Compliance & vendor review

Embeddable Widget Due-Diligence Kit

Accessibility, privacy, and security reference for compliance and vendor-review teams evaluating The Charge Port's embeddable EV widgets.

Prepared byThe Charge Port
Document dateJuly 2026
Version1.0

This kit is written for the people who have to sign off on a new vendor: risk, privacy, security, and accessibility reviewers. It is meant to be forwarded and read on its own. Every statement below describes how the product is actually built and operated; where something is a commitment or a design intent rather than a completed, independently verified fact, we say so plainly.

What the widgets are

The Charge Port licenses its verified EV datasets as small, drop-in widgets that a partner embeds on its own website with a single line of HTML (an <iframe>, plus an optional resize script). Live widgets today include a NACS charging-compatibility checker, a cold-weather range estimator, a charging-time calculator, and a cost-to-charge calculator.

Across all of them, the model is deliberately narrow:

  • They present reference information and run calculations in the visitor's browser.
  • They ask the visitor for nothing that identifies them — no name, email, login, or account.
  • They run inside a cross-origin iframe, walled off from the host page by the browser.
  • Nothing is installed on the partner's site and nothing runs on the partner's servers.
1

Accessibility Statement

The Charge Port is committed to building and maintaining every embeddable widget to conform to the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA. Accessibility is treated as a build requirement and an ongoing remediation obligation, not a one-time checkbox.

What that means concretely for these widgets

  • Labeled controls. Every input, select, and interactive control has a programmatic label, so assistive technology announces what each field is for.
  • Announced results. When a calculation updates, the result is exposed through an ARIA live region so screen-reader users hear the new value without having to hunt for it.
  • Contrast in both themes. Text and meaningful UI are designed to meet the WCAG AA contrast targets (4.5:1 for normal text, 3:1 for large text and interface components) in both the light and the dark theme.
  • Keyboard operability. Every function can be reached and operated with the keyboard alone, in a logical order, with a visible focus indicator — no mouse or touch required.
  • Adequate target size. Interactive targets are sized to at least 44 × 44 CSS pixels so they are usable by people with limited dexterity and on touch devices.
  • Robust structure. Semantic headings and markup, a sensible reading order, and text that reflows and remains legible when zoomed or resized.

Honest disclosure — conformance status

Conformance is currently self-assessed against WCAG 2.1 AA by The Charge Port. We have not yet commissioned a third-party accessibility audit, and we do not yet publish a formal VPAT (Voluntary Product Accessibility Template) or ACR (Accessibility Conformance Report). We intend to obtain an independent evaluation as the product matures; an interim self-assessment summary is available on request.

We describe here the standard we build and remediate to. Where a review or a user report surfaces a barrier that falls short of that standard, we treat fixing it as a priority rather than defending the gap.

Reporting an accessibility issue

If you or one of your users encounters an accessibility barrier in any Charge Port widget, please contact contact@thechargeport.com. We aim to acknowledge accessibility reports within one business day and to work with you on a remediation path.

2

Privacy Attestation

The widgets are designed to be privacy-preserving by default. They are built so that a partner can embed them without taking on new obligations for their visitors' personal data.

What we collect from your visitors

  • No personal information. The widgets ask for nothing that identifies a person — no name, email address, phone number, login, or account. Calculations run in the visitor's browser against data compiled into the widget.
  • No cookies. The widgets set no cookies on the host site's visitors and write nothing to the browser's local or session storage.
  • No visitor data stored. No record about the host site's visitors is created or retained. The widgets keep no visitor profiles.

The only telemetry

The widgets are instrumented to emit only anonymous, aggregate usage counts — how often a widget is viewed or interacted with — associated with the partner's license key. These counts are used solely to produce that partner's own usage and engagement reports. No usage event carries anything that identifies an individual visitor.

What we never do

  • We do not sell data. Visitor or usage data is never sold.
  • We do not share with third parties beyond the single analytics sub-processor that tallies the anonymous usage counts (named in Section 3). No one else receives any data from the widgets.
  • No advertising. No visitor data crosses into advertising, ad-targeting, or ad-measurement systems. The widgets carry no advertising and set no advertising identifiers.

Positioning note for financial institutions

Because the widgets collect no nonpublic personal information (NPI) or personally identifiable information (PII), the embed is designed to remain outside the scope of the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P. There is no consumer financial information flowing through the widget for those rules to attach to.

This is a statement of design intent, not legal advice. We recommend your own compliance team or counsel confirm how it applies to your specific deployment and program.

3

Security Overview

The security posture follows from the architecture: because the widgets are static, isolated, and hold no data, most of the risks a vendor review looks for are removed by design rather than mitigated after the fact.

Architecture
Each widget is a static, server-rendered page — pre-built HTML and JavaScript with its data baked in at build time. There is no application server processing visitor input at request time, no database, and no visitor-facing API. It is delivered to your page inside a cross-origin iframe, which the browser isolates from the host page under the same-origin policy: the widget cannot read your page's DOM, cookies, storage, or systems, and your page cannot read the widget's. Hosts may additionally apply the iframe sandbox attribute for defense in depth. Nothing is installed on your site — integration is a single <iframe> tag, plus an optional resize script.
Delivery
HTTPS only, served from a global edge CDN (Vercel). Traffic between the visitor's browser and the widget is encrypted in transit.
Data storage
None. The widgets are stateless — they hold no visitor data at rest because they collect none. There is no data store to breach, export, or misconfigure.
Update model
Data refreshes and fixes are deployed centrally by The Charge Port. Because each widget loads live from our CDN, you always receive the current version automatically. You never patch, update, or maintain anything, and there is no third-party package for you to keep current on your side.
Cancellation
Billing is month-to-month (annual optional). On cancellation the widget keeps functioning through the end of the term you have already paid for. After that it switches to a preview state — still rendered, with a license notice, never a broken or blank section on your page. Removal is deleting one line of HTML; there is no data to migrate or export because none is stored.

Sub-processors

These are the only third parties involved in operating the widgets. No other party receives data.

Sub-processorRoleData it handles
Vercel Inc. Hosting & global content delivery (edge CDN) Serves the static widget files over HTTPS. Handles standard request delivery; no widget data store.
Vercel Web Analytics (Vercel Inc.) Anonymous, aggregate usage counts Receives only the anonymous widget-usage events described in Section 2. Cookieless by design (no cookies, no persistent identifiers); sessions are discarded within 24 hours. The same vendor as hosting — no additional third party is involved.

Security contact & incident response

Report a suspected security issue to contact@thechargeport.com. We commit to acknowledging security reports within one business day and to keeping affected partners informed through resolution.

Questions or a deeper review?

We are glad to answer follow-up questions from your risk, privacy, security, or accessibility teams, and to provide the interim materials referenced above (self-assessment summary, architecture detail) on request.

This document describes The Charge Port's embeddable-widget product as of the date above and is provided for your evaluation. It reflects the product's design and current operation; statements noted as commitments or design intent are identified as such. It is not legal advice. The Charge Port is an independent publisher and is not affiliated with any vehicle manufacturer, charging network, or government agency.

Prepared for prospective partners — distribute freely within your organization.