Last updated · May 2026
Security
Attested handles sensitive identity signals on behalf of hiring teams and candidates. Security is not an afterthought — it is a core requirement of what we do. This page summarises our current posture and how to contact us if you find a problem.
Compliance
- SOC 2 Type II — in progress. We are working toward certification and will publish the report when it is complete.
- GDPR and CCPA — see our Privacy Policy for details on data handling and your rights.
- Data minimisation — we collect only what is necessary to perform a verification. Résumé files and raw credential data are never stored.
Infrastructure
- Hosted on SOC 2 Type II certified cloud infrastructure
- All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Production and staging environments are strictly isolated
- Access to production systems is limited to authorised personnel and requires MFA
- Automated dependency scanning and secret detection on every commit
Authentication and access
- All third-party OAuth tokens (LinkedIn, GitHub) are short-lived and never logged
- Magic links for email verification are single-use and expire after 15 minutes
- Verification results are accessible only to the hiring team that initiated the check
- API keys are hashed before storage; plaintext is shown only at creation
Incident response
We maintain an incident response plan with defined severity levels, escalation paths, and communication timelines. In the event of a breach affecting your data, we will notify you within 72 hours of becoming aware, consistent with GDPR Article 33 obligations.
Responsible disclosure
If you believe you have found a security vulnerability in Attested, please report it to us before disclosing it publicly. We commit to:
- Acknowledging your report within 2 business days
- Keeping you informed as we investigate and remediate
- Not pursuing legal action against researchers acting in good faith
Please send reports to security@attested.work. Use our PGP key if you need to share sensitive details — available on request at that address.
Please do not access or modify other users’ data, run automated scanners against production, or perform denial-of-service testing.
Subprocessors
We use a small number of vetted subprocessors for cloud infrastructure, transactional email, and payment processing. A current list is available on request at security@attested.work.
Questions
For general security questions or to request our security documentation, contact security@attested.work.