Our Compliance Standard
We don't bolt compliance on after the fact. We build it into the foundation. Here is exactly what every Forged Site includes and how we verify it continuously.
Accessibility (WCAG 2.2 AA)
Every person can use every page.
We conform to the Web Content Accessibility Guidelines (WCAG) 2.2 at the AA level. WCAG 2.2 builds on the 2.0 and 2.1 AA levels that the Americans with Disabilities Act (ADA) Title II rule, Section 508, and the European Accessibility Act (through EN 301 549) reference, so a site built to 2.2 AA covers what each of those regimes asks for. This is not an overlay. The actual HTML, CSS, and ARIA markup is written to be accessible from the source.
What This Means in Practice:
- ✓ Color contrast of at least 4.5:1 on all text (WCAG requires 4.5:1 for normal text and only 3:1 for large text; we hold every text element to 4.5:1), verified programmatically on every page
- ✓ Keyboard navigation works on every interactive element — skip-navigation links, visible focus rings, no keyboard traps
- ✓ Screen reader compatibility — semantic HTML, ARIA landmarks, meaningful alt text on every image, proper heading hierarchy
- ✓ Touch targets meet the WCAG 2.2 AA minimum of 24×24 CSS px (SC 2.5.8, Target Size Minimum); on mobile we size them at 44×44px, which is the AAA target size (SC 2.5.5) rather than a separate WCAG mobile minimum
- ✓ Reduced motion support — animations respect the user's system preferences
- ✓ Focus not obscured — sticky headers and cookie banners never hide the focused element
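The contrast check above is the one piece of this list that is a formula rather than a markup rule. The block below, added as an illustration and not code from Forged or Vigil, implements WCAG's own relative-luminance and contrast-ratio definitions and audits a palette of foreground/background pairs. It goes one step past the page's 4.5:1 rule by also applying WCAG's 3:1 relaxation for large text; the sample colours are constructed, chosen because #767676 and #777777 on white sit on either side of the 4.5:1 line.

```javascript
// Added example, not Forged/Vigil code: the WCAG 2.x contrast computation that a
// programmatic contrast check runs on every text/background pair. Formulas are
// taken from WCAG's definitions of "relative luminance" and "contrast ratio".

// sRGB channel (0-255) -> linear light, per the WCAG relative-luminance definition.
function linearChannel(c8) {
  const c = c8 / 255;
  return c <= 0.04045 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// '#rgb' or '#rrggbb' -> relative luminance in [0, 1].
function relativeLuminance(hex) {
  let s = hex.replace('#', '');
  if (s.length === 3) s = s.split('').map((ch) => ch + ch).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(s)) throw new Error(`bad colour: ${hex}`);
  const [r, g, b] = [0, 2, 4].map((i) => linearChannel(parseInt(s.slice(i, i + 2), 16)));
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter colour on top: 1:1 .. 21:1.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg);
  const b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// SC 1.4.3 (AA): 4.5:1 for normal text, 3:1 for large text (>= 18pt, or >= 14pt bold).
// The page holds all text to 4.5:1; the large-text relaxation is WCAG's own rule.
function meetsAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a palette of {fg, bg, largeText?} pairs; returns the failing pairs with their ratio.
function auditContrast(pairs) {
  return pairs
    .map((p) => ({ ...p, ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100 }))
    .filter((p) => !meetsAA(p.fg, p.bg, { largeText: !!p.largeText }));
}

// Constructed sample palette: the classic near-miss greys on white.
const SAMPLE_PAIRS = [
  { fg: '#767676', bg: '#ffffff' },                  // 4.54:1, passes body text
  { fg: '#777777', bg: '#ffffff' },                  // 4.48:1, fails body text
  { fg: '#777777', bg: '#ffffff', largeText: true }, // same grey, passes at the 3:1 large-text bar
];
```

Run `auditContrast(SAMPLE_PAIRS)` and only the second pair comes back, with its ratio; the first is a pass by a hair, which is exactly why the check has to be numeric rather than eyeballed.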
Privacy (State-Specific)
Your privacy policy references your state's actual law.
Every Forged Site includes a privacy policy, terms of service, and cookie policy that are specific to the jurisdiction where the business operates. Not a generic template — actual references to the laws that apply to you.
State Privacy Laws We Cover:
CCPA / CPRA — "Do Not Sell or Share" footer link, GPC signal honored, specific consumer rights disclosures
NJDPA — Explicit consent for sensitive data, right to limit use, financial data protections
VCDPA — Right to opt out of targeted advertising, profiling, and data sale
CPA — Universal opt-out mechanism required, GPC signal honored
CTDPA — Data sale and targeted advertising disclosure requirements
TDPSA — Data processing agreement terms, specific category disclosures
OCPA — Opt-out signal recognition, children's data protections
MCDPA — Standard consumer rights framework for data privacy
Security (Headers & Hardening)
Six headers that most agencies don't know exist.
Every Forged Site ships with enterprise-grade HTTP security headers. These prevent clickjacking, script injection, MIME-type attacks, and information leakage. Most small business websites have zero security headers. Ours have six, configured strictly.
Strict-Transport-Security
Forces HTTPS for at least a year (max-age of 31536000 or more, includeSubDomains, preload) so the browser refuses plain-HTTP connections to the site. Once the domain is on the browsers' preload list even the very first visit is protected, which closes SSL-stripping downgrade attacks and man-in-the-middle interception
Content-Security-Policy
Explicitly allowlists which scripts, styles, and other resources may load; injected inline script that is not on the list is refused by the browser, which blunts most cross-site scripting (XSS). Without a nonce or hash, 'unsafe-inline' in script-src gives that protection away
X-Frame-Options
Prevents your site from being embedded in a malicious iframe and so blocks clickjacking attacks. The CSP frame-ancestors directive is the modern equivalent; the two must agree, and frame-ancestors wins in browsers that support it
X-Content-Type-Options
Stops browsers from sniffing a response's content type and, for example, executing an uploaded text file as script, which prevents MIME-type confusion attacks
Referrer-Policy
Controls how much of the current URL goes into the Referer header on outbound links and third-party resource requests, so paths and query strings never leak to other sites
Permissions-Policy
Disables camera, microphone, geolocation, and tracking APIs that your site doesn't need, for the page itself and for any third-party iframe it embeds
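"Configured strictly" only means something if the values are checked, not just the presence of the header names. The block below is an added example, not Forged or Vigil code: a strict audit of the six headers above run against a plain header object, with the thresholds the specs and the HSTS preload list actually require. The two header sets at the bottom are constructed, not captured from any real site, and browsing-topics in the disabled-feature list is an assumption standing in for "tracking APIs".

```javascript
// Added example, not Forged/Vigil code: a strict audit of the six headers above
// against a plain header object (what fetch() or a Node http response gives you).
// Thresholds are the ones the specs and the HSTS preload list actually require.

// Permissions-Policy features that must be set to the empty allowlist "()".
// camera, microphone and geolocation are named on the page; browsing-topics
// (the Topics API) is an added assumption standing in for "tracking APIs".
const DISABLED_FEATURES = ['camera', 'microphone', 'geolocation', 'browsing-topics'];
const STRICT_REFERRER = new Set(['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']);

function auditSecurityHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const fail = (name, why) => findings.push(`${name}: ${why}`);

  // 1. HSTS. The preload list requires max-age >= 31536000, includeSubDomains and preload.
  const hsts = h['strict-transport-security'];
  if (!hsts) fail('Strict-Transport-Security', 'missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) fail('Strict-Transport-Security', 'max-age below 31536000');
    if (!/\bincludesubdomains\b/i.test(hsts)) fail('Strict-Transport-Security', 'no includeSubDomains');
    if (!/\bpreload\b/i.test(hsts)) fail('Strict-Transport-Security', 'no preload');
  }

  // 2. CSP. Scripts need an explicit allowlist. 'unsafe-inline' is only acceptable next to
  //    a nonce or hash (browsers then ignore it); wildcards and 'unsafe-eval' defeat the point;
  //    frame-ancestors is the modern counterpart of X-Frame-Options and must be present.
  const csp = h['content-security-policy'];
  if (!csp) fail('Content-Security-Policy', 'missing');
  else {
    const d = {};
    for (const part of csp.split(';')) {
      const [name, ...srcs] = part.trim().split(/\s+/);
      if (name) d[name.toLowerCase()] = srcs.map((s) => s.toLowerCase());
    }
    const script = d['script-src'] || d['default-src'];
    if (!script) fail('Content-Security-Policy', 'no script-src or default-src');
    else {
      const nonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (script.includes("'unsafe-inline'") && !nonceOrHash) fail('Content-Security-Policy', "'unsafe-inline' script without nonce/hash");
      if (script.includes("'unsafe-eval'")) fail('Content-Security-Policy', "'unsafe-eval' allowed");
      if (script.some((s) => s === '*' || s === 'https:' || s === 'http:')) fail('Content-Security-Policy', 'wildcard script source');
    }
    if (!d['frame-ancestors']) fail('Content-Security-Policy', 'no frame-ancestors');
  }

  // 3. X-Frame-Options: only DENY and SAMEORIGIN are meaningful values.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') fail('X-Frame-Options', 'must be DENY or SAMEORIGIN');

  // 4. X-Content-Type-Options: the header has exactly one valid value.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') fail('X-Content-Type-Options', 'must be nosniff');

  // 5. Referrer-Policy: anything that can leak a path or query string cross-origin fails.
  if (!STRICT_REFERRER.has((h['referrer-policy'] || '').toLowerCase())) fail('Referrer-Policy', 'must be no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin');

  // 6. Permissions-Policy: each unneeded feature must map to the empty allowlist.
  const pp = {};
  for (const part of (h['permissions-policy'] || '').split(',')) {
    const eq = part.indexOf('=');
    if (eq > 0) pp[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).replace(/\s+/g, '');
  }
  for (const f of DISABLED_FEATURES) if (pp[f] !== '()') fail('Permissions-Policy', `${f} not disabled`);

  return findings;
}

// Constructed header sets, not captured from any real site: a strict configuration
// and a typical "we set a couple of headers" one.
const STRICT_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), browsing-topics=()',
};
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src * 'unsafe-inline' 'unsafe-eval'",
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'unsafe-url',
};
```

`auditSecurityHeaders(STRICT_HEADERS)` returns an empty list; `auditSecurityHeaders(WEAK_HEADERS)` returns thirteen findings even though four of the six headers are "present", which is the difference between a header scanner that counts names and one that reads values.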
Consent (Mode v2)
No tracking until you say yes. Verified, not promised.
Since March 2024 Google has required Consent Mode v2 (the ad_user_data and ad_personalization signals alongside analytics_storage and ad_storage) from any site that wants to keep Google Ads measurement and personalization for EEA and UK users. Most cookie banner plugins claim to implement it but still fire analytics scripts before the user consents. We don't trust claims; we verify.
What We Build
- Cookie banner with Accept / Reject / Settings
- All analytics and advertising storage defaults to denied
- Global Privacy Control (GPC) signal auto-honored
- "Do Not Sell" footer link for CCPA compliance
- Cookie Settings button accessible from footer
- Consent preferences persist across visits
What We Verify
- Zero cookies/localStorage set before consent
- Zero network requests to tracking domains before consent
- gtag('consent','default') fires before any config
- gtag('consent','update') fires correctly on Accept
- Reject actually blocks all non-essential tracking
- Pre-consent scan runs on every deploy, automated
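The ordering rule in the two lists above (default before config, update on Accept, nothing fetched until then) is easiest to see in code. The block below is an added example, not Forged or Vigil code. It models the gtag.js consent API in plain JavaScript: gtag() pushes its arguments onto dataLayer exactly as the real snippet does, so the same controller runs in a browser or under Node. It assumes a placeholder measurement ID (G-XXXXXXX), injected navigator/storage/loadScript hooks so it runs offline, and "basic" consent mode, where the tracker script is not fetched at all until storage is granted, which is the behaviour the "zero network requests to tracking domains before consent" check demands. The audit function at the end is the kind of assertion a pre-consent scan makes on the recorded dataLayer.

```javascript
// Added example, not Forged/Vigil code. A minimal model of the gtag.js consent
// API (gtag() pushes its arguments onto dataLayer, exactly as the real snippet
// does) so the ordering and blocking rules above can be exercised offline.
// 'G-XXXXXXX' is a placeholder measurement ID, not a real property.

// Consent Mode v2 signals: the four Google requires. Everything starts denied;
// wait_for_update gives a stored choice a moment to land before tags fire.
const DEFAULT_CONSENT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  wait_for_update: 500,
};
const GRANTED = { ad_storage: 'granted', ad_user_data: 'granted', ad_personalization: 'granted', analytics_storage: 'granted' };
const DENIED = { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied' };

// navigator, storage and loadScript are injected so this runs under Node as well as in a browser.
function createConsentController({ navigator, storage, loadScript }) {
  const dataLayer = [];
  const gtag = function () { dataLayer.push(arguments); };
  let state = { ...DENIED };

  // 1. Default goes first, before gtag('js') and gtag('config'). Tags evaluate whatever
  //    consent state exists at config time, so this order is the whole game.
  gtag('consent', 'default', DEFAULT_CONSENT);
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');

  function apply(next) {
    state = { ...next };
    gtag('consent', 'update', next);
    // "Basic" consent mode: the tracker is not even fetched until storage is granted.
    if (next.analytics_storage === 'granted') loadScript('https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX');
  }

  // 2. GPC is a legally binding opt-out (CCPA/CPRA, CPA, CTDPA ...). It overrides a stale
  //    stored "accept" and cannot be undone by a later click on Accept.
  const gpc = Boolean(navigator && navigator.globalPrivacyControl === true);
  if (gpc) storage.setItem('consent', 'denied');

  // 3. A returning visitor's persisted choice is replayed after the default, never before.
  const saved = storage.getItem('consent');
  if (saved === 'granted' && !gpc) apply(GRANTED);

  return {
    dataLayer,
    state: () => ({ ...state }),
    accept() { if (gpc) return false; storage.setItem('consent', 'granted'); apply(GRANTED); return true; },
    reject() { storage.setItem('consent', 'denied'); apply(DENIED); return true; },
  };
}

// Verification: the assertions a pre-consent scan makes on the recorded dataLayer.
function auditConsentSequence(dataLayer) {
  const calls = dataLayer.map((a) => Array.from(a));
  const idx = (cmd, sub) => calls.findIndex((c) => c[0] === cmd && (sub === undefined || c[1] === sub));
  const def = idx('consent', 'default');
  const cfg = idx('config');
  return {
    defaultBeforeConfig: def !== -1 && cfg !== -1 && def < cfg,
    updates: calls.filter((c) => c[0] === 'consent' && c[1] === 'update').map((c) => c[2]),
  };
}

// Constructed scenario: a visitor with GPC on and a stale "granted" choice saved from
// before they enabled it. Nothing may load, and Accept must be refused.
function demo() {
  const loaded = [];
  const store = new Map([['consent', 'granted']]);
  const ctl = createConsentController({
    navigator: { globalPrivacyControl: true },
    storage: { getItem: (k) => (store.has(k) ? store.get(k) : null), setItem: (k, v) => store.set(k, v) },
    loadScript: (url) => loaded.push(url),
  });
  const acceptedAnyway = ctl.accept();
  return { acceptedAnyway, loaded: loaded.length, state: ctl.state(), audit: auditConsentSequence(ctl.dataLayer) };
}
```

`demo()` reports that Accept was refused, no script was loaded, every signal is still denied, and the default landed before config. Swap the navigator for one without GPC and Accept loads exactly one tracker URL and pushes a granted update; Reject pushes a denied one, which is the "Reject actually blocks" check in miniature.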
Continuous Verification
Compliance isn't a one-time checkbox. It's a continuous process.
Most agencies run a compliance audit once during the build, hand you a report, and walk away. Six months later the site has new pages, updated content, and broken accessibility nobody noticed. Our approach is different: Vigil runs the full 18-check audit on every deploy, and a fast subset on every page edit. Compliance is verified continuously, not annually.
The Verification Cycle:
On Every Page Edit
Fast check (~30 seconds): security headers, accessibility scan on changed page, pre-consent cookie verification. Results appear as a notification to the building agent. Advisory — flags issues immediately.
Before Every Deploy
Full audit (2-5 minutes): all 18 checks across every page. Two independent AI substrates review the results separately. Blocking — the site does not go live until both pass.
Daily Monitoring
Automated daily sweep of all deployed sites. Regression alerts if any score drops below its previous grade. Results stored in the compliance database with full history.
Public Proof
Every Forged Site includes a /compliance-report page showing current scores, last verification date, and check-by-check results. Always current. Always public. Always auditable.