Compliance Score: a beginner's guide
Global compliance score from 12 weighted factors
The single compliance grade (and what goes into it)
A compliance grade is a single composite number (or A-to-F letter) that summarizes everything an automated audit found about a website's compliance posture across accessibility, privacy, internationalization, and (where applicable) industry-specific requirements. Instead of asking a non-technical stakeholder to read four separate technical reports — WCAG accessibility, GDPR privacy, CCPA disclosures, EAA conformance, hreflang structure — you give them a single grade and a one-paragraph executive summary. The grade rolls up the same underlying signals that any compliance consultant would look at, but in a form that lands in a board meeting.
You should care because compliance is one of those areas where the technical detail is so dense that nobody outside the compliance team actually reads the reports. A founder, a CMO, or a board member doesn't need to know the difference between WCAG 2.1 AA and WCAG 2.2 AA — they need to know whether compliance is a problem worth investing in this quarter. A single letter grade, computed transparently from a defined methodology, is the bridge between the technical detail and the strategic decision. As a bonus, the grade gives you a number to track over time, which makes the impact of remediation work visible in a way that abstract "we improved a few things" updates do not.
The four categories every compliance grade rolls up:
Accessibility. WCAG 2.2 AA conformance: color contrast, alt text, keyboard navigation, heading hierarchy, form labels, ARIA landmarks, skip links, focus indicators.
Privacy. GDPR and CCPA hygiene: cookie banner quality, third-party tracker inventory, privacy policy presence, data subject rights mechanisms, cookies before consent.
Internationalization. Multi-language support: hreflang tags, URL structure, language declarations, character encoding, currency and date formatting.
Legal page completeness. Are the standard required pages (privacy policy, terms of service, cookie policy, accessibility statement) present, linked, and current?
Each category gets weighted (accessibility usually carries the most weight because of the legal exposure; internationalization is sometimes excluded for single-market sites) and the weighted average becomes the overall grade.
Three questions a single compliance grade answers:
At a glance, is our compliance posture getting better or worse over time?
Which of the categories is the biggest risk right now, so I know where to focus engineering and legal effort?
For a board update, can I summarize all of this in one number?
The cost of not having a single grade is the slow accumulation of detailed reports that nobody on the leadership team actually reads. The fix is to roll up the existing detail into one number and one letter, computed the same way every time, and tracked on a recurring schedule. This is the difference between compliance being a black box and compliance being a measurable, accountable line item in the legal and engineering budgets.
The Compliance Score endpoint, in plain language
In one sentence: Global compliance score from 12 weighted factors
Calculates a composite compliance score (0-100) from 12 weighted components: cookie consent mechanism (16%), privacy policy presence and quality (15%), GDPR (General Data Protection Regulation) compliance signals (14%), terms of service (8%), CCPA/CPRA compliance (8%), security disclosure via a security.txt file (8%), contact/DPO information (8%), accessibility statement (6%), technical accessibility (5%), children's data protection (4%), cookie technical compliance (4%), and multi-state US privacy (4%). The weights sum to 100, so each percentage is also the maximum number of points that component can contribute. Returns a letter grade (A+ to F), a detailed breakdown with per-component findings, and actionable recommendations for improving compliance posture across GDPR, CCPA (California Consumer Privacy Act), the EU ePrivacy Directive, and accessibility requirements.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Fetches the domain's main page and up to five sub-pages (privacy policy, terms, accessibility statement, contact, CCPA opt-out) plus /.well-known/security.txt.
Detects consent management platforms (OneTrust, CookieBot, Quantcast, etc.), IAB TCF v2 API (Application Programming Interface) signals, and granular consent options.
Analyzes privacy policy content for GDPR terms (data rights, legal basis, DPO (Data Protection Officer), consent withdrawal, transfer mechanisms) and CCPA terms (California disclosures, right to know/delete).
Parses security.txt per RFC 9116 and checks for its required fields (Contact and Expires) and recommended extras (Policy, PGP signature).
Detects an accessibility statement and any WCAG (Web Content Accessibility Guidelines) level it references.
Checks contact pages for a physical address, email, and impressum.
Evaluates technical accessibility via an automated audit, children's data protection (COPPA (Children's Online Privacy Protection Act) notice, age gates), cookie security attributes, and multi-state US privacy signals (GPC (Global Privacy Control), universal opt-out, AI disclosure).
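The security.txt step above is the one piece of this audit you can reproduce exactly, because RFC 9116 spells out the rules: Contact and Expires are mandatory, Expires (and Preferred-Languages) may appear only once, Contact values must be URIs (mailto:, tel:, https:), the Expires timestamp must not be in the past, and the file may be wrapped in an OpenPGP cleartext signature. The checker below is an added example written for this guide, not EdgeDNS code; the two sample files are constructed, the fixed reference date makes the run reproducible, and the split of the component's 8 points (3 for a usable Contact, 3 for a valid Expires, 1 for Policy, 1 for a signature) is an assumption, since the page only states the total.

```python
"""Parse and sanity-check a security.txt file against the RFC 9116 rules.

Added example for this guide, not EdgeDNS code. The point split below
(3 Contact, 3 Expires, 1 Policy, 1 signature = 8) is an assumption; the
page only says the component is worth 8 points.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "tel:", "https://")      # RFC 9116 section 2.5.3
SINGLETON_FIELDS = ("expires", "preferred-languages")  # MUST appear at most once
# Fixed "now" so the checks are reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed sample: a cleartext-signed file that follows the RFC.
SAMPLE_SIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Vulnerability disclosure contacts (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-bug
Expires: 2026-12-31T23:59:59Z
Policy: https://example.com/.well-known/disclosure-policy
Preferred-Languages: en, de
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAd...placeholder, not a real signature...
-----END PGP SIGNATURE-----
"""
# Constructed sample with three defects: bare e-mail address instead of a
# mailto: URI, duplicated Expires, and an Expires date in the past.
SAMPLE_BROKEN = """\
Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Expires: 2024-06-01T00:00:00Z
"""


def strip_cleartext_signature(text: str) -> tuple[str, bool]:
    """Return (body, signed). Only the armor framing is recognised; verifying
    the signature needs an OpenPGP implementation and the publisher's key."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text, False
    head = text.partition("-----BEGIN PGP SIGNATURE-----")[0]
    body = head.split("\n\n", 1)[1] if "\n\n" in head else ""  # skip "Hash:" armor headers
    # Undo RFC 4880 dash-escaping of body lines that begin with "-".
    body = "\n".join(l[2:] if l.startswith("- ") else l for l in body.splitlines())
    return body, True


def parse_fields(body: str) -> tuple[dict[str, list[str]], list[str]]:
    """Collect 'Name: value' lines (names are case-insensitive); skip comments."""
    fields: dict[str, list[str]] = {}
    errors: list[str] = []
    for n, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            errors.append(f"line {n}: not a 'Name: value' field")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def check_security_txt(text: str, now: datetime = REFERENCE_NOW) -> dict:
    body, signed = strip_cleartext_signature(text)
    fields, errors = parse_fields(body)
    warnings: list[str] = []
    points = 0

    contacts = fields.get("contact", [])
    usable = [c for c in contacts if c.lower().startswith(CONTACT_SCHEMES)]
    if not contacts:
        errors.append("Contact is required but missing")
    elif len(usable) < len(contacts):
        errors.append(f"Contact must be a mailto:, tel: or https: URI: {[c for c in contacts if c not in usable]}")
    if usable:
        points += 3  # assumed split

    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must appear at most once")

    expires = fields.get("expires", [])
    expires_ok = False
    if not expires:
        errors.append("Expires is required but missing")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                errors.append("Expires must include a timezone offset")
            elif when <= now:
                errors.append(f"file expired on {when.isoformat()}")
            else:
                expires_ok = True
                if when - now > timedelta(days=365):
                    warnings.append("Expires is more than a year away; RFC 9116 recommends less")
    if expires_ok and len(expires) == 1:
        points += 3  # assumed split
    if fields.get("policy"):
        points += 1  # assumed split
    if signed:
        points += 1  # assumed split
    return {"signed": signed, "fields": fields, "errors": errors, "warnings": warnings,
            "points": points, "max": 8, "valid": not errors}


if __name__ == "__main__":
    for label, sample in (("signed", SAMPLE_SIGNED), ("broken", SAMPLE_BROKEN)):
        r = check_security_txt(sample)
        print(f"{label}: {r['points']}/{r['max']} valid={r['valid']} errors={r['errors']}")
```

Run it against your own /.well-known/security.txt before the audit does: the broken sample fails on all three of its defects, while the signed sample scores the full 8. Note that detecting the PGP armor is not the same as verifying it; an attacker who can write the file can also wrap it in a bogus signature, so a real check fetches the publisher's key and verifies with an OpenPGP library.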
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Compliance Score tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Global privacy regulations (GDPR (General Data Protection Regulation), CCPA/CPRA, and the EU ePrivacy Directive) require specific disclosures, consent mechanisms, and contact information. A single compliance score lets you audit your own domains, track improvements over time, and demonstrate compliance readiness to stakeholders. The component breakdown identifies exactly which compliance areas need attention.
Picture this in real life. Imagine a legal / compliance team about to launch into a new market (the EU, California). They want to run a compliance score check on their own domain first and find missing privacy policy sections, an absent cookie consent banner, or a missing security.txt file before regulatory exposure increases. Without the right tool, that team would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Compliance Score tool, the same team gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Compliance Score tool is built for you:
Does my website meet the legal requirements (accessibility, privacy, international standards)?
If a regulator audited my site tomorrow, what would they find?
Where are the gaps I should fix before they become an expensive problem?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Legal and compliance teams, accessibility officers, data-protection officers, and product managers shipping into regulated markets. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you discover the violation when a regulator, a lawyer, or an angry customer finds it for you. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the pro plan. The technical details: `GET /v1/score/compliance`.
When would I actually use this?
If you're still on the fence about whether the Compliance Score tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a legal / compliance team, a privacy engineer / DPO, and a third-party risk manager — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Self-Audit Before Launch
Imagine you're a legal / compliance team. Run a compliance score check on your own domain before launching to new markets (EU, California). Identify missing privacy policy sections, absent cookie consent, or a missing security.txt file before regulatory exposure increases.
Why it matters: Catch compliance gaps before regulators or users flag them — avoid fines and reputational damage.
Story 2: Continuous Compliance Monitoring
Imagine you're a privacy engineer / DPO. Schedule periodic compliance score checks via domain monitoring subscriptions. Get alerted when score drops — for example, when a CMS (Content Management System) update removes the cookie consent banner or a deploy breaks the privacy policy page.
Why it matters: Detect compliance regressions immediately rather than during the next manual audit.
Story 3: Vendor Privacy Assessment
Imagine you're a third-party risk manager. Score vendor and partner domains for compliance signals as part of due diligence. A vendor without a privacy policy, cookie consent, or a security.txt file may pose data handling risks to your organization.
Why it matters: Quantify vendor compliance posture with a single metric for risk assessments and procurement decisions.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Compliance Score tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Before launching into a new region (especially the EU, the UK, California, or Canada).
During a quarterly compliance review.
When a customer or partner sends you a security questionnaire.
In response to a complaint, audit notice, or legal threat.
If you can see yourself in even one of those bullets, the Compliance Score tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Compliance Score tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Compliance Score tool to check edgedns.dev and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/score/compliance?domain=edgedns.dev"
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
domain | string | Yes | The domain to calculate compliance score for (e.g., example.com) | edgedns.dev |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
domain | string | The scored domain |
score | number | Composite compliance score 0-100 (weighted sum of 12 components) |
grade | string | Letter grade: A+ (95-100), A (85-94), B (70-84), C (50-69), D (30-49), F (0-29) |
gradeDescription | string | Human-readable grade description (e.g., "Good - adequate with room for improvement") |
breakdown | object | Per-component scores with score, max, and details for each of the 12 compliance factors |
breakdown.cookieConsent | object | Cookie consent mechanism: CMP detection, IAB TCF, granular options, reject-all (max 16 pts) |
breakdown.privacyPolicy | object | Privacy policy presence, word count, GDPR/CCPA terms, contact info (max 15 pts) |
breakdown.gdpr | object | GDPR (General Data Protection Regulation) signals: data rights, legal basis, DPO (Data Protection Officer), consent withdrawal, transfer mechanism (max 14 pts) |
breakdown.termsOfService | object | Terms of service presence and document quality (max 8 pts) |
breakdown.ccpa | object | CCPA/CPRA: Do Not Sell link, opt-out, California disclosures (max 8 pts) |
breakdown.securityDisclosure | object | security.txt file per RFC 9116: Contact, Expires, Policy, PGP signing (max 8 pts) |
breakdown.contactInfo | object | Contact page, physical address, email, impressum (max 8 pts) |
breakdown.accessibilityStatement | object | Accessibility statement with WCAG (Web Content Accessibility Guidelines) level and contact info (max 6 pts) |
breakdown.technicalAccessibility | object | Technical accessibility from automated WCAG (Web Content Accessibility Guidelines) audit score (max 5 pts) |
breakdown.childrenProtection | object | Children's data protection: COPPA (Children's Online Privacy Protection Act) notice, age gate, parental consent (max 4 pts) |
breakdown.cookieTechnical | object | Cookie security: Secure flag, SameSite, third-party count, cookie wall penalty (max 4 pts) |
breakdown.multiStatePrivacy | object | Multi-state US privacy: GPC (Global Privacy Control) support, universal opt-out, state references, AI disclosure (max 4 pts) |
recommendations | array | Prioritized list of actionable compliance improvements |
componentCount | number | Number of compliance components evaluated (12) |
partialFailure | boolean | Whether any page fetches failed (score may be incomplete) |
confidence | object | Result confidence indicator: level (high/medium/low) and limitations list |
discoveryMetadata | object | URL (web address) discovery debugging metadata: urlsDiscovered (per-type), cmsDetected (platform or null), sitemapFound (boolean) |
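Once the JSON is in hand, the three questions from the top of the page (is it getting better, what is the biggest risk, what is the one number) are a few lines of code. The script below is an added example written for this guide, not EdgeDNS client code. It uses only the field names from the response table above and the weights and grade bands stated on this page; the sample response is constructed, the shape of each component's `details` is not specified on the page so nothing depends on it, and the 5-point alert threshold for monitoring is an assumption. It fetches with the same request as the curl example, checks that the numbers in a response agree with each other (maxima sum to 100, component scores add up to `score`, `grade` matches the band), ranks components by points lost, and diffs two runs so a scheduled job can alert on a regression.

```python
"""Consume a Compliance Score response: fetch, sanity-check, rank gaps, diff runs.

Added example for this guide, not EdgeDNS client code. Field names follow the
response table on the page; the sample payload is constructed; the alert
threshold is an assumption.
"""
from __future__ import annotations

import copy
import json
import urllib.parse
import urllib.request

API = "https://api.edgedns.dev/v1/score/compliance"
# Grade bands from the response table: (lower bound, letter), highest first.
GRADE_BANDS = ((95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F"))
# Component weights from the endpoint description; they sum to 100.
MAX_POINTS = {
    "cookieConsent": 16, "privacyPolicy": 15, "gdpr": 14, "termsOfService": 8,
    "ccpa": 8, "securityDisclosure": 8, "contactInfo": 8, "accessibilityStatement": 6,
    "technicalAccessibility": 5, "childrenProtection": 4, "cookieTechnical": 4,
    "multiStatePrivacy": 4,
}
# Constructed sample: a mid-table site with no security.txt and no accessibility
# statement. The component scores sum to 60, which the bands above make a C.
SAMPLE_SCORES = {
    "cookieConsent": 10, "privacyPolicy": 12, "gdpr": 9, "termsOfService": 8,
    "ccpa": 4, "securityDisclosure": 0, "contactInfo": 6, "accessibilityStatement": 0,
    "technicalAccessibility": 4, "childrenProtection": 4, "cookieTechnical": 2,
    "multiStatePrivacy": 1,
}
SAMPLE_RESPONSE = {
    "domain": "example.com", "score": 60, "grade": "C",
    "breakdown": {k: {"score": v, "max": MAX_POINTS[k], "details": {}} for k, v in SAMPLE_SCORES.items()},
    "recommendations": ["Publish /.well-known/security.txt", "Add an accessibility statement"],
    "componentCount": 12, "partialFailure": False,
    "confidence": {"level": "high", "limitations": []},
}


def fetch_compliance_score(domain: str, api_key: str) -> dict:
    """The same request as the curl example, via the standard library (not run offline)."""
    url = API + "?" + urllib.parse.urlencode({"domain": domain})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def grade_for(score: float) -> str:
    """Map a 0-100 score to the letter bands in the response table."""
    return next((letter for floor, letter in GRADE_BANDS if score >= floor), "F")


def audit(payload: dict) -> dict:
    """Check that the payload's numbers agree with each other and rank the gaps."""
    issues: list[str] = []
    comps = payload["breakdown"]
    if payload.get("componentCount") != len(comps) or len(comps) != 12:
        issues.append(f"expected 12 components, got {len(comps)}")
    if sum(c["max"] for c in comps.values()) != 100:
        issues.append("component maxima do not sum to 100")
    if abs(sum(c["score"] for c in comps.values()) - payload["score"]) > 1:
        issues.append("component scores do not add up to the composite score")
    if grade_for(payload["score"]) != payload["grade"]:
        issues.append(f"grade {payload['grade']} does not match score {payload['score']}")
    if payload.get("partialFailure") or payload.get("confidence", {}).get("level") == "low":
        issues.append("partial fetch or low confidence: do not record this run as a baseline")
    # Biggest risk first: most points lost, then heaviest weight, then name.
    ranked = sorted(((c["max"] - c["score"], c["max"], name) for name, c in comps.items()),
                    key=lambda t: (-t[0], -t[1], t[2]))
    return {"ok": not issues, "issues": issues,
            "worst": [(name, lost, mx) for lost, mx, name in ranked if lost > 0]}


def regressions(previous: dict, current: dict, min_drop: int = 5) -> dict:
    """For scheduled monitoring: which components lost points, and is the drop alertable?"""
    drops = {n: previous["breakdown"][n]["score"] - c["score"]
             for n, c in current["breakdown"].items()
             if n in previous["breakdown"] and c["score"] < previous["breakdown"][n]["score"]}
    total = previous["score"] - current["score"]
    return {"alert": total >= min_drop, "score_drop": total, "components": drops}


def simulate_banner_removed(payload: dict) -> dict:
    """Constructed follow-up run: a CMS update dropped the consent banner entirely."""
    after = copy.deepcopy(payload)
    after["breakdown"]["cookieConsent"]["score"] = 0
    after["score"] -= payload["breakdown"]["cookieConsent"]["score"]
    after["grade"] = grade_for(after["score"])
    return after


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    print("consistent:", report["ok"], "top gaps:", report["worst"][:3])
    print(regressions(SAMPLE_RESPONSE, simulate_banner_removed(SAMPLE_RESPONSE)))
```

Two design points worth keeping when you adapt this: treat a `partialFailure` or low-confidence run as unusable for trend lines rather than silently storing a lower number, and diff per component, not just the headline score, because a 10-point drop that is entirely `cookieConsent` points at a broken banner while the same drop spread across six components usually means the crawler could not reach the site.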
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
WCAG (Web Content Accessibility Guidelines) — The international standard for making websites usable by people with disabilities. Required by law in many countries.
GDPR (General Data Protection Regulation) — Europe's privacy law. Requires websites to be transparent about what personal data they collect and how they use it.
CCPA (California Consumer Privacy Act) — California's privacy law. Gives California residents the right to know what personal data a company has collected about them.
CMS (Content Management System) — Software that lets non-technical people publish web pages without writing code. WordPress, Webflow, and Ghost are popular examples.
security.txt — A small text file at /.well-known/security.txt on your website that tells security researchers how to report vulnerabilities to you. Standardized by RFC 9116, which requires at least a Contact and an Expires field.
CPRA (California Privacy Rights Act) — An update to California's CCPA privacy law that adds new rights for residents and creates a dedicated privacy regulator. Took effect in 2023.
COPPA (Children's Online Privacy Protection Act) — A US law requiring websites to get verified parental consent before collecting personal information from children under 13.
DPO (Data Protection Officer) — A person designated inside a company to oversee its compliance with privacy laws like GDPR. Required for many organizations that handle large amounts of personal data.
GPC (Global Privacy Control) — A browser signal that tells websites 'do not sell or share my personal information.' Recognized as a valid opt-out by California and several other states.
ePrivacy Directive — An EU privacy law specifically about electronic communications and tracking technologies like cookies. The reason every European website asks you to accept cookies.
RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.