Documentation
Introduction
What Attestly does, who it's for, and why we built it the way we did.
Last updated May 6, 2026
Attestly turns your codebase into a continuously updated set of legal documents. You connect a repository, we scan it, and we produce a draft AI Trust Center, Privacy Policy, Data Processing Agreement, OSS attribution, and a SOC 2 readiness pack (Growth and above) — each one cited line-by-line back to the file that triggered it.
Why "code-aware"?
Traditional compliance tooling asks humans to fill in questionnaires. That's the wrong abstraction. The truth lives in your repo:
- The openai package is in your package.json — that's an AI subprocessor.
- A field called patient_id flows into the OpenAI client — that's special-category data under GDPR Article 9.
- A new dependency @anthropic-ai/sdk was added in last night's PR — your DPA needs to be re-issued.
Attestly answers these questions deterministically by reading code, not by trusting a checkbox.
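To make the "read the code, don't trust a checkbox" point concrete, here is an added example (not Attestly's own code) that scans two snapshots of a package.json for AI SDKs and reports which subprocessor changed, citing the file and key that triggered it; the package-to-vendor table and the sample manifests are constructed for the example.

```python
import json

# Constructed lookup of npm package name -> AI vendor (an assumption for this
# example, not Attestly's real subprocessor catalogue).
AI_SUBPROCESSORS = {
    "openai": "OpenAI",
    "@anthropic-ai/sdk": "Anthropic",
}


def ai_subprocessors(package_json_text, path="package.json"):
    """Map each AI vendor found in a package.json to the entry that triggered it.

    Both runtime and dev dependencies are scanned; the section name is kept in
    the citation so a reviewer can see whether the SDK ships to production.
    """
    manifest = json.loads(package_json_text)
    found = {}
    for section in ("dependencies", "devDependencies"):
        for name, version in manifest.get(section, {}).items():
            vendor = AI_SUBPROCESSORS.get(name)
            if vendor is not None:
                found[vendor] = f"{path}: {section}.{name} = {version}"
    return found


def dpa_drift(before_text, after_text):
    """Diff two snapshots of package.json. Any vendor added or removed means the
    DPA's subprocessor list no longer matches the code and must be re-issued."""
    before = ai_subprocessors(before_text)
    after = ai_subprocessors(after_text)
    return {
        "added": {v: after[v] for v in after.keys() - before.keys()},
        "removed": {v: before[v] for v in before.keys() - after.keys()},
    }


# Constructed sample manifests: the state before and after a PR that adds the
# Anthropic SDK (version strings are made up).
BEFORE = json.dumps({"dependencies": {"openai": "^4.0.0", "next": "14.0.0"}})
AFTER = json.dumps({"dependencies": {"openai": "^4.0.0", "next": "14.0.0",
                                     "@anthropic-ai/sdk": "^0.20.0"}})

if __name__ == "__main__":
    drift = dpa_drift(BEFORE, AFTER)
    for vendor, citation in drift["added"].items():
        print(f"DPA re-issue required: new subprocessor {vendor} ({citation})")
```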
Who is Attestly for?
- B2B SaaS startups that need to look enterprise-credible without hiring a compliance team.
- AI-first companies preparing for the EU AI Act (high-risk obligations apply on August 2, 2026).
- Engineering-led teams who want their docs to track main instead of going stale the day they're approved.
What you get on day one
- A signed-off draft of every document type your plan includes (AI Trust Center, Privacy Policy, DPA, OSS attribution, and SOC 2 readiness when enabled).
- A public trust center. Canonical URL on your app host: https://<app-host>/trust/<slug> (the dashboard copies this from NEXT_PUBLIC_APP_URL). Optional subdomain (hosted Attestly): when wildcard DNS is configured for NEXT_PUBLIC_TRUST_ROOT_DOMAIN, the same pages are also served at https://<slug>.<trust-root> — edge middleware rewrites that host to /trust/<slug>.
- A drift-detection bot that opens a PR comment whenever a code change would invalidate a published document.
That's the whole product. The rest of these docs explain how each piece works.