
Security & compliance

WCAG Audit is built with security-first principles. Here's exactly how we handle your data.

Data & privacy

Architecture

All accessibility checks run locally — in your browser (Chrome extension) or on your machine via Playwright (CLI, GitHub Action). Page content, source code, and audit findings never leave your device unless you explicitly enable AI vision review (proxied through wcagaudit.io to Anthropic Claude) or cloud server tests.

CLI telemetry

When you run wcag-audit scan, we receive only aggregate usage metrics: license key, route count, framework name, issues-found count, CLI version, timestamp. The findings themselves, your source code, and the contents of WCAG_FIXES.md stay on your machine. These metrics are used for credit metering and your dashboard history — not for analytics, advertising, or third-party sharing.

What happens when you enable AI vision review

If you opt in to AI vision review, page screenshots and a subset of the DOM are sent to wcagaudit.io, which forwards the request to Anthropic Claude using our server-side API key. We do not retain screenshots or model output beyond the request lifecycle, and AI vision is gated to paid plans by feature flag. You can disable AI vision at any time with --no-ai.

Storage

Audit results are stored only in your browser (extension) or on your filesystem (CLI outputs). We log only URLs audited, route counts, and aggregate issue counts — used solely for credit metering.

Retention

Usage logs are retained for 12 months. You can request full account deletion at any time by emailing support@wcagaudit.io.

Infrastructure

This page covers wcagaudit.io's managed infrastructure. The optional companion server is self-hosted on your own infrastructure — see the download page for setup instructions.

For our managed stack, we use a small set of trusted vendors. Every dependency is named below along with what it handles and its compliance status.

  • Vercel
    Hosting — serverless Next.js runtime
  • Supabase
    Postgres database — hosted in US East (Virginia)
  • Clerk
    Authentication & session management
  • Stripe
    Payments & billing
  • Resend
    Transactional email delivery

In progress

SOC 2 Type II

Status: In progress

Audit in progress, expected Q4 2026. The certificate will be published here when complete.

Penetration test

Status: In progress

Annual third-party pentest scheduled for Q3 2026. A report summary will be published here.

Responsible disclosure

Found a security vulnerability? Email security@wcagaudit.io. We aim to respond within 24 hours and will credit researchers who report valid issues responsibly.
