Privacy Policy

1. Introduction

This Privacy Policy explains how Attesto Ltd. ("Attesto", "we", "our", "us") collects, uses, discloses and safeguards the Personal Data of the people who visit our website (attesto.app) or use our staff-attestation platform (the "Service"). It also describes the choices and rights available to you under the UK GDPR and EU GDPR.

Attesto Ltd. is the data controller for information processed through the Service. Our registered office is 128 City Road, London, EC1V 2NX, United Kingdom. If you have any questions, email [email protected].

2. Personal Data We Collect

2.1 Data You Give Us

• Account details — name, business email address, job title, company name, password or SSO identifier.
• Billing details — payment card tokens, invoicing address and VAT / tax numbers (handled by our PCI-DSS-compliant payment processor).
• Support & correspondence — information you send us in emails, chat messages or contact forms.
• Uploaded content — policies, declarations, training records and any metadata you add (e.g. group names, due dates, comments).
• Recipient data — staff names, work email addresses and role information you import or sync from HRIS/SAML.

2.2 Data We Collect Automatically

• Usage logs — timestamps of log-ins, policy views, attestations and downloads.
• Device & technical data — IP address, browser type, operating system, and cookie identifiers.
• Analytics data — aggregated feature-usage metrics (we use EU-hosted Matomo; IPs are anonymised at source).

2.3 Cookies & Similar Tech

We use essential cookies for authentication and security, and optional analytics cookies (disabled by default for EU visitors). See our separate Cookie Notice for full details.

3. How & Why We Use Your Data

We process Personal Data only when we have a lawful basis:

• Contract — to create your account, deliver the Service and provide support.
• Legal obligation — to maintain evidence-grade audit trails required by regulators.
• Legitimate interests — to monitor service performance, prevent fraud, and improve features (no high-impact profiling).
• Consent — for non-essential cookies or marketing emails (you can withdraw consent at any time).

4. When We Share Personal Data

We never sell your information. We share it only:

• With subprocessors who help us run the Service (e.g. AWS EU-West-1 hosting, Stripe payments, Postmark email). They act under written agreements and only on our instructions.
• Within your organisation — admins and managers you designate can view staff-level audit information.
• For legal reasons — to comply with law, enforce our Terms, or protect rights, property or safety.
• During a business transfer (merger or acquisition) with appropriate confidentiality protections.

A current list of subprocessors is available on request.

5. International Data Transfers

All primary data—including backups—resides in the European Economic Area (EEA). If we must transfer Personal Data outside the UK/EEA (e.g. for a support ticket), we use approved safeguards such as the UK Addendum to the EU Standard Contractual Clauses.

6. Data Retention

We keep:

• Account & billing data for the lifetime of the subscription plus 7 years (UK tax record requirement).
• Audit logs for 7 years by default, or a custom period you set in the admin console.
• Support correspondence for 24 months after closure.

When retention ends, data is securely deleted or anonymised.

7. Security Measures

• All traffic is encrypted in transit using TLS 1.3; files are encrypted at rest with AES-256.
• Role-based access controls, MFA for admins, and SSO/SAML support.
• Regular penetration testing and ISO 27001-aligned policies.
• 24/7 monitoring with automated anomaly detection and incident-response playbooks.

8. Your Data Protection Rights

Depending on where you reside, you may have the right to:

• Request access to the Personal Data we hold about you.
• Correct inaccurate or incomplete information.
• Delete or anonymise your data ("right to be forgotten").
• Restrict or object to certain processing activities.
• Receive a portable copy of your data.
• Lodge a complaint with the UK Information Commissioner's Office or your local supervisory authority.

To exercise any of these rights, email [email protected]. We respond within 30 days.

9. Children's Privacy

Attesto is a business-to-business service and is not directed to individuals under 16. We do not knowingly collect Personal Data from children.

10. Changes to This Privacy Policy

We may update this Policy to reflect operational, legal or regulatory changes. If we make material changes, we will notify administrators by email and post a banner in the Service at least 14 days before the new terms take effect.

Last updated: 1 June 2025