The Layover Audit Standard

HR Confirmation + HRIS performance review(s) + Manager Vouch.

Maximum triangulation. Three independent sources confirm titles, dates, and performance. The mark a recruiter sees as a diamond on the candidate’s Layover Link.

HR Confirmation + (HRIS performance review(s) OR Manager Vouch).

A baseline credential with one performance source riding on the verified HR floor. The minimum tier accepted into the Hangar.

HR Confirmation is non-negotiable. The Flight Inspector blocks any mint without one. Every claimed title and every claimed employment date is verified against this document before mint, and the verification is stamped into the audit ledger as a server-clock attestation.

The Manager Vouch carries higher weight because it represents direct, named accountability — a real, identified person who signed off on this candidate’s performance.

Each sensor is rated 1.0–5.0. The Altitude shown on a Layover Link is the overall blend; the per-sensor breakdown lives inside the audit pack.

Some records have a Manager Vouch but no HRIS reviews. Some have HRIS reviews on only two of five sensors. Layover does not penalize partial coverage by truncating the available evidence — each side is averaged over its own non-null entries. If only one source exists, that source weighs 100% of the score.

The credential tier (Full vs. Core) communicates the breadth of evidence; the Altitude itself reflects the quality of what’s there. This is the credit-score model: use what is verifiable, don’t punish gaps that aren’t the candidate’s fault.

Some records carry multiple performance reviews on file. Each review is normalized to the same five-sensor rubric, and the consolidated HRIS score is the element-wise mean across reviews.

No recency weighting is applied. Layover does not retroactively weigh a 2024 review more heavily than a 2022 one — the algorithm stays one-sentence-explainable.

Source documents are purged from storage immediately upon mint. Layover does not retain copies of HR letters, pay stubs, or performance reviews after the credential is sealed. The mint is the moment the original documents leave our infrastructure.

What is preserved is the cryptographic ledger: a SHA-256 hash of each verified document, the extracted structured data (titles, dates, sensor scores), the verified manager’s identity, and the Inspector’s verbatim attestation. Every timestamp in the ledger is written by the server, not the client browser — so the audit trail is monotonic and tamper-resistant against any clock drift on the uploading device.

Before mint, the Inspector affirms — through a signed ignition switch — the following literal statement, which is then recorded verbatim into the audit ledger:

Every uploaded document is hashed at upload. Before mint, the Inspector reviews any prior records whose document hash matches — catching reused HR letters across multiple candidate accounts before they enter the credential ledger.

Producer, Creator, CreationDate, and ModificationDate are extracted from every uploaded PDF and surfaced in the Inspector’s review. Anachronism patterns — for example, a 2019-dated review whose Producer string reads “iLovePDF 2024” — are flagged for closer scrutiny.

The manager rates the candidate across the five sensors, identifies themselves through corporate-domain authentication or LinkedIn verification, and explicitly confirms the candidate’s titles and employment dates within the company.

A signed ignition switch carrying the manager’s verbatim attestation rolls out alongside this page. The vouch screens persist the manager’s identity, the per-sensor ratings, and a server-clock timestamp regardless.

The Layover Link URL is the credential of record. Any downloadable asset — Clearance Keys, share cards — is a visual display of that record, not the record itself. Verification always resolves to the link.