Policies

Public commitments that govern how this product behaves. Each section below summarizes a full policy document — full text lives in the repo and is the canonical source.

Accessibility statement

Our own product surfaces (customer dashboard, marketing site, internal tools we publish externally) target WCAG 2.2 Level AA conformance, with Level AAA where feasible on critical flows (sign-in, primary navigation, finding detail, report download).

Every customer-facing UI surface passes axe-core (zero serious or critical violations) and Lighthouse accessibility (score ≥95) before merging to main. CI enforces this gate. Once the diagnostic agent is live, our own surfaces are scanned by it on a recurring basis, and its findings are tracked like customer findings.
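The merge gate above, written out as an added example (not the project's own CI script) that reads the two tools' JSON output and returns a pass/fail decision with reasons. It relies on the documented shape of both reports: axe-core lists `violations`, each with an `impact` of minor, moderate, serious or critical and its affected `nodes`; Lighthouse scores each category from 0 to 1 under `categories`. The sample inputs are constructed for the example.

```javascript
// Added example: CI accessibility gate over axe-core and Lighthouse output.
// Not the project's own script; thresholds are the ones stated in the policy.
const AXE_BLOCKING_IMPACTS = new Set(['serious', 'critical']);
const LIGHTHOUSE_MIN_SCORE = 95;

// Returns { pass, lighthouseScore, blockingViolations, reasons } so the CI
// step can both decide and explain why a merge was blocked.
function evaluateAccessibilityGate(axeResults, lighthouseReport) {
  const reasons = [];

  // axe-core: any violation at serious/critical impact blocks the merge.
  const blocking = (axeResults.violations || []).filter(
    (v) => AXE_BLOCKING_IMPACTS.has(v.impact),
  );
  for (const v of blocking) {
    reasons.push(`axe ${v.impact}: ${v.id} (${v.nodes.length} node(s))`);
  }

  // Lighthouse: category scores are 0..1; convert to the 0..100 scale
  // shown in the UI. A missing score fails closed rather than passing:
  // a gate that passes on malformed input is not a gate.
  const raw = lighthouseReport.categories?.accessibility?.score;
  const lighthouseScore = typeof raw === 'number' ? Math.round(raw * 100) : null;
  if (lighthouseScore === null) {
    reasons.push('lighthouse: accessibility score missing from report');
  } else if (lighthouseScore < LIGHTHOUSE_MIN_SCORE) {
    reasons.push(`lighthouse: accessibility ${lighthouseScore} < ${LIGHTHOUSE_MIN_SCORE}`);
  }

  return {
    pass: reasons.length === 0,
    lighthouseScore,
    blockingViolations: blocking.length,
    reasons,
  };
}

// Constructed sample reports, shaped like the real tools' JSON output.
const SAMPLE_AXE_RESULTS = {
  violations: [
    { id: 'color-contrast', impact: 'serious',
      nodes: [{ target: ['.btn-primary'] }, { target: ['.footer a'] }] },
    { id: 'region', impact: 'moderate', nodes: [{ target: ['body'] }] },
  ],
};
const SAMPLE_LIGHTHOUSE_REPORT = {
  categories: { accessibility: { score: 0.97 } },
};

const gateResult = evaluateAccessibilityGate(SAMPLE_AXE_RESULTS, SAMPLE_LIGHTHOUSE_REPORT);
console.log(JSON.stringify(gateResult, null, 2));
```

In a pipeline the two objects would come from `JSON.parse` of the files written by `axe` and `lighthouse --output=json`, and the step exits non-zero when `pass` is false; the `reasons` array is what goes in the PR comment.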

This statement is about our own product surfaces only. It is not a statement about customer sites — those are described in each customer’s own scan reports.

Canonical source: docs/policies/accessibility-statement.md

Refused use cases

Some categories of use are out of scope for this product. The diagnostic, decision, and remediation agents do not support:

  • Generating compliance attestation language. We never report a site as “ADA compliant,” “WCAG compliant,” or any similar guarantee.
  • Producing “Defense Pack” outputs (litigation-defense artifacts) without evidence of actual remediation activity (anti-laundering protection per PRD §25).
  • Self-healing remediation above tier 1 (visible structural rewrites are gated on human review per PRD §15.3).
  • Scanning sites outside the customer’s claimed domain (SSRF protection per PRD §20.5).
  • Sending sensitive evidence to third-party LLM providers without explicit routing-policy approval (PRD §20.7.1).
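The domain restriction in the fourth item, as an added example that is not the product's own code: a scope check the scanner would apply to every URL before fetching it, including each hop of a redirect chain. It admits only http(s) URLs whose host is the customer's claimed domain or a subdomain of it, and refuses IP literals, embedded credentials and unparseable input. The claimed domain and URLs below are constructed for the example; resolving the host and checking the resulting address against private ranges is a separate layer this snippet does not attempt.

```javascript
// Added example: pre-fetch scope check for scan targets. Not the product's
// own implementation; the claimed-domain rule is the one the policy states.

// Lower-case and drop a trailing dot so "Example.com." and "example.com"
// compare equal.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// The WHATWG URL parser yields dotted-quad IPv4 or bracketed IPv6 hostnames.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// Returns { allowed, reason }. Call this on the initial URL and again on
// every redirect Location before following it.
function scanTargetDecision(rawUrl, claimedDomain) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { allowed: false, reason: 'credentials embedded in URL' };
  }
  const host = normalizeHost(url.hostname);
  if (isIpLiteral(host)) {
    return { allowed: false, reason: 'IP-literal target refused' };
  }
  const claimed = normalizeHost(claimedDomain);
  if (host === claimed || host.endsWith('.' + claimed)) {
    return { allowed: true, reason: 'host within claimed domain' };
  }
  return { allowed: false, reason: `host ${host} outside claimed domain ${claimed}` };
}

// Constructed inputs for a customer whose claimed domain is example.com.
const CLAIMED_DOMAIN = 'example.com';
for (const candidate of [
  'https://www.example.com/pricing',
  'https://EXAMPLE.COM./',
  'https://example.com.evil.test/',
  'http://192.0.2.10/',
  'file:///tmp/report.html',
]) {
  console.log(candidate, '->', JSON.stringify(scanTargetDecision(candidate, CLAIMED_DOMAIN)));
}
```

The suffix test uses `'.' + claimed` deliberately: a bare `endsWith(claimed)` would accept `notexample.com`, and a substring test would accept `example.com.evil.test`.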

Canonical source: docs/policies/refused-use-cases.md

Data classification

Customer scan data is classified Confidential: source DOM, screenshots, axe output, finding metadata. Authentication credentials are Restricted (envelope-encrypted, never exit the trust boundary). Aggregate metrics (scan counts, fix rates) are Internal.

Retention follows the class. Confidential scan data is retained at full fidelity for 90 days; after 90 days only aggregate metrics remain.

Canonical source: docs/policies/data-classification.md

Access control

Principle of least privilege. Role-based access at the application layer (Compliance Officer, Engineer, Admin, Auditor — per PRD §17.1.7). Production access is gated on MFA; access reviews run on a defined cadence.

Canonical source: docs/policies/access-control.md

Incident response

Severity-graded runbook (SEV-1 through SEV-4). SEV-1 customer notification within 24 hours. Includes the data-leak playbook, security-incident playbook, and the standard accessibility-regression playbook.

Canonical source: docs/runbooks/incident-response.md

Vendor catalog

Every third-party SDK with access to customer data is catalogued with its data-flow, DPA status, and SOC 2 / ISO 27001 attestations. The catalog is reviewed annually (first annual review 2027-05).

Canonical source: docs/policies/vendors.md

Feedback

We treat accessibility feedback on our own product surfaces with the same priority as customer-reported defects. Filing channels are documented in the canonical accessibility statement.