The Onboarding Interview
Why we ask for your legal profile before scanning code.
Last updated May 14, 2026
Before Attestly scans your code, you must complete the Legal Profile interview. This is not just a setup step — it is a critical part of generating legally sound and regulator-ready documents.
Why this interview exists
The scanner is powerful, but it cannot see facts that don't live in source code. While we can detect that you use Stripe or OpenAI, we cannot know what your legal company name is, where you are incorporated, or what your specific data retention promises to customers are.
Every field in the interview feeds directly into the AI generators. If you don't provide this context, the LLM is forced to leave placeholders like [Customer-defined], which reduces the credibility of your published documents.
Questions asked and why
The interview is grouped into five logical areas:
1. Core Identity
- Full Legal Name & Jurisdiction: Required for the header of every Privacy Policy and DPA to legally bind the correct entity.
- Registered Address: Required in the preamble of your legal documents to positively identify the controller.
- Company Registration & VAT IDs: Essential for identifying your corporate entity in B2B agreements, especially in the EU and UK.
- Industry Sector & Markets Served: Helps the AI tailor the context of processing and data transfers to your specific business model.
- Customer Types: Distinguishes between B2B, B2C, developers, or government customers, which triggers different data-subject rights in your policies.
2. Contact Information
- Privacy Contact Email: The required address where users can send general privacy questions or exercise their data rights.
- Security Contact Email: Included in your Trust Center for incident reporting and vulnerability disclosure.
3. DPO and Representatives
- Data Protection Officer (DPO): If you process sensitive data or monitor individuals at scale, GDPR requires a DPO. Naming them builds trust with enterprise buyers.
- EU/UK Article 27 Representatives: Required by GDPR/UK-GDPR if you serve those markets but do not have a physical establishment there.
4. Operational Policies
- Data Hosting Summary: A brief description of where you physically store customer data (e.g., "AWS us-east-1"). This is crucial for customers with strict data residency requirements.
- International Transfers: How you handle cross-border data (e.g., relying on SCCs). This generates the necessary transfer-impact language in your DPA.
- Subprocessor Notice Process: Your commitment to how you will notify customers when you add a new vendor (e.g., "30 days prior notice via email").
- Retention Policy: Explains how long you keep customer data and your process for hard-deletion upon termination.
- Breach Notification SLA: A critical contractual commitment in your DPA (e.g., "within 48 hours of confirmation").
5. Certifications & Misc
- Security Certifications: Declaring SOC 2, ISO 27001, or other audits establishes immediate credibility on your public Trust Center.
- Statutory Frameworks: If you comply with specific regimes like HIPAA or PCI-DSS, the AI can inject the relevant compliance language into your documents.
Finishing the interview
Once completed, your profile is frozen for your first scan. You can always update these details later under Settings → Legal Profile, which will trigger a regeneration of your draft documents to reflect the changes.