Reports · Compliance & signing pack

Conformance you can sign — and defend.

The Conformance Pack is one signed artifact an auditor accepts: the automatable slice measured and gated, the rest declared by a named person, measured-vs-declared never blurred. We measure; you declare; we never certify.

What's inside

One pack, everything an auditor asks for.

A named-person signature

The declaration is signed by a named declarant and frozen into immutable, tamper-evident bytes — a SHA-256 you can re-verify. It may honestly conclude "does not fully conform".

Measured vs declared, never blurred

Every line carries its provenance: tool-verified · evidence-assisted · AI-drafted-and-reviewed · human attestation — so an auditor sees exactly which claims a machine stands behind and which a person does.

The evidence register

A PII data-flow map, SARIF findings and a CycloneDX SBOM travel inside the pack — embedded or referenced with a hash — the supply-chain trail CRA, DORA and NIS2 ask for.

The keystone

The failure-gate you can't quietly pass.

Integrity

A caught failure locks the control.

A control the measurement caught failing is pre-set to Fail and locked. Marking it Pass requires a written justification — reproduced in full in the artifact's Integrity section. A thermometer you can hide readings from is rigged; this one can't be.

Honesty guardrails

What the pack will never claim.

It does not certify — no notified body, no competent authority. A clean automated result is necessary, not sufficient. Nothing is signed without a human, and organizational controls are recorded as human attestation — never dressed up as tool evidence.

The catalog

Ten frameworks, framed for the regulated buyer.

EU-regulated regimes first — then the engineering and supply-chain standards that feed them.

NIS2 · DORA · GDPR (technical)

The regimes with supervision and management accountability up front — measured slices, gated failures, and the declaration your organization actually owes.

SSDF · SLSA · OWASP ASVS · WCAG 2.2 · ISO 27001 · CRA · EN 301 549

The rest of the ten-framework catalog, each with the same three-way split: tool-evidenced, evidence-assisted, human attestation.

Self-assess free; sign paid. Working the controls costs nothing — signing and exporting the tamper-evident Conformance Pack is the paid activation.

Accessibility · EAA · EN 301 549 · WCAG 2.2

Accessibility conformance — sign it here, and make it binding.

Watchdog measures accessibility readiness and never claims conformance — the signed declaration and the binding clause are the business artifacts, and they live here.

The signed ACR / VPAT

A named declarant signs the accessibility declaration.

The WCAG-EM self-assessment freezes into a tamper-evident ACR/VPAT — a SHA-256 you can re-verify, the evidence travelling inside it. It may honestly conclude "does not fully conform." Watchdog measures readiness; the conformance claim is the declarant's — we never certify.

The opt-in contract clause

Watchdog Accessible Web Delivery — Conformance

Bind it into an acceptance-criteria profile: the delivered web product is assessed for accessibility (declared lens, binding), and a current, signed accessibility conformance self-declaration must exist for the accepted run. Opt-in — the readiness-only profile stays readiness-only; it never claims conformance.

Stop filing conformance you can't evidence.

We measure; you declare; we never certify.