-managed delivery workflows, and partner support or billing requests originating from this domain. It does not govern the direct-buyer, verifier, registry, pay, console, or root corporate domains except where a written agreement or a more specific domain notice says otherwise.

1. Data categories processed on this site

  • Partner representative data such as work email addresses, company names, job titles, billing contacts, and support correspondence.
  • Partner account and transaction data such as order details, invoicing references, subscription state, capacity selections, and access-link events.
  • Workflow data such as job identifiers, uploaded artifacts, manifests, receipts, delivery events, and partner-configured packaging instructions.
  • Website and abuse-prevention data such as security logs, browser metadata, referrer information, rate-limit events, and operational telemetry.

2. How data is used

  • Operate partner programs, reserved-capacity lanes, partner billing, and partner support workflows.
  • Process partner-submitted workflows and deliver the requested output package.
  • Support approved white-label or co-branded delivery options where offered.
  • Protect the service, prevent abuse, and comply with legal obligations.

3. AttestLayer role and downstream data

For partner account, billing, and security data, AttestLayer acts as the service operator for the partners surface. For workflow material a partner submits on behalf of its customer, the partner remains responsible for ensuring it has the right to submit that material and for giving any downstream notices the partner owes to its own customer or end user.

4. Sharing and subprocessors

We share data only with providers needed to operate the partner program, billing, infrastructure, email, analytics, and approved payment-routing functions tied to this site. The current list for partners.attestlayer.com is maintained on the Subprocessors page.

We do not sell personal data collected through this domain.

5. Retention

  • Uploads: Up to 24 hours (automatic deletion)
  • Hosted deliverables links: 30 days (links expire; automatic deletion)
  • Partner/customer downloaded copies: kept by you/customer
  • Payment/invoice records: retained as required (duration: 7 years (standard accounting/tax retention))
  • Operational and security logs: retained only as reasonably necessary for security, abuse prevention, delivery support, and legal compliance.

6. Requests and rights

To request access, correction, or deletion of partner personal data, email contact@attestlayer.com.

  • Include your company name and the email address used with AttestLayer.
  • If your request relates to an intake job, include the job ID/slug (if available).
  • We may ask for minimal verification to prevent unauthorized deletion requests.

7. Cross-domain boundaries

This policy is partner-surface specific. Direct-buyer terms belong to buy.attestlayer.com, the public verifier belongs to verify.attestlayer.com, and registry publication terms belong to registry.attestlayer.com.

8. Additional disclosures

Automated decision-making. AttestLayer does not use personal data processed through partners.attestlayer.com to make decisions that produce legal effects on individuals, or similarly significant effects on individuals, without meaningful human involvement. Limited automated processing is used for abuse prevention, security signal detection, rate limiting, deterministic PASS or FAIL ruleset execution against supplied records, and routing of inbound inquiries. Ruleset execution evaluates supplied records against published criteria and is not an audit opinion, certification, legal conclusion, or approval decision about any individual.

Cross-border processing. AttestLayer is based in Montreal, Quebec, Canada, and the primary processing region for the partner surface is Canada. Where AttestLayer relies on subprocessors located outside Canada, AttestLayer uses contractual, organizational, and technical safeguards consistent with applicable law for the categories of data involved, including, where applicable, Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent transfer mechanisms. The current subprocessor list is published on the Subprocessors page.

Security incidents. If AttestLayer becomes aware of a confirmed security incident that compromises the confidentiality, integrity, or availability of personal data processed through partners.attestlayer.com and that meets the notification threshold of applicable law or any written agreement, AttestLayer will provide notice to affected counterparties and, where required, regulators, within the timeframes required by that law or agreement. Suspected vulnerabilities can be reported to security@attestlayer.com; the public coordinated-disclosure process is published on the Vulnerability Disclosure page.