Conformance you can sign — and defend.
The Conformance Pack is one signed artifact an auditor accepts: the automatable slice measured and gated, the rest declared by a named person, measured-vs-declared never blurred. We measure; you declare; we never certify.
One pack, everything an auditor asks for.
A named-person signature
The declaration is signed by a named declarant and frozen into immutable, tamper-evident bytes — a SHA-256 you can re-verify. It may honestly conclude "does not fully conform".
Measured vs declared, never blurred
Every line carries its provenance: tool-verified · evidence-assisted · AI-drafted-and-reviewed · human attestation — so an auditor sees exactly which claims a machine stands behind and which a person does.
The evidence register
A PII data-flow map, SARIF findings and a CycloneDX SBOM travel inside the pack — embedded or referenced with a hash — the supply-chain trail CRA, DORA and NIS2 ask for.
The failure-gate you can't quietly pass.
A caught failure locks the control.
A control the measurement caught failing is pre-set to Fail and locked. Marking it Pass requires a written justification, reproduced in full in the artifact's Integrity section. A thermometer whose readings you can hide is rigged; this one's readings stay on the record.
What the pack will never claim.
It does not certify — no notified body, no competent authority. A clean automated result is necessary, not sufficient. Nothing is signed without a human, and organizational controls are recorded as human attestation — never dressed up as tool evidence.
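What the failure gate, the provenance split and the hash-frozen artifact look like when written down as rules a program enforces, as an added example: this is hypothetical code written for this page, not Watchdog's own format or implementation. It assumes a pack is a JSON document serialised canonically (sorted keys, no whitespace) so that the SHA-256 is reproducible, that evidence is referenced by content hash, that a measured Fail pre-sets the declared verdict and can only be overridden with a justification that is copied into an Integrity section, and that a human attestation never carries a tool reading. The control identifiers, declarant name, SBOM bytes and justification text are constructed sample input. One caveat the page's wording does not spell out: the digest proves nothing on its own if it travels only inside the artifact it covers; it is the copy recorded out of band, or signed by the declarant, that makes the bytes tamper-evident.

```python
"""Hypothetical conformance-pack gate and integrity freeze (example only, not Watchdog's code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# The four provenance labels the page lists; anything else is rejected.
PROVENANCE = {"tool-verified", "evidence-assisted", "ai-drafted-and-reviewed", "human-attestation"}


class GateError(ValueError):
    """Raised when a declaration would quietly pass a caught failure."""


@dataclass
class Control:
    control_id: str
    provenance: str
    measured: Optional[str]            # "pass" / "fail" from the tool, None if not automatable
    declared: Optional[str] = None     # the named declarant's verdict
    justification: Optional[str] = None

    def __post_init__(self) -> None:
        if self.provenance not in PROVENANCE:
            raise ValueError(f"unknown provenance {self.provenance!r}")
        # An organizational control is a human attestation: it must not carry a tool reading.
        if self.provenance == "human-attestation" and self.measured is not None:
            raise ValueError("human attestation cannot be dressed up as a measured result")
        if self.measured == "fail":
            self.declared = "fail"     # pre-set and locked until justified


def declare(control: Control, result: str, justification: Optional[str] = None) -> Control:
    """Apply the declarant's verdict, enforcing the failure gate."""
    if result not in ("pass", "fail"):
        raise ValueError("result must be 'pass' or 'fail'")
    if control.measured == "fail" and result == "pass":
        if not (justification and justification.strip()):
            raise GateError(f"{control.control_id}: measured Fail; Pass needs a written justification")
        control.justification = justification.strip()
    control.declared = result
    return control


def evidence_ref(name: str, data: bytes) -> dict:
    """Reference an evidence file by its content hash (the referenced-with-a-hash case)."""
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}


def build_pack(declarant: str, controls: list, evidence: list) -> dict:
    """Assemble the pack; every override is reproduced in full in the Integrity section."""
    undeclared = [c.control_id for c in controls if c.declared is None]
    if undeclared:
        raise GateError(f"nothing is signed without a declaration: {undeclared}")
    overrides = [
        {"control": c.control_id, "measured": c.measured, "declared": c.declared,
         "justification": c.justification}
        for c in controls if c.measured == "fail" and c.declared == "pass"
    ]
    return {"declarant": declarant, "controls": [vars(c) for c in controls],
            "evidence": evidence, "integrity": {"overrides": overrides}}


def freeze(pack: dict) -> tuple:
    """Canonical bytes (sorted keys, no whitespace) and their SHA-256 hex digest."""
    data = json.dumps(pack, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return data, hashlib.sha256(data).hexdigest()


def verify(frozen: bytes, expected_sha256: str) -> bool:
    """Re-verify: recompute the digest and compare it with the copy recorded out of band."""
    return hmac.compare_digest(hashlib.sha256(frozen).hexdigest(), expected_sha256)


def demo() -> dict:
    sbom = b'{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}'  # constructed sample
    tool_ctl = Control("CTL-7", "tool-verified", measured="fail")            # hypothetical id
    org_ctl = Control("ORG-2", "human-attestation", measured=None)           # hypothetical id
    declare(org_ctl, "pass")
    try:
        declare(tool_ctl, "pass")                       # no justification: must be refused
        quiet_pass_blocked = False
    except GateError:
        quiet_pass_blocked = True
    declare(tool_ctl, "pass", "Accepted risk: affected endpoint is decommissioned (constructed text)")
    pack = build_pack("A. Declarant (constructed name)", [tool_ctl, org_ctl],
                      [evidence_ref("sbom.cdx.json", sbom)])
    frozen, digest = freeze(pack)
    tampered = json.loads(frozen)
    tampered["integrity"]["overrides"] = []             # someone scrubs the override trail
    tampered_bytes, _ = freeze(tampered)
    return {"quiet_pass_blocked": quiet_pass_blocked, "digest": digest,
            "overrides": len(pack["integrity"]["overrides"]),
            "verify_ok": verify(frozen, digest), "verify_tampered": verify(tampered_bytes, digest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Canonical serialisation is what makes the digest worth re-verifying: two tools that pretty-print the same pack differently would otherwise produce two different hashes for identical content. The gate is deliberately one-directional, a measured Pass can still be declared Fail without ceremony, only the Fail-to-Pass direction leaves a mandatory written trail.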
Ten frameworks, framed for the regulated buyer.
EU-regulated regimes first — then the engineering and supply-chain standards that feed them.
NIS2 · DORA · GDPR (technical)
The regimes with supervision and management accountability up front — measured slices, gated failures, and the declaration your organization actually owes.
SSDF · SLSA · OWASP ASVS · WCAG 2.2 · ISO 27001 · CRA · EN 301 549
The rest of the ten-framework catalog, each with the same three-way split: tool-evidenced, evidence-assisted, human attestation.
Self-assess free; sign paid. Working the controls costs nothing — signing and exporting the tamper-evident Conformance Pack is the paid activation.
Accessibility conformance — sign it here, and make it binding.
Watchdog measures accessibility readiness and never claims conformance — the signed declaration and the binding clause are the business artifacts, and they live here.
A named declarant signs the accessibility declaration.
The WCAG-EM self-assessment freezes into a tamper-evident ACR/VPAT — a SHA-256 you can re-verify, the evidence travelling inside it. It may honestly conclude "does not fully conform." Watchdog measures readiness; the conformance claim is the declarant's — we never certify.
Watchdog Accessible Web Delivery — Conformance
Bind it into an acceptance-criteria profile: the delivered web product is assessed for accessibility through the declared lens, with the result binding, and a current, signed accessibility conformance self-declaration must exist for the accepted run. Opt-in: the readiness-only profile stays readiness-only; it never claims conformance.
Stop filing conformance you can't evidence.
We measure; you declare; we never certify.