Documentation
Built-in detectors
What Attestly recognizes out of the box.
Last updated May 6, 2026
Attestly ships with detectors covering the most common SaaS infrastructure. Below is the canonical list as of the current release.
AI providers
| Detector | Triggers | Risk default |
|---|---|---|
| OpenAI | openai, @azure/openai | Limited |
| Anthropic | @anthropic-ai/sdk | Limited |
| Google AI | @google/generative-ai, @google-cloud/aiplatform | Limited |
| AWS Bedrock | @aws-sdk/client-bedrock-runtime | Limited |
| Cohere | cohere-ai | Limited |
| Mistral | @mistralai/mistralai | Limited |
| Replicate | replicate | Limited |
| Hugging Face | @huggingface/inference | Limited |
| Pinecone | @pinecone-database/pinecone | Minimal (vector store) |
| Weaviate | weaviate-ts-client | Minimal |
Subprocessors
Authentication: Clerk, Auth0, WorkOS, Supabase Auth, Firebase Auth.
Payments: Stripe, Paddle, Lemon Squeezy.
Email: Resend, SendGrid, Postmark, Mailgun, AWS SES.
Analytics: PostHog, Mixpanel, Amplitude, Segment, Plausible.
Error tracking: Sentry, Datadog, Bugsnag.
Storage: AWS S3, Cloudflare R2, Supabase Storage, Vercel Blob.
Database: Neon, Supabase, PlanetScale, Turso, Upstash.
Communication: Twilio, Vonage, Slack API.
Personal-data heuristics
The scanner also flags likely personal-data fields based on naming conventions. The list is deliberately conservative: it is better to surface a false positive during review than to miss a leak of Article 9 special-category data.
Triggers include: email, phone, address, ssn, tax_id,
date_of_birth/dob, patient_*, health_*, diagnosis,
prescription, biometric_*, credit_card, iban,
passport_number, drivers_license.
When a match flows into a function call to an AI provider, we mark the AI system as High-risk (Annex III) by default. You can override this in the generated document.
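
One way to read the heuristic above, as an added JavaScript example that is not Attestly's own code. The trigger names and risk labels come from this page; the function names, the snake_case normalisation, the whole-token matching, and the reduction of "flows into" to argument names are assumptions.

```javascript
// Added illustration, not Attestly's code. Triggers are copied from the list above.
const TRIGGERS = [
  "email", "phone", "address", "ssn", "tax_id", "date_of_birth", "dob",
  "patient_*", "health_*", "diagnosis", "prescription", "biometric_*",
  "credit_card", "iban", "passport_number", "drivers_license",
];

// Subset of the AI providers table: package name -> default risk.
const AI_DEFAULT_RISK = new Map([
  ["openai", "Limited"],
  ["@anthropic-ai/sdk", "Limited"],
  ["@pinecone-database/pinecone", "Minimal (vector store)"],
]);

// Assumption: names are compared in snake_case, so userEmail equals user_email.
function toSnake(name) {
  return name
    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
    .replace(/[^A-Za-z0-9]+/g, "_")
    .toLowerCase();
}

// Assumption: a trigger matches whole underscore-separated tokens, and a
// trailing "*" matches any suffix. Returns the matching trigger or null.
function matchTrigger(fieldName) {
  const padded = "_" + toSnake(fieldName) + "_";
  for (const trigger of TRIGGERS) {
    const needle = trigger.endsWith("*")
      ? "_" + trigger.slice(0, -1) // "patient_*" -> "_patient_"
      : "_" + trigger + "_";       // "email"     -> "_email_"
    if (padded.includes(needle)) return trigger;
  }
  return null;
}

// Assumption: "flows into" is reduced to "a flagged field name appears among
// the call's arguments"; real data-flow tracking is out of scope here.
function classifyCall(pkg, argFieldNames) {
  if (!AI_DEFAULT_RISK.has(pkg)) return null; // not an AI provider trigger
  const hits = argFieldNames.filter((f) => matchTrigger(f) !== null);
  const risk = hits.length ? "High-risk (Annex III)" : AI_DEFAULT_RISK.get(pkg);
  return { risk, hits };
}

// Constructed sample call site.
console.log(classifyCall("openai", ["prompt", "patientNotes"]));
```

Under these assumptions `ip_address` matches `address`, the kind of false positive the list accepts, while `emailer` and `healthcheck_url` do not match.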
Detector versioning
Detectors are versioned alongside the scanner. Each finding records the detector version that produced it, so old documents always render against the detector list that was active when they were generated.