Last updated · May 13, 2026
Consent & data
What we read. And what we never touch.
Audit for Attio is a free, read-only diagnostic. This page is the plain-English version of what that means. The short answer: we request read-only access to your workspace, we hold your audit for seven days unless you opt in to save it, and your report is private unless you choose to share it.
01 / At a glance
- Read-only OAuth. We never request write access to your Attio workspace. Attio enforces this at the token layer.
- Private by default. Only the creator (and anyone they invite by email) can open the audit report.
- Encrypted at rest. AES-256-GCM on every OAuth token and magic-link secret.
- 7-day TTL. Unsaved reports and raw API snapshots are deleted automatically.
- No benchmarks without consent. We ask once. Opting out doesn’t change anything about your audit.
02 / What we read from Attio
When you authorize Audit for Attio, the OAuth consent screen lists exactly these read scopes. We cannot request anything else without sending you back through OAuth, and Attio rejects any write call we attempt because no write scopes are on the token.
- object_configuration:read (objects, attributes, select options)
- record_permission:read (records inside each object)
- list_configuration:read (lists and their attribute schemas)
- list_entry:read (entries on every list)
- user_management:read (workspace members and their access levels)
- webhook:read (webhook endpoints and recent delivery state)
- note:read (notes attached to records)
- task:read (tasks and assignments)
- meeting:read (meetings synced into the workspace)
- call_recording:read (call recording metadata, no audio)
- file:read (file metadata, no file contents)
What we do not request: any :write scope, billing data, or your Attio account password (OAuth never sees it).
03 / What we store, and where
The audit pipeline writes to a Postgres database hosted in the United States (AWS us-east-2). Four kinds of data live there:
- OAuth tokens: Encrypted with AES-256-GCM in the database. Used only to call the Attio API as you, exclusively for the audit you authorized. Revocable from within Attio at any time, after which we drop the token at next use.
- Raw API snapshots: The JSON blobs we fetch from Attio (objects, records, lists, members, notes, tasks, meetings, comments, webhook metadata). Retained for up to 30 days so we can re-run analyzers without re-hitting the Attio API, then purged.
- Findings: The analyzer output (counts, percentages, sample IDs). Tied to the audit. Deleted with the audit unless you opt to save the report.
- Access state: Who created the audit, who they invited, and which invites have been accepted. We need this to gate the report URL.
04 / How long we keep it
- Unsaved audits: deleted seven days after the audit finishes. A daily cleanup job removes the audit row, its findings, and the raw API snapshots together.
- Saved audits: kept indefinitely until you unsave or delete them from My reports. Saving keeps the report and findings; raw API snapshots are still purged at 30 days.
- Tokens: kept as long as the connection is active. Removed when you disconnect or revoke from Attio.
05 / Who can see your report
The report URL is not enough. Every request is gated by either a session cookie (you, signed in via Attio OAuth) or a magic link scoped to a specific email. Visitors without either are routed to a request-access page that asks the workspace owner for an invite.
- Owner: the person who ran the audit.
- Admin: teammates the owner invited and granted invite-others permission.
- Viewer: teammates invited by email. Can read; cannot invite others.
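The gating rule above, as an added example that is not the service's own code: a constructed model in which a request on the report URL carries either a session email or a magic-link token, and the audit's access state decides whether it is allowed, routed to request-access, or refused. The role names, the hashed token store and the expiry handling are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


# Assumed model of one audit's access state (constructed, not the service's code):
# the owner who ran the audit, invited admins (may invite others), invited viewers.
@dataclass
class AuditAccess:
    owner: str
    admins: set = field(default_factory=set)
    viewers: set = field(default_factory=set)
    links: dict = field(default_factory=dict)  # sha256(token) -> (email, expiry)

    def role_of(self, email):
        if email == self.owner:
            return "owner"
        if email in self.admins:
            return "admin"
        if email in self.viewers:
            return "viewer"
        return None


def issue_magic_link(access, email, ttl_seconds=7 * 86400, now=None):
    """Mint a magic-link token scoped to one email; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    access.links[digest] = (email, (now or time.time()) + ttl_seconds)
    return token


def email_from_magic_link(access, token, now=None):
    """Resolve a presented token to its email, or None if unknown or expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = access.links.get(digest)
    if entry is None:
        return None
    email, expiry = entry
    return None if (now or time.time()) >= expiry else email


def gate(access, action, session_email=None, magic_token=None, now=None):
    """Decide a request: 'allow', 'request-access' (ask the owner) or 'forbidden'."""
    email = session_email
    if email is None and magic_token is not None:
        email = email_from_magic_link(access, magic_token, now)
    role = access.role_of(email) if email else None
    if role is None:
        return "request-access"  # no valid cookie or link, or not invited
    if action == "read":
        return "allow"
    if action == "invite" and role in ("owner", "admin"):
        return "allow"
    return "forbidden"  # e.g. a viewer trying to invite someone
```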
06 / Anonymized benchmarks (opt-in)
Right after OAuth we ask one question: may we include your audit’s findings, anonymized and aggregated, in benchmarks that compare common patterns across Attio workspaces? Default is no. The toggle lives in settings and you can change your mind at any time.
07 / Sub-processors
The full list of vendors involved in running Audit for Attio. Linked to each company’s privacy policy.
- Vercel (United States): Application hosting and CDN
- Neon (United States, AWS us-east-2): Postgres database for tokens, audits, findings
- Trigger.dev (United States): Background job runner for the audit pipeline
- Resend (United States): Transactional email (audit-ready, invites, magic links)
- Attio (United States / European Union): Source of the workspace data being audited
08 / Your rights
- Delete on demand. Email us and we will purge your audits, findings, and tokens within seven days. Saved reports go with them.
- Export. Every report has a PDF download and an LLM-ready markdown export inside the actions menu.
- Revoke access. Revoke the OAuth connection from within Attio. We stop calling the API on the next request and remove the token.
- Withdraw benchmark consent. Toggle off in settings. Your already-aggregated data stays aggregated (we cannot un-aggregate anonymized numbers), but no new findings from your workspace are added.
09 / Contact
Anything we missed, anything you want changed, anything you want deleted:
