March 30, 2026 · fix

Compliance Audit — 21 Findings Resolved

Comprehensive compliance audit addressing accessibility, content accuracy, and privacy.

A full compliance audit identified 21 findings across accessibility, content accuracy, and privacy — all resolved in this sprint.

  • Cookie consent banner — A non-intrusive banner now appears on first visit, allowing users to accept or reject non-essential cookies in compliance with both GDPR and CCPA requirements, with preferences persisted in localStorage and respected across sessions.
  • ARIA labels and htmlFor fixes — All form inputs, interactive buttons, and icon-only controls now carry proper ARIA labels and htmlFor attributes, ensuring screen readers can navigate every page without encountering unlabeled elements.
  • Marketing claims qualified — The "30 seconds" AI analysis speed claim was reviewed and qualified with "as fast as" or "typically under" language across 12 MDX content files to ensure accuracy and avoid misleading performance guarantees.
  • Security headers hardened — Response headers now include strict HSTS with a one-year max-age and includeSubDomains, X-Frame-Options set to DENY, X-Content-Type-Options set to nosniff, and Referrer-Policy set to strict-origin-when-cross-origin.
  • Dependency vulnerability patches — All npm audit findings were resolved by upgrading transitive dependencies, pinning vulnerable package versions, and replacing one abandoned library with a maintained alternative, bringing the audit to zero critical or high findings.
  • Tenant references removed — Every instance of "tenant" in UI labels, API responses, database comments, and documentation was replaced with "vendor" to reflect the platform's vendor-only launch scope and prevent confusion for early adopters.
  • Privacy policy alignment — The privacy policy and terms of service pages were updated to match the actual data collection practices, including PostHog analytics, Stripe payment processing, and Supabase authentication, with specific data retention periods disclosed.
  • Alt text audit — All decorative and informational images across marketing and dashboard pages were reviewed to ensure decorative images carry empty alt attributes and informational images have descriptive alt text that conveys meaning without redundancy.
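
The header values listed under "Security headers hardened" can be verified mechanically against a live or recorded response. The following is an added example, not Inori's own code; the function names, finding labels, and sample responses are constructed for illustration.

```javascript
// Added example (not Inori's code): audit response headers against the
// values listed in the changelog. Names and sample data are constructed.
const ONE_YEAR = 31536000; // seconds
function parseHsts(value) {
  // "max-age=31536000; includeSubDomains" -> { maxAge, includeSubDomains }
  const result = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const [key, raw = ""] = part.trim().split("=");
    const name = key.trim().toLowerCase(); // directive names are case-insensitive
    if (name === "max-age") {
      const digits = raw.trim().replace(/^"|"$/g, ""); // value may be quoted
      if (/^\d+$/.test(digits)) result.maxAge = Number(digits);
    } else if (name === "includesubdomains") {
      result.includeSubDomains = true;
    }
  }
  return result;
}

function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalize before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  const hsts = parseHsts(h["strict-transport-security"] || "");
  if (hsts.maxAge === null || hsts.maxAge < ONE_YEAR) findings.push("hsts-max-age");
  if (!hsts.includeSubDomains) findings.push("hsts-includeSubDomains");
  const exact = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
  };
  for (const [name, want] of Object.entries(exact)) {
    if ((h[name] || "").toLowerCase() !== want) findings.push(name);
  }
  return findings; // an empty array means the response matches the policy
}

// Constructed sample responses: one hardened, one weak.
const hardened = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
const weak = { "Strict-Transport-Security": "max-age=86400", "X-Frame-Options": "SAMEORIGIN" };
console.log(auditSecurityHeaders(hardened), auditSecurityHeaders(weak));
```

Running a check like this in CI against each deployed route catches a header that regresses after a framework or proxy configuration change.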