Security at Attestly
Last updated June 21, 2026
Attestly helps teams answer security questionnaires, so we hold ourselves to the standards our customers ask about. Here’s how we protect your data — described honestly, without overclaiming.
Encryption
All data is encrypted in transit using TLS (HTTPS everywhere). Data at rest — including your library and questionnaires — is encrypted by our database provider using strong, industry-standard encryption (AES-256).
Infrastructure
Attestly runs on reputable, independently audited providers rather than servers we manage by hand:
- Database: Neon managed PostgreSQL, hosted in the EU (Frankfurt), with automated backups and point-in-time recovery.
- Application hosting: Vercel, which operates a SOC 2-compliant platform.
- Payments: Stripe, a PCI-DSS Level 1 certified payment provider. Attestly never stores your card details.
To be clear and honest: Attestly itself does not yet hold a SOC 2 or ISO 27001 certification. We build on infrastructure that does, and our Privacy Policy lists exactly which providers handle your data.
Authentication
Passwords are hashed with bcrypt — we can never see them. Sessions use signed, HttpOnly cookies that aren’t accessible to JavaScript and are sent only over HTTPS in production. Password-reset links are single-use and expire after one hour.
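The reset-link and cookie properties described above, as an added illustration in Python (example code, not Attestly's implementation; the in-memory store, the SHA-256 digest of the token, and the SameSite/Path cookie attributes are assumptions, while the one-hour lifetime, single use, HttpOnly and production-only Secure flag follow the text):

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_TTL_SECONDS = 3600  # one hour, the lifetime the page states for reset links


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """In-memory stand-in for the table that would hold reset records (assumed design)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest: a leaked table cannot be replayed as reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a reset token for user_id; the raw token goes in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._hash(token)] = ResetRecord(user_id, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return user_id if the token is known, unused and unexpired, else None.
        Redeeming marks the record used, so the same link cannot work twice."""
        record = self._records.get(self._hash(token))
        if record is None or record.used or self._now() > record.expires_at:
            return None
        record.used = True
        return record.user_id


def session_cookie_header(session_value: str, production: bool) -> str:
    """Set-Cookie attributes matching the page: HttpOnly always, Secure in production."""
    attrs = [f"session={session_value}", "HttpOnly", "SameSite=Lax", "Path=/"]
    if production:
        attrs.append("Secure")  # browser sends the cookie only over HTTPS
    return "; ".join(attrs)
```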
Data isolation
Every organization’s data is logically separated. Your library, questionnaires, and answers are scoped to your organization and are never shared with or visible to other customers.
How we handle AI
Your content is only sent to an AI provider (Anthropic or OpenAI) when you choose to enable one, and only the questions plus the relevant snippets from your own library are sent — purely to draft an answer for you. Under those providers’ API terms, your content is not used to train their models. With no AI provider configured, Attestly answers using deterministic matching and nothing leaves our infrastructure for AI processing.
Access control
Access to production systems follows the principle of least privilege and is limited to what’s required to operate and support the service.
Your part
Security is shared. Please use a strong, unique password, keep any AI provider API keys you add confidential, and limit who in your organization can access your account.
Reporting a vulnerability
If you believe you’ve found a security issue, we want to hear from you. Please email hello@attestly.cloud with the details and steps to reproduce. We’ll acknowledge your report, investigate promptly, and keep you updated. Please give us a reasonable chance to fix the issue before disclosing it publicly.
Questions
Doing vendor due diligence on Attestly? Email hello@attestly.cloud and we’ll gladly walk you through our setup.