Compliance

Last updated: March 10, 2026

Our Commitment to Compliance

Adroyt is designed to help enterprise and mid-market organisations meet their regulatory obligations. We maintain a rigorous internal compliance programme and continuously adapt to evolving legal and regulatory requirements globally.

GDPR

Adroyt acts as a data processor for customer personal data under the EU General Data Protection Regulation. Our commitments include:

  • Lawful basis for all processing activities
  • Data Processing Agreement (DPA) available at adroyt.io/dpa
  • Standard Contractual Clauses (SCCs) for international transfers
  • Right to erasure and data portability support
  • 72-hour breach notification

SOC 2 Type II

Adroyt maintains a SOC 2 Type II report covering the Trust Service Criteria for Security, Availability, and Confidentiality. The report is available to enterprise customers under NDA. Contact us at [email protected] to request a copy.

CCPA / CPRA

Adroyt complies with the California Consumer Privacy Act and its amendments. We do not sell personal information to third parties. California residents may exercise their rights by contacting [email protected].

ISO 27001

Adroyt operates an information security management system (ISMS) aligned with ISO/IEC 27001:2022. Formal certification is currently in progress. We implement all mandatory controls and a majority of the optional controls from Annex A.

Accessibility

Adroyt is designed to be usable by everyone, including people with visual, auditory, motor, and cognitive disabilities. Our product targets WCAG 2.1 Level AA as a baseline, with Level AAA for colour contrast in our dark theme.

Standards we conform to

  • WCAG 2.1 AA — Web Content Accessibility Guidelines (W3C)
  • Section 508 — US Federal accessibility requirements
  • EN 301 549 — European accessibility standard

How we verify

Every dashboard release is audited against the top 20 customer-facing pages using an automated test suite that runs Axe DevTools, Lighthouse, keyboard-navigation, and focus-indicator checks. The suite is enforced on every pull request via CI. Our current baseline (captured 2026-04-11) is published under _bmad-output/implementation-artifacts/axe-baseline.md.

Screen reader support

Adroyt is tested against the two most common screen-reader / browser pairings:

  • NVDA with Mozilla Firefox
  • VoiceOver with Apple Safari

Three critical flows — authenticated login → risks review, creating a new risk, and interacting with the AI side panel — are walked through manually each quarter. The latest walkthroughs are archived under _bmad-output/implementation-artifacts/.

Keyboard navigation

Every interactive element in Adroyt is reachable using only the keyboard. Tab order follows the visible reading order, focus indicators are always visible (we use the shadcn focus-visible ring with outline-offset: 2px), and modals return focus to the triggering element on close. The AI side panel is fully inert when closed so it does not leak focusable children into the tab order.

Contrast

All foreground/background pairings meet WCAG AA contrast ratios (4.5:1 for body text, 3:1 for UI components and large text) in both the dark and light themes. Muted body text clears 7:1 for headroom.

Known limitations

  • Gantt charts and complex data visualisations have limited screen reader support — we provide equivalent tabular data views as a fallback. Work to expose Gantt bar semantics via aria-label is tracked in Epic 9.
  • Custom drag-and-drop interactions in the Kanban board do not currently expose a keyboard-only alternative. A keyboard DnD pattern is planned for Epic 10.

Reporting an accessibility issue

If you encounter an accessibility barrier, please email [email protected]. We aim to respond within two business days and, for WCAG-level failures, ship a fix in the next release cycle.

Data Residency

Enterprise customers can request dedicated data residency in the EU (Ireland/Frankfurt) or US (Virginia/Oregon). Contact our sales team to discuss data residency requirements for your organisation.

Contact

For compliance documentation, audit reports, or questionnaires, contact: [email protected]

Contact our Compliance Team

For questions or concerns about this policy:

[email protected]