How we handle data.

Last updated April 24, 2026

Attentra Labs provides protocol-side security monitoring for Solana DeFi. This page describes what information we collect, why we collect it, and what we do with it. We try to say it in plain language rather than legalese; if any of it is unclear, email us at hello@attentra.xyz and we'll explain.

Data we collect from customers

When you sign up for Attentra as a protocol customer, we collect:

Account identification: your name, email address, and protocol slug.
Protocol configuration: the on-chain accounts you ask us to monitor, the invariants you declare, and the destinations (Slack workspace, PagerDuty key, webhook URL, etc.) you configure for alerts.
Operational data: timestamps of detections, acknowledgments, and configuration changes. This is used to show you your own history in the dashboard and to improve detection quality.
Billing information: handled by our payment processor (SolanaPay). We do not store card numbers on our infrastructure.

Data we do not collect

We never ask for or store your protocol's private keys, upgrade authority signing keys, or any key material capable of moving funds or changing protocol state. Attentra is read-only.
We do not install software on your infrastructure. Monitoring runs entirely on our infrastructure against public Solana state.
We do not track users of our dashboard across the web. No third-party analytics, no advertising pixels.

Data we observe from the public chain

The core of our product is observing Solana mainnet state. That state is public by definition — any RPC provider can read it. We subscribe to it, run detection rules against it, and publish attestation records to it. We do not treat public chain data as personal data.

Data we publish on-chain

For every customer, we write an attestation account (PDA) to the Solana chain. This account records the current state of your declared security invariants — whether each check is passing or failing, the slot it was last verified, and a short observed-value hash for each check. This is deliberately public: the point of the attestation is that anyone can verify your posture without trusting our dashboard.

The attestation does not include secrets, keys, or any data you haven't explicitly declared as a monitoring invariant. It is a reflection of public chain state, not a disclosure of your internals.

Who we share data with

We share customer data with the minimum set of service providers required to run our service:

Cloud infrastructure (Google Cloud Platform, europe-west4) for hosting.
SolanaPay for payment processing.
Solana RPC providers for chain ingest. We send public chain queries only, not customer configuration.
Email delivery providers for transactional email and alerts you configure.

We do not sell or rent customer data. We do not use customer data to train machine learning models. We do not combine data across customers except where we run aggregate threat intelligence (which is published only in anonymized form).

How we use your data

To operate the monitoring service you are paying for.
To send you alerts at the destinations you configured.
To publish your on-chain attestation per your declared invariants.
To send you product updates, incident notifications, and billing emails. You can opt out of non-essential emails.
To improve detection quality across the service. When a detection fires, we may use the pattern (stripped of customer identity) to tune our rules for all customers.

Security

Customer configuration data is stored in Postgres with encryption at rest and TLS in transit. Destination credentials (webhook URLs, PagerDuty integration keys) are stored encrypted with per-customer keys. Access to production infrastructure is limited to a small number of named operators and audited.

Attentra has not yet completed a SOC 2 audit; work is underway for Type I completion in Q4 2026. Enterprise customers can request our current control documentation.

Your rights

You can request the data we hold about your account, correct it, or delete it by emailing hello@attentra.xyz. On account deletion, we remove your configuration and all identifiers within 30 days. Historical attestation records on the Solana chain are public and cannot be deleted — this is a property of the blockchain, not a choice we make.

Cookies

Our dashboard uses a single cookie (attentra_session) to maintain your login session. That's it. No advertising cookies, no third-party tracking cookies.

Children

Attentra is a B2B product sold to protocols. It is not intended for and not knowingly used by anyone under 18.

Changes to this policy

If we change this policy in a material way, we'll email active customers. For non-material changes (wording, clarification, adding examples) we update this page and update the date above.

Contact

Questions, concerns, or data requests: hello@attentra.xyz. We aim to respond within 2 business days.