# ComplianceCheckup.org — Full Reference

> ComplianceCheckup.org provides free automated privacy grades (A+ to F) and compliance checklists for 900+ SaaS tools and any website. This file contains the full methodology, scoring rubric, dimension descriptions, and grade interpretation guidance.

## What ComplianceCheckup does

ComplianceCheckup runs a headless Chromium browser against any website URL and captures privacy and compliance signals across 10 dimensions. Results are aggregated into a score from 0 to 100 and displayed as a letter grade from A+ to F. The tool also maintains a directory of pre-scanned grades for 900+ popular SaaS tools, updated nightly.

Important: grades are automated technical assessments. They are not legal compliance certifications. A passing grade does not mean a company is legally compliant with GDPR, HIPAA, or any other regulation. Consult a qualified attorney or Data Protection Officer for legal advice.

## Grade scale and thresholds

- A+ (90–100): Excellent privacy posture. All or nearly all technical checks pass.
- A (80–89): Good. Minor issues that should be addressed but no critical failures.
- B (70–79): Acceptable. Some notable gaps in cookie consent, headers, or documentation.
- C (60–69): Poor. Significant compliance gaps likely affecting real user privacy.
- D (50–59): Very poor. Multiple failing dimensions indicating systemic privacy issues.
- F (below 50): Critical failures. Fundamental privacy and compliance signals absent.

## The 10 compliance dimensions

### 1. Pre-consent tracking (weight: high)

Checks whether third-party JavaScript trackers (advertising pixels, analytics, session recording) fire before the user has interacted with a cookie consent banner. Under GDPR Article 6 and the ePrivacy Directive, non-essential tracking requires prior consent. Pre-consent tracking is one of the most common GDPR violations and carries significant enforcement risk.
Status: pass (no pre-consent trackers), partial (some trackers fire), fail (trackers fire freely before consent).

### 2. Cookie consent banner (weight: high)

Checks for a Consent Management Platform (CMP) on the site and verifies it offers a genuine "Reject All" path that is at least as prominent as "Accept All." Under GDPR Recital 32, consent must be freely given. Dark patterns that make rejection harder than acceptance are explicitly prohibited and have been fined by CNIL, the DPC, and other DPAs.

### 3. CCPA / CPRA signals (weight: medium)

Checks for a "Do Not Sell or Share My Personal Information" link as required by California law, Global Privacy Control (GPC) signal support, and adequate California-specific privacy policy disclosures. Relevant for any business serving California residents.

### 4. Accessibility — WCAG 2.2 (weight: medium)

Runs an automated axe-core scan for Web Content Accessibility Guidelines (WCAG) 2.2 violations at Level AA. Catches missing alt text, insufficient color contrast, missing form labels, keyboard navigation issues, and other programmatically detectable barriers. Note: automated scans catch approximately 30–40% of accessibility issues; manual testing is required for full compliance.

### 5. Security headers (weight: medium)

Checks HTTP response headers that protect users from common web attacks:

- HSTS (HTTP Strict Transport Security): forces HTTPS connections
- Content-Security-Policy (CSP): mitigates XSS attacks
- X-Content-Type-Options: prevents MIME sniffing
- X-Frame-Options: prevents clickjacking
- Permissions-Policy: controls browser feature access

Missing security headers are relevant to GDPR Article 32 (technical security measures).

### 6. Privacy policy (weight: medium)

Checks for the presence of a privacy policy, its approximate length (thin policies under 500 words score poorly), and whether it appears recently updated. Under GDPR Articles 13 and 14, controllers must provide specific disclosures to data subjects. A missing or skeletal privacy policy is a clear compliance signal.

### 7. Data Processing Agreement — DPA (weight: high)

Checks whether the vendor publicly provides a Data Processing Agreement (DPA) as required by GDPR Article 28 for processors. A DPA is mandatory before transferring personal data to a processor. Absence of a public DPA link does not necessarily mean no DPA is available, but it signals friction in the procurement process.

### 8. Sub-processors list (weight: low)

Checks for a public list of sub-processors (third parties the vendor shares personal data with). GDPR Article 28(2) requires processors to inform controllers of sub-processor changes. A public sub-processor page is a strong trust signal.

### 9. AI training disclosure (weight: low)

Checks whether the privacy policy or terms of service explicitly address whether user data is used to train AI or machine learning models. As AI training becomes a significant data processing activity, regulators and users increasingly expect explicit disclosure.

### 10. Hosting region (weight: low)

Checks for geographic data residency disclosure — whether the vendor publicly states where data is stored and processed. Relevant to GDPR Chapter V international data transfer restrictions and healthcare data sovereignty requirements.
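The security-header dimension (5 above) is the one check a site owner can reproduce locally from a single HTTP response. The following is an added example, not ComplianceCheckup's own scanner code; it evaluates the five headers the page lists over a constructed set of response headers. The pass/partial/fail thresholds and the HSTS `max-age` sanity check are assumptions for this example, since the page names only the three status values.

```python
"""Evaluate the five security headers from dimension 5 over a captured
HTTP response. Added example, not ComplianceCheckup's own code."""
from __future__ import annotations

# The five headers the page lists for dimension 5 (compared case-insensitively).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "permissions-policy",
)


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of an HSTS header; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_security_headers(headers: dict[str, str]) -> dict:
    """Return presence data and a pass/partial/fail status.

    Assumed rule: pass = all five present and none weak, fail = none present,
    partial = anything in between. An HSTS header with max-age <= 0 counts as
    weak because it does not actually force HTTPS.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    present = [h for h in REQUIRED_HEADERS if h in lower]
    missing = [h for h in REQUIRED_HEADERS if h not in lower]
    weak = []
    hsts = lower.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) <= 0:
        weak.append("strict-transport-security")
    if not present:
        status = "fail"
    elif missing or weak:
        status = "partial"
    else:
        status = "pass"
    return {"status": status, "present": present, "missing": missing, "weak": weak}


# Constructed sample responses (not real scan data).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "geolocation=(), camera=()",
}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=0", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, hdrs in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, check_security_headers(hdrs))
```

Presence is only a first-order signal: a CSP that sets `frame-ancestors` already covers clickjacking, so a site missing X-Frame-Options but carrying such a CSP is better protected than this presence-only check reports.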
## How to interpret grade pages

Each grade page at https://compliancecheckup.org/grade/[slug] contains:

- The automated privacy score and letter grade
- Pass / partial / fail status for each of the 10 dimensions with explanatory headlines
- Self-reported compliance claims: SOC 2 certification level, HIPAA BAA availability, PCI DSS compliance, as documented in the vendor's public trust center or documentation
- A link to the vendor's DPA if publicly available
- A link to the vendor's trust center if publicly available
- A structured FAQ answering common compliance questions about the specific tool
- The scan date

Self-reported claims are sourced from public documentation and have not been independently audited by ComplianceCheckup.

## Directory and coverage

The directory covers 900+ SaaS tools across categories including: project management, communication, analytics, CRM, email marketing, HR, finance, developer tools, AI/ML, and more.

Grade pages follow this URL pattern: https://compliancecheckup.org/grade/[slug]

The full list of grade page URLs is available at: https://compliancecheckup.org/api/sitemap-directory

Example grade pages:

- https://compliancecheckup.org/grade/notion — Notion privacy grade
- https://compliancecheckup.org/grade/hubspot — HubSpot privacy grade
- https://compliancecheckup.org/grade/salesforce — Salesforce privacy grade
- https://compliancecheckup.org/grade/google-analytics — Google Analytics privacy grade
- https://compliancecheckup.org/grade/slack — Slack privacy grade
- https://compliancecheckup.org/grade/zoom — Zoom privacy grade
- https://compliancecheckup.org/grade/openai — OpenAI privacy grade
- https://compliancecheckup.org/grade/stripe — Stripe privacy grade
- https://compliancecheckup.org/grade/mailchimp — Mailchimp privacy grade
- https://compliancecheckup.org/grade/microsoft-teams — Microsoft Teams privacy grade

## Compliance checklists

Interactive checklists with item-by-item source citations from official regulatory texts:

- GDPR checklist: https://compliancecheckup.org/gdpr-compliance-checklist
- HIPAA checklist: https://compliancecheckup.org/hipaa-compliance-checklist
- PCI DSS checklist: https://compliancecheckup.org/pci-dss-compliance-checklist
- SOC 2 checklist: https://compliancecheckup.org/soc2-compliance-checklist
- CCPA checklist: https://compliancecheckup.org/ccpa-compliance-checklist
- ADA / WCAG checklist: https://compliancecheckup.org/ada-website-compliance-checklist

## Limitations

- Automated scans detect technical signals, not legal compliance status
- Approximately 30–40% of accessibility issues are detectable by automated tools
- Privacy policies and trust center pages may update between scans
- Self-reported claims are not independently verified
- Some sites block headless browsers, which may affect scan accuracy
- The grade reflects the state of the homepage and primary domain; subdomains and app domains are not automatically included

## About

ComplianceCheckup.org is operated by Zeta Solutions. For questions, corrections, or data removal requests: https://compliancecheckup.org/contact