Where your audit data lives, and who can see it.
Site Brace runs flat-fee WCAG 2.1 Level AA audits on any website. The data we touch is narrow: the URL you want audited, the email where the report should land, optional page lists, and the payment metadata that confirms you bought the audit. This page documents exactly what we collect, where it lives, who has access, what we never do, how long we keep it, what to do if something goes wrong, and (candidly) what we are not yet certified for. If anything here is unclear, reach out through the contact form with subject SECURITY.
Operated by: Aliso LLC dba Site Brace. Related: Privacy Policy, Terms of Service.
What we collect
Two surfaces, both customer-initiated. Nothing is collected passively: there is no analytics, no third-party script, no marketing pixel, and no tracking cookie on sitebrace.com.
The intake form at /audit. Four fields, plus payment.
- Website URL you want audited.
- Email address where the report should be delivered.
- Optional page list (up to 25 specific URLs) if you want a manual scope instead of sitemap-driven discovery.
- Optional maximum page count.
- Payment metadata: Stripe handles your card; Site Brace never sees the card number, CVC, or full account details. We receive only Stripe's success token, the charge ID, the amount, and the email associated with the purchase.
The contact form at /contact. Name, email, optional company, subject line, and your message. Used to reply to you and (if you later become a customer) to associate your audit with an existing record.
The marketing site sets one local-storage flag (sitebrace-notice-dismissed-v1) when you dismiss the privacy notice. The flag never leaves your browser, never transmits to Site Brace, and never identifies you.
Where the data lives
The marketing site (sitebrace.com). Static HTML, CSS, JavaScript, and images served by Cloudflare Pages. No database, no analytics warehouse, no server-side session store. The intake endpoint at api.sitebrace.com runs on Cloudflare Workers.
Intake metadata and customer records. Your email address, the audit URL, the audit slug, and payment status live in our HubSpot customer-relationship-management system, plus in the Cloudflare Workers KV record that drives the audit job. The HubSpot account is dedicated to Site Brace; data is not co-mingled with any other business the operator runs.
Audit reports and per-page scan results. Stored in Cloudflare R2 object storage and served from audit.sitebrace.com behind cryptographically random URL paths (about 192 bits of entropy). The audit subdomain is configured to block search engines, block known AI training crawlers via robots.txt, return X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noimageindex on every URL, and include the equivalent <meta name="robots"> tag in every rendered page.
The audit pipeline. Per-audit jobs run inside GitHub Actions. The runner fetches your target URLs, runs axe-core inside a headless Chromium browser via Playwright, writes the result back to R2, then terminates. Nothing intermediate persists on the runner.
Email transit. Transactional email (intake confirmation, report-ready notification, re-scan notification) is sent via Resend from mail.sitebrace.com. Replies and operator-initiated mail use Brevo as a sending relay. Inbound mail to hello@sitebrace.com is forwarded by Cloudflare Email Routing. Audit report content never travels through email; emails contain links to the report URL, not the report itself. For customer correspondence, please use the contact form.
Who has access
- Aliso LLC personnel with operator scope. Today this is the founder. Access to Cloudflare, HubSpot, GitHub, Resend, Brevo, and Stripe consoles is via two-factor authentication. Console actions are audit-logged by the underlying provider.
- You. Your audit-report URL is sent only to the email you provided on intake. The URL is your access gate; anyone you forward it to can view the report for the duration of the 12-month retention window.
- Cloudflare as our infrastructure subprocessor for Pages, Workers, R2, Email Routing, and DNS.
- HubSpot as our customer-relationship-management subprocessor for your contact record and audit-status history.
- Resend as our transactional email subprocessor (intake confirmations, report-ready emails, re-scan notifications).
- Brevo as our sending-relay subprocessor for operator-originated replies from hello@sitebrace.com.
- Stripe as our payment subprocessor. Stripe sees your card and billing details; Site Brace never does.
- GitHub as our pipeline subprocessor. The audited URL and per-page scan output pass through the GitHub Actions runner for the duration of each audit; nothing persists there after the job finishes.
The full data-flow narrative, with the same provider list and what each handles, is in the Privacy Policy.
What we never do
- We never deploy an overlay widget. Site Brace does not sell, recommend, or install accessibility overlays, accessibility widgets, or any JavaScript that injects ARIA attributes at runtime. Overlays are not on our roadmap.
- We never promise legal compliance. We deliver a technical conformance report against WCAG 2.1 Level A and AA. We do not certify ADA compliance, Section 508 compliance, European Accessibility Act compliance, or AODA compliance. Those are legal determinations a lawyer makes, not a deliverable an automated audit produces.
- We never train AI models on your data. Not on your audit URL, your audit results, your contact-form messages, or anything else you send us. The audit-report subdomain explicitly blocks GPTBot, ChatGPT-User, CCBot, Google-Extended, anthropic-ai, ClaudeBot, PerplexityBot, FacebookBot, Bytespider, and Amazonbot in robots.txt and via X-Robots-Tag.
- We never transit audit report content through email. Emails contain links to the report stored in R2; the report bytes themselves never leave the audit subdomain via email.
- We never sell, share, or rent your data. Not for analytics, not for marketing, not for any commercial purpose. The subprocessor list above is the complete list of third parties that touch your data, and each one is a processor under our instructions.
- We never set tracking cookies on the marketing site. Zero first-party cookies, zero third-party cookies, zero analytics scripts, zero marketing pixels.
How long we keep it
- Audit report and per-page scan results in audit.sitebrace.com R2 storage: 12 months from delivery, then automatically deleted. Re-scans extend the access window for the individual re-scan files; the original audit's 12-month clock stays fixed.
- Intake record and customer-relationship-management record (email, audited URL, audit slug, payment status) in HubSpot and Workers KV: retained for the 12-month audit-access period so you can return to your report and run the 12 included re-scans. Deleted within 30 business days of a deletion request.
- Contact-form messages: retained while the relationship is active. Deleted within 30 business days of a deletion request.
- Email correspondence in Resend, Brevo, and Cloudflare Email Routing logs: retained per each provider's default while the relationship is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out.
- Paid invoices and tax records retained by Stripe and by Site Brace: 7 years, as required by United States and California tax and accounting law. We can scrub your name and company from any draft, unpaid, or voided invoice on request; paid-invoice records cannot be deleted during the retention period.
- Local-storage notice-dismissed flag (sitebrace-notice-dismissed-v1): set in your browser only; never transmitted to Site Brace or any third party. Persists until you clear browser site data.
Earlier deletion of any data not subject to the legal-records carve-out can be requested through the contact form. The full retention policy and your data-subject rights (access, rectification, deletion, portability, objection) are in the Privacy Policy.
If something goes wrong
Breach notification. If we confirm unauthorized access to, loss of, or unauthorized disclosure of your personal data or audit content, we notify affected customers within 72 hours of confirmation. The notification describes the nature of the incident, the data categories involved, the containment and remediation steps we have taken, and any action we recommend you take.
Vulnerability disclosure and security questions. Use the contact form with subject SECURITY for any suspected vulnerability, suspected incident, or general security inquiry. We do not list a security mailbox separately because routing through the contact form puts the request into the same ticketing flow that pages the operator immediately. We commit to acknowledging within one business day and substantively responding within five business days. Please do not publicly disclose a suspected vulnerability before we have had a reasonable opportunity to investigate and remediate.
If you accidentally shared your audit report URL (a public Slack channel, a public GitHub issue, a forum post), contact us through the same channel and we will rotate the URL: the old path returns 410 Gone, a new path is issued, and the new link is sent to the email on file. The 12-month access clock is preserved across the rotation.
Compliance posture, honestly
Site Brace runs accessibility audits for a living, so we hold our own marketing site to the same standard we sell. Here is what that means concretely, and where the honest gaps are.
WCAG conformance target for sitebrace.com. WCAG 2.1 Level AA, the same target the U.S. Department of Justice cited in its April 2024 Title II web rule and the same target our $149 audit produces for customers. We test against all 30 Level A criteria and 20 Level AA criteria.
Methodology. Automated and manual, in that order.
- Automated. Every published page on sitebrace.com is run through axe-core (the same rule engine we ship to customers) inside a Chromium 131 headless browser driven by Playwright. The audit covers the catalog of approximately 90 axe-core rules mapped to WCAG 2.1 A and AA success criteria. Automated testing catches roughly 30 to 40 percent of WCAG issues; the rest needs human eyes.
- Manual. The operator runs a quarterly manual pass covering the items axe-core cannot detect: alt-text quality, link-context clarity, focus-order in form interactions, screen-reader behavior with VoiceOver on macOS and NVDA on Windows, keyboard-only navigation across the primary nav and the intake form, color-contrast spot checks for any new visual treatment, and zoom and reflow at 200 percent and 400 percent. Findings are tracked alongside customer audit findings in the same backlog.
- Frequency. Automated axe-core runs on every deploy as part of the build pipeline (see site_build.py). Manual pass quarterly and on any major content change.
- Current accessibility statement. We have not yet posted a formal accessibility statement page. The next published version of this page will link to one; for now, the Privacy Policy and this Security page jointly cover the relevant disclosures.
What we are not certified for.
- SOC 2: not currently certified. Planned once customer count justifies the audit cost. If your procurement requires SOC 2 today, contact us via contact form, subject SECURITY; we can provide a subprocessor list, security questionnaire responses, and copies of each upstream provider's SOC 2 attestation as an interim.
- ISO 27001: not currently certified.
- PCI DSS: not applicable to Site Brace directly. Stripe handles all card data and is itself PCI DSS Level 1 certified; Site Brace never sees, stores, or transmits cardholder data.
- HIPAA: not applicable. We do not collect, store, or process Protected Health Information. Customers should not include PHI in the URL list, the contact form, or any email; if you do, we will remove it on request.
- GDPR / UK GDPR: we operate from the United States and serve customers worldwide. Where European Union or United Kingdom data-protection law applies, we honor the rights and timelines in the Privacy Policy. We have not appointed an EU representative under Article 27; our processing volume does not currently require one.
- State privacy laws (CCPA / CPRA / VCDPA / CTDPA / etc.): we honor data-subject access, rectification, and deletion requests on the timelines described in the Privacy Policy. We do not sell or share personal information.
If any of these gaps is a blocker for your procurement, ask. We respond to security questionnaires in writing and can usually turn one around within five business days.
How to verify these claims
This page is a public commitment. Two ways to confirm what it says.
- Read the binding documents. The Terms of Service and Privacy Policy are the agreements you accept when you submit the intake form or pay for an audit. If anything on this page differs from those documents, the legal documents govern.
- Ask a security or procurement question. Use the contact form with subject SECURITY and we will respond in writing within five business days, or sooner where the question is urgent.
Last reviewed: May 10, 2026.