Associated persons · 5 min
Use zero-login attestation links
How associated-person attestation links work without accounts, including reminders, expiry, revocation, lockout, and review handoff.
Help baseline: 2026-06-15
zero-loginattestation linksattestation.reminder_queuedRetry-Afterneeds_review
Keep the external path scoped
Associated-person attestation pages do not require a DefenceFile account or password. Each secure link is scoped to one attestation request and should not be forwarded.
- Raw attestation tokens are hashed for lookup and should not be copied into public notes or support tickets.
- Expired links show an expired state and revoked links show a revoked state before the respondent can submit.
- Unknown, expired, or revoked token failures count toward the public-token limiter.
Turn responses into reviewable evidence
A submitted attestation marks the link completed, appends an attestation.submitted audit event, and creates third_party_attestation evidence with status needs_review.
- The created evidence still needs the normal named human review before board-pack reliance.
- Reminder emails require attestation:remind permission and are queued only for due attestation alerts.
- Reminder audit events use attestation.reminder_queued and include the associated-person priority metadata.
- The default public-token lockout is 5 failed attempts and 15 minutes; 429 responses include Retry-After.
Boundary
DefenceFile help explains workflow operation. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.
Request pilot review