The Layover Audit Standard

HR Confirmation + an attributed reference from an identity-verified manager.

Everything in Employment Verified, plus a named former manager who verified their identity, confirmed the working relationship, attested the candidate’s milestones item by item, and answered the one question every reference call is really asking: would you hire this person again.

HR Confirmation + document verification.

A complete, shareable credential on its own: who the candidate is, where they worked, the titles they held, the dates they held them, and how the employment ended — every claim verified against documents. Not a lesser record; a record without a reference attached.

HR Confirmation is non-negotiable. The Flight Inspector blocks any mint without one. Every claimed title and every claimed employment date is verified against this document before mint, and the verification is stamped into the audit ledger as a server-clock attestation.

The candidate’s titles, employment dates, and exit status are verified against HR documentation before mint. Each document is hashed at upload; the hash outlives the document itself (see Delete-After-Verify below).

The reference layer is never anonymous. The manager verifies their identity through LinkedIn or verified-email authentication, confirms the working relationship, and attests the record element by element. Their name, title, and verified identity are bound into the credential — a real person, on record, accountable for what they signed.

The candidate authors up to three milestones — short, specific, falsifiable claims about what they actually did. The manager rules on each one individually: verify as written, verify with an edit(the manager’s corrected wording publishes, marked as edited), or decline (the milestone never publishes). At least one milestone must be verified for the reference to mint.

Alongside the milestones, the manager answers the rehire question, can confirm the candidate’s tool proficiencies, and may add a short note in their own words. Read the full attestation protocol →

Layover does not publish a performance score. A single uncalibrated rater cannot produce a number that means the same thing across two records, and a decimal dressed in audit language is false precision. What publishes is evidence — verified facts and an attributed attestation — and the recruiter’s own judgment does the rest.

Source documents are purged from storage immediately upon mint. Layover does not retain copies of HR letters, pay stubs, or separation packets after the credential is sealed. The mint is the moment the original documents leave our infrastructure.

What is preserved is the audit ledger: a SHA-256 hash of each verified document, the extracted structured data (titles, dates, attested milestones), the verified manager’s identity, and the Inspector’s verbatim attestation. Every timestamp in the ledger is written by the server, not the client browser — so the audit trail is monotonic and tamper-resistant against any clock drift on the uploading device.

At mint, the record is sealed with a SHA-256 signature computed over the attested content itself: the credential class, every published milestone, the rehire assessment, the manager-confirmed tools, the manager’s verified identity, the verified promotion set, and the source-document hashes. The signature is what makes the credential tamper-evident — change any attested fact and the seal no longer matches.

Before mint, the Inspector affirms — through a signed ignition switch — the following literal statement, which is then recorded verbatim into the audit ledger:

Every uploaded document is hashed at upload. Before mint, the Inspector reviews any prior records whose document hash matches — catching reused HR letters across multiple candidate accounts before they enter the credential ledger.

Producer, Creator, CreationDate, and ModificationDate are extracted from every uploaded PDF and surfaced in the Inspector’s review. Anachronism patterns — for example, a 2019-dated HR letter whose Producer string reads “iLovePDF 2024” — are flagged for closer scrutiny.

The manager verifies their identity through LinkedIn or verified-email authentication, rules on each milestone individually, answers the rehire question, and affirms — through a signed ignition switch — the following literal statement:

The Layover Link URL is the credential of record. Any downloadable asset — Clearance Keys, share cards — is a visual display of that record, not the record itself. Verification always resolves to the link.