Accessibility Statement

All form inputs are correctly associated with their labels via htmlFor and id attributes. Screen readers can correctly announce field labels.

All icon-only buttons have aria-label attributes. Decorative icons are marked aria-hidden. Interactive elements have appropriate ARIA roles.

All error messages use role=alert and aria-live=assertive. Success states use aria-live=polite. Screen readers announce dynamic content changes.

All interactive elements have visible focus indicators using focus-visible:ring styles. Keyboard navigation is fully supported.

All form inputs have appropriate autocomplete attributes to assist users who rely on browser autofill or assistive technology.

Navigation, main, header, and footer landmarks are correctly used. Lists use ul/ol/li elements. Headings follow a logical hierarchy.

All pages declare lang=en on the html element, enabling screen readers to use the correct language profile.

All meaningful images have descriptive alt text. Decorative images and icons are marked with aria-hidden or empty alt attributes.

Modal dialogs use role=dialog, aria-modal, and aria-labelledby. Focus is managed correctly when modals open and close.

Primary text meets WCAG AA contrast ratios. Teal on navy achieves approximately 7.2:1. Body text on white achieves approximately 4.6:1.

Loading spinners have role=status and aria-label. Disabled buttons use aria-disabled in addition to the HTML disabled attribute.

Password requirement indicators use aria-live=polite and aria-label to announce whether each requirement is met as the user types.

A 'Skip to main content' link is not yet present on any page. Keyboard users must tab through the full header navigation on every page load. This will be added in Phase 2.

WCAG 2.4.1 Bypass Blocks — Level A

HaveIBeenPwned password checking is not available on our current infrastructure tier. This feature will be enabled when we upgrade to Supabase Pro at our first pilot customer.

WCAG 2.1 AA — Best Practice

Our Content Security Policy includes unsafe-inline in script-src due to Next.js development requirements. This will be reviewed and tightened in Phase 2 following Cloudflare Turnstile optimisation.

Security best practice

Cloudflare Turnstile and Supabase Auth UI components are third-party and may not fully conform to WCAG 2.1 AA. We have no control over their accessibility implementation.

WCAG 2.1 AA — Third party scope

Generated PDF evidence packages are not yet tagged for screen reader accessibility. Tagged PDFs require additional PDF generation configuration and will be addressed in Phase 2.

WCAG 1.3.1 Info and Relationships — Level A

Our accessibility improvements have been self-assessed. An independent audit by a WCAG specialist has not yet been conducted. This is planned alongside our CREST penetration test.

Best practice