Trust

Evidence-first, scope-honest

AccessibleMadeFlexible is built for teams that need defensible accessibility operations: what was scanned, what failed, what changed, and what still needs human judgment.

  • What automation can and cannot do

    Automated checks surface many failures and regressions; they do not replace manual audit, assistive technology testing, or legal advice. We reinforce this in public docs and review workflows so that nothing implies deterministic “AI compliance.”

  • Public scans are intentionally bounded

    Instant scans sample a small number of pages with rate limits and expiry. They are for orientation and sharing signal—not a substitute for monitored coverage, history, exports, or private workspaces.

  • AI is optional and review-gated

    Draft assist and the in-app copilot call configured LLM providers (Anthropic or OpenAI) when keys are present and your plan allows it; otherwise remediation falls back to rule-based suggestions and copilot returns an explicit unavailable state. Usage is bounded by plan limits and requires human review before exports or remediation workflows advance.

  • Access and entitlements

    API keys, crawl limits, and paid surfaces are enforced on the server. Client UI is not a security boundary for billing or organization data.

  • Accounts, email, and rate limits

    Password reset and production signup verification require outbound SMTP configured by the operator. Abuse-sensitive paths use Redis-backed limits when Redis is healthy; if Redis is down, the app falls back to per-process windows (see detailed health and the in-app System page for live posture).

Evidence model and export posture

Procurement and operators should distinguish between stored operational data, review rationale, and externally shareable evidence.

| Surface | Stored data | Export posture |
|---|---|---|
| Scans and findings | Site/workspace metadata, findings, severities, and trend history. | Used in reports and dashboards with confidence labels. |
| Review operations | Review task status, reviewer notes, timestamps, and evidence linkage counts. | Operational evidence, exportable through org-scoped APIs. |
| Admin audit trail | Member/admin actions, entity references, and timestamps. | JSON/CSV org audit-log route for support, buyers, and internal governance. |
| Object storage evidence | Artifact storage mode depends on operator deployment configuration. | Environment-dependent. Confirm deployment posture during procurement review. |

Confidence labels used in product and exports

These labels are intentionally explicit so buyers can see what is machine detected, what is reviewed, and what is still uncertain.

| Label | Meaning | Export posture |
|---|---|---|
| Automated | Detected by scan automation; not manually reviewed yet. | Public-safe proof |
| Guided | Draft remediation guidance exists, but the change is not verified. | Public-safe proof |
| Reviewed | A human reviewed triage or recommendation quality. | Public-safe proof |
| Verified | A follow-up crawl confirms the issue condition changed as expected. | Public-safe proof |
| Assured | A managed-service or contractual lane accepted accountability for this scope. | Internal/contract-bound only |
| Stale | Evidence is older than policy tolerance and needs a fresh run. | Public-safe proof |
| Degraded | Platform dependencies are impaired, so coverage or automation is reduced. | Public-safe proof |
| Not comparable | Runs cannot be reliably compared (scope drift, failed run, or missing baseline). | Public-safe proof |
| Proof incomplete | Export exists but excludes required evidence lineage or review metadata. | Public-safe proof |

Procurement posture summary

  • Implemented: Organization-scoped access controls, audit logs, and server-side entitlement checks are implemented.
  • Environment dependent: Email verification, Redis-backed limits, and object storage behavior depend on deployment configuration.
  • Staged: Procurement extras such as custom SLA language and enterprise IAM controls are contract/operator scoped, not implied by default.

Procurement FAQ

Does AROS guarantee legal compliance?
No. The platform provides evidence, automation, and review workflow support. Legal/compliance determinations require qualified human review.
What data is persisted?
Workspace metadata, scan findings, remediation suggestions, review tasks, and audit events. Evidence storage mode depends on deployment object storage configuration.
What evidence can procurement teams request during evaluation?
Audit-log exports (JSON/CSV), reports with confidence labels, and review queue records with reviewer rationale. Operator-managed deployment settings determine infrastructure-specific artifacts.
Can teams export evidence?
Yes. Reports and audit-log export routes exist with organization-scoped access and permission checks.
Are SSO and directory sync available by default?
No. OIDC support is environment/operator-configured and SCIM remains staged in this build. Procurement commitments should reflect deployed configuration, not roadmap assumptions.

In-app trust and admin surfaces

Commitments by service lane

We only publish commitments that can be operationally bounded by plan or contract.

Free

  • Public sample only: Public scans are bounded and expire. They provide orientation, not ongoing assurance.
  • No response SLA: Community-grade support only; no guaranteed response window.

Starter

  • Private workspace continuity: Historical scans and findings remain available while subscription is active.
  • Re-scan after remediation: Teams can trigger verification scans after applying fixes, subject to plan scan limits.

Professional

  • Review lane visibility: Review queues and status trails distinguish automated signals from reviewed decisions.
  • Operational proof exports: Report exports include remediation state and timestamps suitable for buyer updates.

Enterprise

  • Contract-shaped commitments: Priority response windows and specialist review terms apply only when written into contract scope.
  • Managed assurance lane: Optional managed operations can include expert triage and verification cadence by SOW.

For data handling and security practices, see Security & privacy, Privacy overview, and Subprocessors. For integration paths, see API & integrations. For contact, see Support.