Government Compliance

How CivicLoop County OS aligns with the standards a U.S. county is held to. The healthcare analogue (HIPAA/WHO) does not apply; the obligations below do.

Accessibility - Section 508 / WCAG 2.1 AA / ADA Title II

• Semantic HTML, keyboard-operable controls, aria-* on icon-only buttons, visible focus, color-contrast tokens, and prefers-color-scheme support.
• The platform targets WCAG 2.1 AA. A VPAT can be produced for procurement.
• ADA Title II web-content rule: the resident-facing 311 flow and public portals are the priority surfaces and are built mobile-first and screen-reader friendly.

Language access

• Full English + Spanish across every surface, including server-action error messages, so limited-English-proficiency residents are not dropped to English. Additional languages are additive (one message file per locale).

Open data / interoperability - Open311

• GeoReport v2 (Open311) endpoints in both directions: services list/detail and requests GET/POST, with api_key gating and .json extension fallback. Other systems can integrate without lock-in.
• The public transparency + spending portals publish live, machine-readable aggregates (CSV export).

Public records / transparency

• Public pages expose public-record aggregates only and never resident PII (see DATA_PRIVACY.md).
• Every module and portal prints to a branded PDF for records requests and council packets.

Security baseline - NIST 800-53 aligned

• Access control (RBAC + RLS), audit (automation runs/flags, Sentry), encryption in transit + at rest, least privilege (service role only server-side), and incident response (runbook + rollback). See TRUST_AND_SECURITY.md.

Procurement transparency

• Vendor registry, supplier-diversity (MBE/WBE/Veteran) reporting, and certified-spend percentage are first-class in the Procurement module and on the public spending portal.

Records retention

• County retention schedules vary by record type; data is retained per the County's schedule and removed on request where lawful. Nothing is hard-deleted silently by automation (the janitor only closes past-deadline opportunities and flags duplicates for human review).