ADAComplianceDocs

Integrity Statement · v1.0

How adacompliancedocs implements the Integrity Framework.

This document records how the Integrity Framework v1.0 layers and the Startvest Trust Principles are implemented in this product. Where a layer or principle is not yet implemented, this document says so and states what closes the gap.

Version 1.0 · Last reviewed 2026-04-25 · Next review 2026-07-25 · Operates under The Integrity Framework v1.0

What adacompliancedocs sells

A platform for SMBs to produce and maintain ADA / WCAG compliance documentation. Not certifications. Two surfaces: a marketing site with free SEO content and templates, and a dashboard product at /dashboard for structured logging of policies, statements, audits, remediation, training, vendors, feedback, incidents, and changes. PDF export of the good-faith effort record.

Customers pay for the documentation tooling. The product never sells “your site is compliant.” Statements are customer-published. Audits are customer-resolved. ADA compliance is the most failure-prone trust category in this framework's design. Overlay vendors collapsed for selling stamps. adacompliancedocs is built on the inverse premise.

Layer 1: pre-build vetoes

Veto 1

Artifact versus outcome

PASS

Sells the documentation outcome. Marketing copy: “court-ready documentation,” “good faith effort record.” No ADA-certified badge issued. PDF export is evidence of work, not the product. Without the platform, the customer would still need the work done. The platform makes it tractable.

Veto 2

Independence

STRONG PASS

Startvest does not perform human ADA audits and does not certify customer sites. Audits are mechanical (axe-core via Puppeteer) or imported from third parties. Zero financial conflict. Startvest never gets paid to declare a customer compliant.

Veto 3

Verifiability

PASS (with one Layer 2 gap)

Audit findings come from axe-core (src/lib/scan.ts). Mechanical scanning, deterministic per WCAG ruleset. Findings carry a Source field (axe, wave, lighthouse, or manual). Statement, policy, training, vendor, incident, and change records are customer-attested.

Customer-attested and mechanically-verified fields coexist. The conformance statement carries a customer-set conformanceStatus. The publish guard (Layer 2 Constraint 3, below) blocks full publishes when critical or serious findings remain open.

Veto 4

AI accountability

PASS

AI is narrowly scoped to prose polish of customer-drafted incident response letters (src/app/api/incidents/[id]/polish/route.ts). System prompt explicitly forbids adding facts, concessions, admissions, or commitments. Customer reviews polished output before sending. AI does not generate audit findings, conformance claims, or any compliance verdict. Anthropic is the provider, disclosed on the privacy page.

Veto 5

Pricing-rigor alignment

PASS

Per-site subscription. Not per-audit. No “unlimited audits” pressure. Annual discount standard. No certificate upsell. No verification-badge tier.

Veto 6

The TechCrunch test

PASS

Marketing copy explicitly rejects the overlay-vendor model and references the FTC / accessiBe action by name. Terms disclaim legal advice. Privacy page commits to no AI training on customer findings. The court-defensibility framing is the central pitch. Claims are limited to what the documentation chain can prove.

Layer 2: architectural constraints

Status table for the seven framework constraints as implemented in adacompliancedocs.

| Constraint | Status | Implementation |
| --- | --- | --- |
| Evidence chain integrity | IMPLEMENTED | Platform_AuditFindings references AuditId; audits reference OrgId. Findings carry Source for traceability. PDF export cites finding counts per audit. |
| AI output review gates | IMPLEMENTED (narrow scope) | Polish endpoint produces a draft; customer reviews + edits before sending. AI not in audit / statement / conformance path. |
| Customer self-attestation isolation | PARTIAL | Customer-attested vs system-verified fields exist but are not visually distinguished in the dashboard UI yet (open gap). The conformanceStatus=full publish guard is enforced via checkConformanceGuard in src/lib/statements.ts. Hard-block by default; explicit acknowledgeOpenFindings=true override is permitted but audit-logged. CI rule CRIT-SV-CONFORMANCE-CLAIM-GUARD enforces the guard pattern. |
| Reproducibility | PASS | axe-core version pinned via lockfile. Platform_Audits.AxeVersion and ScannerEngine columns shipped. New scans stamp the active axe-core version at import. Re-stamp prevention: subsequent imports against an existing audit row leave the version alone. |
| Evidence retention | PARTIAL | Soft-delete on org. Account data retained 30 days post-cancellation per privacy page. Gap: no statutory retention for audit / remediation evidence. Pending policy definition. |
| Independent verification hooks | NEEDS UPDATE | DSAR export covers customer self-export. Gap: no auditor-scoped read-only role for an external accessibility consultant or counsel. Pending. |
| Failure transparency | PASS | New findings default to open; status only advances via explicit action. No auto-resolve. Quickscan fallback explicitly labeled “catches about 30 percent of what axe-core would.” No silent degradation. |
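
A guard of the shape described in the "Customer self-attestation isolation" row, written here as an added TypeScript example; it is not the project's code from src/lib/statements.ts. The function and error names come from this page; the signature, the request and finding fields, the audit-log entry shape, and the sample findings are assumptions.

```typescript
// Added illustration. Names marked "assumed" are not taken from src/lib/statements.ts.
type Severity = "critical" | "serious" | "moderate" | "minor";
interface Finding { id: string; severity: Severity; status: "open" | "resolved"; }
interface PublishRequest {
  orgId: string;                      // assumed field
  actor: string;                      // assumed field: who is publishing
  conformanceStatus: string;          // "full" is the only value named on the page
  acknowledgeOpenFindings?: unknown;  // untyped on purpose: it arrives from a request body
}
interface AuditEntry { at: string; orgId: string; actor: string; action: string; findingIds: string[]; }

class ConformanceGuardBlockedError extends Error {
  findingIds: string[];
  constructor(findingIds: string[]) {
    super("conformanceStatus=full blocked by " + findingIds.length + " open critical/serious finding(s)");
    this.name = "ConformanceGuardBlockedError";
    this.findingIds = findingIds;
  }
}

// Throws unless the publish is allowed. An accepted override appends to auditLog.
function checkConformanceGuard(req: PublishRequest, findings: Finding[], auditLog: AuditEntry[]): void {
  if (req.conformanceStatus !== "full") return; // the guard covers "full" claims only
  const blocking = findings
    .filter(f => f.status === "open" && (f.severity === "critical" || f.severity === "serious"))
    .map(f => f.id);
  if (blocking.length === 0) return;
  // Hard block by default: only the boolean true overrides, not "true", 1 or a missing field.
  if (req.acknowledgeOpenFindings !== true) throw new ConformanceGuardBlockedError(blocking);
  auditLog.push({ at: new Date().toISOString(), orgId: req.orgId, actor: req.actor,
                  action: "conformance_guard_override", findingIds: blocking });
}

// Constructed sample data: one open critical, one resolved serious, one open moderate.
const sampleFindings: Finding[] = [
  { id: "F-1", severity: "critical", status: "open" },
  { id: "F-2", severity: "serious", status: "resolved" },
  { id: "F-3", severity: "moderate", status: "open" },
];

// Returns "published", or the error name plus the blocking finding ids.
function publishOutcome(req: PublishRequest, log: AuditEntry[]): string {
  try { checkConformanceGuard(req, sampleFindings, log); return "published"; }
  catch (e) {
    const err = e as ConformanceGuardBlockedError;
    if (err.name !== "ConformanceGuardBlockedError") throw e;
    return err.name + ":" + err.findingIds.join(",");
  }
}
```

The audit entry records which findings were open at the moment of the override, so a later resolution of those findings does not erase the fact that a full claim was published over them.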

Layer 3: operational guardrails

| Guardrail | Status | Reference |
| --- | --- | --- |
| Refund-on-failure clause | NEEDS UPDATE | Standard SaaS no-refund terms today. Pro-rated refund clause for documented errors in scan output or report bundle is drafted, not yet rolled into MSA. |
| Public methodology page | PASS | Live at /methodology. Documents the scan path, statement publish flow, AI accountability, retention, and failure modes. Versioned with changelog. CI rule HIGH-SV-METHODOLOGY-VERSIONED blocks merges that update the page without a Version + Changelog header. |
| Annual independent audit | OUT-OF-SEGMENT | adacompliancedocs sells SMB-tier ADA documentation to small-business owners reacting to demand letters. SOC 2 is not on this segment's procurement checklist and won't be at this category's price point. Framework conformance is the load-bearing trust signal here. Independent accessibility-expert review of axe-core integration + report output is currently unfunded and will engage when funded. |
| Customer-side compliance owner | PARTIAL | SMBs often lack a dedicated compliance owner. Sales qualification: identify the person responsible for the documentation chain at the customer (operations / legal / IT lead). Without one, the documentation will rot. Disqualify or set explicit handoff. |
| Whistleblower channel | NEEDS UPDATE | Set up integrity@startvest.ai with quarterly external counsel review. |
| Accountability community | NEEDS UPDATE | Identify accountability community: disability rights advocates, accessibility consultants, plaintiff attorneys representing accessibility complainants. Free tier or pack to invite scrutiny. |
| Public kill criteria | PASS | Live at /service-standards. Specific thresholds for scan accuracy floor, statement publish guard, quickscan fallback labeling, regulatory response window, audit log integrity. |

Vendor scorecard

Self-assessment against the framework's standardized scorecard.

| # | Question | adacompliancedocs |
| --- | --- | --- |
| 1 | Public methodology page exists? | YES — /methodology |
| 2 | Refund-on-failure clause in standard MSA? | NO. Drafted, not yet rolled into MSA. |
| 3 | Independent third-party audit, annually, with public findings? | NO. Deferred pending external funding. Engagement cost is currently unfunded. Moves to PARTIAL once funding is secured and an engagement letter is signed; YES only after a completed cycle with public findings. |
| 4 | Per-product INTEGRITY.md in public repo? | YES. This statement. |
| 5 | AI output review gate structurally enforced? | YES. Polish endpoint produces a draft; customer reviews + edits before sending. AI not in audit / statement / conformance path. |
| 6 | Public kill criteria with specific thresholds? | YES — /service-standards |

Score: 4 YES / 0 PARTIAL / 2 NO. Row 2 is drafted and pending finalization. Row 3 is deferred pending external funding. Published honestly rather than relabeling deferred work as “scheduled” or “in flight.”

Outstanding gaps

  • Customer-attested vs system-verified UI distinction missing in the dashboard. Add visual badging.
  • Auditor read-only role missing. Add for external accessibility consultants and counsel.
  • MSA refund-on-failure clause not yet rolled in.
  • Accountability community not yet identified.

Each of these is named here rather than hidden because the framework treats hidden gaps as a Layer 1 Veto 3 failure.

Changelog

v1.0, dated 2026-04-25

  • Platform_Audits.AxeVersion and ScannerEngine columns shipped. Layer 2 Constraint 4 (Reproducibility) flips PARTIAL → PASS.
  • Conformance-claim guard shipped. checkConformanceGuard + ConformanceGuardBlockedError in src/lib/statements.ts block conformanceStatus=full publishes when critical or serious axe findings are open. Override permitted via acknowledgeOpenFindings=true but audit-logged.
  • Methodology page and service standards page shipped. Layer 3 guardrails for “Public methodology page” and “Public kill criteria” now PASS. Vendor scorecard rows 1 and 6 flip from NO to YES.
  • Cited The Integrity Framework v1.0 in the header. Vendor scorecard self-assessment added.
  • Initial INTEGRITY.md created. audits/rules/architectural-rules.json initialized with framework rules including the conformance-claim guard.

Contact

Integrity reports: integrity@startvest.ai. Monitored quarterly by external counsel.

Reviewer: Tom Pinder, Founder. Next scheduled review: 2026-07-25.