
Our Compliance Standard

We don't bolt compliance on after the fact. We build it into the foundation. Here is exactly what every Forged Site includes and how we verify it continuously.

Verified 2026-04-22

Dual-Substrate Reference-Grade Verified

As of 2026-04-22, idfs.ai has passed independent compliance audits from two different AI substrates (Claude-Vigil and Gemini-Vigil), both running the same 18-check WCAG 2.2 AA plus privacy plus security battery. Both independently concluded: 🟢 GREEN, zero P0 items, reference implementation quality.

What that means:

  • WCAG 2.2 AA: zero axe violations sitewide. Every Vigil-tier mobile accessibility score: 100.
  • Security headers: 6 of 6 present on every page (HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy).
  • Consent Mode v2 plus GPC: zero trackers fire before consent. Global Privacy Control requests are automatically honored.
  • Privacy pages: all five (Privacy, Terms, Cookie Policy, Accessibility, Do Not Sell) present and footer-linked.
  • 18 of 18 compliance checks cleared.

This is the methodology we ship to every IDFS AI client. Each Forged Site is built against the same battery before it goes live, and every production deploy is re-audited post-ship.

1. Accessibility (WCAG 2.2 AA)

Every person can use every page.

We conform to the Web Content Accessibility Guidelines (WCAG) 2.2 at the AA level — the standard referenced by the Americans with Disabilities Act (ADA), Section 508, and the European Accessibility Act. This is not an overlay. The actual HTML, CSS, and ARIA markup is written to be accessible from the source.

What This Means in Practice:

  • Color contrast of at least 4.5:1 on all text, verified programmatically on every page
  • Keyboard navigation works on every interactive element — skip-navigation links, visible focus rings, no keyboard traps
  • Screen reader compatibility — semantic HTML, ARIA landmarks, meaningful alt text on every image, proper heading hierarchy
  • Touch targets meet the WCAG 2.2 minimum of 24×24px on desktop and 44×44px on mobile
  • Reduced motion support — animations respect the user's system preferences
  • Focus not obscured — sticky headers and cookie banners never hide the focused element

2. Privacy (State-Specific)

Your privacy policy references your state's actual law.

Every Forged Site includes a privacy policy, terms of service, and cookie policy that are specific to the jurisdiction where the business operates. Not a generic template — actual references to the laws that apply to you.

State Privacy Laws We Cover:

  • California (Active): CCPA / CPRA — "Do Not Sell or Share" footer link, GPC signal honored, specific consumer rights disclosures
  • New Jersey (Active): NJDPA — Explicit consent for sensitive data, right to limit use, financial data protections
  • Virginia (Active): VCDPA — Right to opt out of targeted advertising, profiling, and data sale
  • Colorado (Active): CPA — Universal opt-out mechanism required, GPC signal honored
  • Connecticut (Active): CTDPA — Data sale and targeted advertising disclosure requirements
  • Texas (Active): TDPSA — Data processing agreement terms, specific category disclosures
  • Oregon (Active): OCPA — Opt-out signal recognition, children's data protections
  • Montana (Active): MCDPA — Standard consumer rights framework for data privacy

3. Security (Headers & Hardening)

Six headers that most agencies don't know exist.

Every Forged Site ships with enterprise-grade HTTP security headers. These prevent clickjacking, script injection, MIME-type attacks, and information leakage. Most small business websites have zero security headers. Ours have six, configured strictly.

Strict-Transport-Security

Forces HTTPS with preload — prevents downgrade attacks and man-in-the-middle interception

Content-Security-Policy

Explicitly whitelists which scripts, styles, and resources can load — blocks cross-site scripting (XSS)

X-Frame-Options

Prevents your site from being embedded in a malicious iframe — blocks clickjacking attacks

X-Content-Type-Options

Stops browsers from guessing file types — prevents MIME-type confusion attacks

Referrer-Policy

Controls what information is sent when users navigate away — prevents data leakage to third parties

Permissions-Policy

Disables camera, microphone, geolocation, and tracking APIs that your site doesn't need
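
A sketch of how the six-header check described above can be automated, added here as an illustration and not Vigil's own code. The function name, both sample responses, and the pass criteria for HSTS (one-year max-age with includeSubDomains and preload), CSP (no `*` or `'unsafe-inline'` script sources) and Permissions-Policy (empty allowlists) are assumptions of this example.

```python
import re

# Fixed values the page names for three of the six headers.
EXACT = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def audit_headers(raw):
    """Return findings for a dict of response headers; empty list means pass."""
    h = {k.lower(): v.strip() for k, v in raw.items()}
    out = [f"{n}: expected {want}, got {h.get(n, '<missing>')}"
           for n, want in EXACT.items() if h.get(n, "").lower() != want]
    # HSTS with preload: max-age of at least one year, includeSubDomains, preload.
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 31536000:
        out.append("strict-transport-security: max-age missing or under one year")
    out += [f"strict-transport-security: missing {t}"
            for t in ("includesubdomains", "preload") if t not in hsts]
    # CSP as an allowlist: script sources must not be '*' or 'unsafe-inline'.
    parts = [d.split() for d in h.get("content-security-policy", "").split(";")]
    csp = {p[0].lower(): p[1:] for p in parts if p}
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        out.append("content-security-policy: no script-src or default-src")
    elif "*" in scripts or "'unsafe-inline'" in scripts:
        out.append("content-security-policy: script sources not restricted")
    # Permissions-Policy: an empty allowlist "()" disables the feature.
    pp = h.get("permissions-policy", "").replace(" ", "").split(",")
    out += [f"permissions-policy: {f} not disabled"
            for f in ("camera", "microphone", "geolocation") if f"{f}=()" not in pp]
    return out

# Constructed sample responses (not captured from any real site).
STRICT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {**STRICT, "X-Frame-Options": "SAMEORIGIN",
        "Strict-Transport-Security": "max-age=86400",
        "Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Permissions-Policy": "camera=(self), geolocation=()"}
print("\n".join(audit_headers(WEAK)))
```

A header that is present but loosely configured, as in the WEAK sample, still counts toward a "6 of 6 present" tally, which is why the check compares values and not only names.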

5. Continuous Verification

Compliance isn't a one-time checkbox. It's a continuous process.

Most agencies run a compliance audit once during the build, hand you a report, and walk away. Six months later the site has new pages, updated content, and broken accessibility nobody noticed. Our approach is different: Vigil runs the full 18-check audit on every deploy, and a fast subset on every page edit. Compliance is verified continuously, not annually.

The Verification Cycle:

On Every Page Edit

Fast check (~30 seconds): security headers, accessibility scan on changed page, pre-consent cookie verification. Results appear as a notification to the building agent. Advisory — flags issues immediately.

Before Every Deploy

Full audit (2-5 minutes): all 18 checks across every page. Two independent AI substrates review independently. Blocking — the site does not go live until both pass.

Daily Monitoring

Automated daily sweep of all deployed sites. Regression alerts if any score drops below its previous grade. Results stored in the compliance database with full history.

Public Proof

Every Forged Site includes a /compliance-report page showing current scores, last verification date, and check-by-check results. Always current. Always public. Always auditable.

Ready for a Site That's Actually Compliant?

Every Forged Site includes Vigil's full compliance standard. No add-ons. No monthly fees. Just a website that works for everyone and proves it.
