Security & Compliance

CivicComply is built for government. This page answers the security questions your IT team and procurement office will ask.

Accessible Document Widget

The widget is a single JavaScript file installed on your website via a script tag. Here is what it does and does not do.

What code runs on our website?

A single vanilla JavaScript file (under 1,000 lines, zero dependencies, no frameworks). It is served from our CDN as a static file. The source is unobfuscated and fully auditable — we can provide the source code on request.

What does the widget read from our page?

It reads the href attribute of <a> elements to identify same-origin PDF links. It does not read cookies, local storage, form data, user input, or any other page content.

What does the widget write to our page?

It adds a small button element next to each PDF link, and a dialog element for the accommodation request form. It does not modify existing page elements, inject iframes, or load third-party scripts.

What network requests does the widget make?

Two types: (1) a GET request to api.civiccomply.com to fetch the document manifest (a list of which PDFs have accessible versions), and (2) a POST to api.civiccomply.com when a user submits an accommodation request. It also makes HEAD requests to your own server to check for locally hosted accessible versions.

Does it track users or set cookies?

No. The widget does not use cookies, local storage, session storage, or any tracking pixels. No analytics, no fingerprinting, no third-party trackers.

What happens if your API or CDN is down?

If the CDN is down, the script does not load and your page is unaffected — no errors, no broken layout. If the API is down, the widget still renders buttons but defaults to showing the accommodation request form instead of the accessible version lookup. It never blocks or breaks your page.

Does it work with our Content Security Policy (CSP)?

Yes. Add cdn.civiccomply.com to script-src and api.civiccomply.com to connect-src. No inline scripts, no eval, no unsafe-inline required.

Can a compromised widget inject malicious code?

The widget is a static file on Azure Blob Storage behind Azure Front Door. Access requires Azure storage keys held in our CI/CD pipeline. We recommend Subresource Integrity (SRI) hashes for enterprise deployments — the browser will reject any modified file. Versioned URLs are available on request.

Is the widget open source?

The widget source is available for security review upon request. It is unobfuscated vanilla JavaScript — no build step, no bundler, no transpiler. What you see in the file is what runs in the browser.

Platform & Infrastructure

Where is our data hosted?

All data is hosted on Microsoft Azure in US regions. Database: Azure Database for PostgreSQL. File storage: Azure Blob Storage. Compute: Azure App Service. CDN: Azure Front Door.

Is data encrypted?

Yes. Data is encrypted at rest (Azure Storage Service Encryption, AES-256) and in transit (TLS 1.2+ on all endpoints). Database connections use SSL.

What data do you store about our organization?

Organization name, website domain, contact information (name, email, title, phone), scan results (WCAG violations found on your public website), accommodation requests submitted by your constituents, and generated compliance reports.

What data do you store about our constituents?

Only what they voluntarily submit via the accommodation request form: name (optional), email (optional), the page URL, and their description of the accessibility barrier. We do not track, fingerprint, or profile visitors.

Who can access our data?

Authenticated users in your organization (email-verified, password-protected accounts with JWT authentication). CivicComply staff also have administrative access, for support purposes only. We do not share data with third parties.

How is authentication handled?

Email/password with bcrypt hashing. JWT access tokens (8-hour expiry) and HTTP-only refresh tokens (30-day expiry). Email verification required before account activation. Cloudflare Turnstile for bot protection on signup.

Do you have a SOC 2 report?

We are in the process of pursuing a SOC 2 Type II report. In the meantime, we provide this security documentation and are happy to complete your agency's security questionnaire directly.

What is your data retention policy?

Scan results and accommodation requests are retained for the life of your account. You can request data deletion at any time. Unverified accounts are automatically purged after 48 hours.

How do you handle vulnerabilities?

Report vulnerabilities to security@civiccomply.com. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.

Regulatory Compliance

What accessibility standards does CivicComply scan against?

WCAG 2.1 Level AA — the standard required by the DOJ Title II ADA mandate for state and local government websites.

Is the widget itself accessible?

Yes. The widget is built to WCAG 2.1 AA standards: full keyboard navigation, ARIA labels, focus management, screen reader announcements, and high-contrast compliant colors across all four color variants.

Does the widget help with ADA compliance?

Yes. Every accommodation request submitted through the widget creates a timestamped, documented audit trail. This demonstrates good-faith effort to identify and resolve accessibility barriers — a key factor in DOJ compliance evaluations.

Need to complete a security questionnaire?

We are happy to fill out your agency's procurement security forms, participate in vendor risk assessments, or schedule a call with your IT team.

Contact security@civiccomply.com