How We Scan
Full transparency about how ResilienceOS analyzes public checkout pages for accessibility compliance. We believe you should know exactly what happens when you run a scan.
What We Scan
We scan publicly accessible checkout and payment pages only — the same pages any customer would see when making a purchase. We focus specifically on the payment flow because cross-origin iframes (Stripe Elements, PayPal, Adyen Drop-in) are invisible to every other automated accessibility scanner.
How We Scan
Our scanner uses a headless browser to load your checkout page exactly as a real customer would. It then runs axe-core accessibility checks, custom WCAG 2.2 heuristics, and payment provider detection. This is functionally identical to a human visiting your page with a browser — no exploits, no automation bypasses.
What We Collect
We extract page structure (DOM), WCAG accessibility violations, payment provider identification, and compliance signals. All query parameters and personally identifiable information (PII) are stripped from URLs before processing. We log only the protocol and hostname for debugging — never the full URL path.
Caching Policy
Audit results are cached by domain for 30 days. This means repeat scans of the same domain return instant results without re-visiting your site. Cached results include a timestamp so you know when the scan was performed. You can force a fresh re-scan at any time, which replaces the cached entry.
What We Never Do
- Submit forms or enter data into fields
- Attempt logins or access authenticated pages
- Extract personal data, emails, or phone numbers
- Inject cookies, scripts, or tracking pixels
- Test credentials or attempt authentication bypasses
- Store raw page screenshots (analysis is ephemeral)
- Share or sell scan data to third parties
Rate Limiting
We enforce rate limits to prevent abuse and minimize traffic to scanned sites. Each domain is limited to one concurrent scan. Cached results are served for repeat requests within the 30-day window. Our scanner identifies itself via standard HTTP headers and respects robots.txt directives.
Last updated: March 2026 · Questions? hello@sustainable207.com