09 - Security, Privacy & Accessibility
CivicLoop by Ta-Tech Solutions
Purpose: The compliance spine. Accessibility, data residency,
security controls, privacy, and the County's own Language Access
obligation. This is the document that decides whether CivicLoop is
allowed in the room - in government procurement, failures here are
disqualifiers, not deductions.
1. Accessibility - Section 508 / ADA / WCAG 2.1 AA
The requirement. Section 508 of the Rehabilitation Act applies to
information and communication technology that government procures,
develops, or uses. The Revised 508 Standards are harmonized to WCAG
Level AA; County panels increasingly expect WCAG 2.1 AA
specifically. Non-conformance is frequently an automatic
disqualifier, and procurement language (FAR Subpart 39.2, 36 CFR Part
1194) typically requires the vendor to supply a VPAT / Accessibility
Conformance Report.
What CivicLoop does.
- Built to WCAG 2.1 AA from the first commit, not retrofitted:
full keyboard navigation, screen-reader labelling on every
interactive element, sufficient color contrast, visible focus
states, no information conveyed by color alone, captions/transcripts
for any audio, respects reduced-motion and text-scaling preferences.
- The voice intake channel is itself an accessibility feature -
a resident who cannot or does not type can file a request by
speaking. The SMS channel serves residents with no smartphone
and assistive-feature-limited devices.
- CivicLoop ships with a VPAT / ACR the County can drop straight
into its procurement file.
- Accessibility is in the build pipeline: automated accessibility
checks run on every build, and the design principle in Document 06
("accessibility is not a mode") is enforced, not aspirational.
Why this matters for the win. The incumbent PGC311 app, at 1.5
stars and unable to submit a request, is not meeting this bar. An
accessible, conformant product with a VPAT in hand is both a
disqualifier-avoided and a direct contrast point.
2. The County's Language Access obligation
Prince George's County has a Language Access for Public Services
Act (2017, amended 2020) that legally requires County agencies to
provide enhanced language access. The County is the most populous
Black-majority county in the US, roughly 22% Hispanic/Latino and 25%
foreign-born; the school system already serves 20+ languages.
CivicLoop treats language access as a legal compliance
deliverable, not a feature:
- 35 languages on every surface - resident intake, notifications,
the portal, the public map.
- Voice intake in those languages - a resident reports in the
language they actually speak, by speaking it.
- Notifications in the resident's language, automatically, on
every status change.
- The Director Dashboard shows languages-served as a live metric -
the County can see, on screen, that the 311 function is meeting
its statutory obligation.
The pitch frame: CivicLoop is, as far as we can determine, the only
path by which the County's 311 function actually complies with the
County's own language-access law. The incumbent is English-centric and
cannot submit a request at all.
3. Data residency
- US region only. All CivicLoop data for a US County tenant is
stored and processed in a US cloud region. No data leaves the
country.
- The architecture supports region pinning per tenant, so a
jurisdiction with a stricter in-state requirement can be
accommodated.
- Backups are likewise US-region, encrypted.
4. Security controls
CivicLoop inherits the Ta-Tech engine's security model - the same
controls running in production on the healthcare and workforce
platforms - applied to County data.
| Control | Implementation |
|---|---|
| Tenant isolation | Every row is County-scoped; row-level security enforces it at the data layer, so an application bug cannot leak across the tenant boundary |
| Role isolation | The Document 04 RBAC model, enforced server-side, not just in the UI |
| Authentication | Staff: County email + password + TOTP two-factor, mandatory. Residents: passwordless one-time codes. SSO against the County IdP supported |
| Encryption | TLS in transit; encryption at rest for the database, attachments, and backups |
| Audit logging | Immutable, attributable log on every meaningful action - staff and AI/system - with before/after values, actor, IP, timestamp |
| Secrets management | Credentials and provider keys held in a managed secrets store, never in code or config files |
| Least privilege | Applies to system components too - each service and agent runs with the minimum access it needs |
| Session security | Idle timeout on staff sessions; trusted-device window is explicit and revocable |
| Input handling | Standard protections against injection, cross-site scripting, and request forgery; file uploads scanned and type-restricted |
5. The compliance authorization path
- Architected to NIST 800-53 controls - the framework underneath
both StateRAMP/GovRAMP and FedRAMP.
- StateRAMP / GovRAMP authorization is pursued on the standard
timeline. It is a months-long process by design; it does not block
a pilot. The pilot runs under a documented security posture while
the formal authorization proceeds - this is the normal and accepted
path for a new entrant, and we are transparent about it.
- CivicLoop can provide a security questionnaire response and a
controls matrix for the County's IT review up front.
6. Privacy
- Minimal collection. A resident can file a request with just a
phone number. Name, email, and an account are optional. CivicLoop
does not collect what it does not need.
- Public vs private, by design. A service request has public
facts (there is a pothole here, it is resolved) and private facts
(who reported it, their contact details, their comments). The
public map generalizes locations and never exposes resident
identity. The split is in the domain model (Document 03), not a
display-time afterthought.
- The public transparency portal at /public has NO PII. It is
anonymous, no account, NOT locale-scoped. The aggregator
(web/src/lib/public/stats.ts) computes only weekly counts,
medians, percentages, and an anonymized SVG scatter map. No
resident name, phone, email, exact address, or request number is
rendered. The same guarantee applies to /api/public/weekly.csv.
A reporter or council staffer can use the portal without ever
reading a resident's private fact.
- The auto-survey is token-based. The link at
/[locale]/survey/[token] carries a single-use opaque token. No
password, no auth, no PII in the URL. The token IS the credential
and only the original requester (who received the SMS or email)
has it. Responding burns the token. This trades zero-friction for
the resident against a narrow, controlled trust boundary.
- Self-heal is admin-gated and cron-token-gated. The "Run now"
button on /admin requires a county-admin session. The cron
endpoint at /api/cron/self-heal is gated by the optional
SELFHEAL_CRON_TOKEN env so an external scheduler can call it
without a session, but no anonymous caller can. The endpoint is
idempotent on a 6-hour per-request cooldown so a runaway cron
cannot spam residents.
- Loop channel persona has a no-PII guardrail. Loop never names
a resident and never quotes a resident comment verbatim in a
channel reply (Document 07, Component M). Channel messages are
staff-visible only and are not exposed on /public.
- Resident data rights. A resident can see everything on their own
requests, export it, and - for an account holder - request deletion
of their personal details (the request record persists for public-
record integrity, de-identified).
- No automated decisions about people. CivicLoop v1's AI routes
requests and predicts workload - it makes no eligibility,
enforcement, or benefit decision about any resident (Document 07,
Section 8). When Phase 2 / HHS introduces anything resembling risk
scoring about people, that is a separate, explicitly human-in-the-
loop design - out of v1 scope and called out so it is never assumed.
- AI transparency. Every AI decision is recorded with its
rationale and is reviewable (Document 07). A resident or an auditor
can ask why the system did what it did and get a real answer.
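The public/private split described for the /public aggregator, as an added example that is not the project's web/src/lib/public/stats.ts: it assumes a constructed request record shape, rounds map coordinates to two decimals (roughly 1 km), and checks the final output against a denylist of private keys.

```typescript
// Added example (not CivicLoop's own stats.ts). Assumed: this record shape,
// ~1 km coordinate rounding, and a private-key denylist checked on output.
export interface ServiceRequest {
  id: string;            // request number: private
  reporterName: string;  // private
  reporterPhone: string; // private
  address: string;       // exact address: private
  lat: number;
  lng: number;
  openedAt: number;      // ms since epoch
  resolvedAt?: number;   // undefined while the request is still open
}

export interface WeeklyPublicStats {
  total: number;
  resolvedPct: number;
  medianHoursToResolve: number | null;
  points: { lat: number; lng: number }[]; // generalized, no identity
}

const PRIVATE_KEYS = ["id", "reporterName", "reporterPhone", "address"];

export function median(values: number[]): number | null {
  if (values.length === 0) return null;
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Only counts, a percentage, a median and generalized points leave this function.
export function weeklyPublicStats(requests: ServiceRequest[]): WeeklyPublicStats {
  const hours = requests
    .filter((r) => r.resolvedAt !== undefined)
    .map((r) => ((r.resolvedAt as number) - r.openedAt) / 3_600_000);
  const stats: WeeklyPublicStats = {
    total: requests.length,
    resolvedPct: requests.length ? Math.round((100 * hours.length) / requests.length) : 0,
    medianHoursToResolve: median(hours),
    // Two decimals is roughly 1 km: a dot on the map, not a doorstep.
    points: requests.map((r) => ({
      lat: Math.round(r.lat * 100) / 100,
      lng: Math.round(r.lng * 100) / 100,
    })),
  };
  // Defense in depth: refuse to render if a private key ever reaches the output.
  const leaked = PRIVATE_KEYS.filter((k) => JSON.stringify(stats).includes(`"${k}":`));
  if (leaked.length > 0) throw new Error(`private field in public stats: ${leaked.join(", ")}`);
  return stats;
}
```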
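The single-use survey token described for /[locale]/survey/[token], as an added example rather than CivicLoop's own code: it assumes an in-memory map standing in for the database and stores only the SHA-256 hash of each token, so a copy of the store does not yield usable links.

```typescript
// Added example (not CivicLoop's own code). Assumed: an in-memory store in
// place of the database; only the token hash is persisted.
import { createHash, randomBytes } from "crypto";

interface SurveyGrant {
  requestId: string; // the service request this survey belongs to
  burned: boolean;   // set on the first valid response
}

// Keyed by hash so a leaked table does not reveal usable tokens.
const grants = new Map<string, SurveyGrant>();

function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

// Issue: 32 random bytes as a URL-safe opaque token for the SMS/email link.
// No password, no PII: the token is the whole credential.
export function issueSurveyToken(requestId: string): string {
  const token = randomBytes(32).toString("base64url");
  grants.set(hashToken(token), { requestId, burned: false });
  return token;
}

// Redeem: unknown and already-burned tokens are rejected identically, so a
// caller learns nothing about which case applied. Responding burns the token.
export function redeemSurveyToken(
  token: string,
): { ok: true; requestId: string } | { ok: false } {
  const grant = grants.get(hashToken(token));
  if (!grant || grant.burned) return { ok: false };
  grant.burned = true;
  return { ok: true, requestId: grant.requestId };
}
```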
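The admin-session / SELFHEAL_CRON_TOKEN gate and the 6-hour per-request cooldown on the self-heal endpoint, as an added example that is not the project's code: it assumes a minimal request shape, the configured token passed in explicitly rather than read from process.env, and an injected clock so the cooldown can be exercised deterministically.

```typescript
// Added example (not CivicLoop's own /api/cron/self-heal handler). Assumed:
// a minimal request shape, the token value passed in, and an injected clock.
import { timingSafeEqual } from "crypto";

const COOLDOWN_MS = 6 * 60 * 60 * 1000; // 6 hours, per service request

export interface CronRequest {
  headers: { authorization?: string };
  hasCountyAdminSession: boolean;
}

// Constant-time comparison; a length mismatch is rejected without comparing content.
function tokenMatches(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// A county-admin session is always enough. Otherwise the caller must present the
// configured cron token; with no token configured, the cron path is closed.
export function authorizeSelfHeal(req: CronRequest, configuredToken: string | undefined): boolean {
  if (req.hasCountyAdminSession) return true;
  if (!configuredToken) return false;
  const header = req.headers.authorization ?? "";
  const presented = header.startsWith("Bearer ") ? header.slice(7) : "";
  return presented.length > 0 && tokenMatches(presented, configuredToken);
}

// Idempotency: a request healed less than 6 hours ago is skipped, so a scheduler
// that fires repeatedly cannot re-notify the same resident.
export class SelfHealRunner {
  private lastRun = new Map<string, number>();
  private readonly now: () => number;
  constructor(now: () => number = Date.now) { this.now = now; }

  run(requestIds: string[]): string[] {
    const healed: string[] = [];
    const t = this.now();
    for (const id of requestIds) {
      const last = this.lastRun.get(id);
      if (last !== undefined && t - last < COOLDOWN_MS) continue;
      this.lastRun.set(id, t);
      healed.push(id);
    }
    return healed;
  }
}
```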
7. Public records & retention
- 311 service-request data is public record under the Maryland
Public Information Act. CivicLoop is built for this: complete,
immutable, timestamped records make a records request a query, not
an excavation (Document 08, Section 7).
- Retention follows the County's records schedule, configurable
per tenant. Records are retained, not silently purged; de-
identification (not deletion) is the tool for resident privacy
requests where public-record integrity must be preserved.
8. Incident response
- Monitoring - the hosted environment is monitored; anomalies
(unusual access patterns, integration failures, error spikes) alert
the Ta-Tech operations function and the County Admin's system agent
(Document 07, Section 7c).
- Audit-first investigation - because every action is logged
immutably and attributably, an investigation starts with evidence,
not guesswork.
- Defined response process - containment, County notification,
remediation, post-incident review. A breach affecting County or
resident data triggers prompt County notification per the agreed
terms and Maryland law.
- Backups and recovery - regular encrypted backups, US-region,
with a tested restore path.
9. What we can hand the County's reviewers
By the presentation, ready to put in front of County IT and
procurement:
- A VPAT / Accessibility Conformance Report (WCAG 2.1 AA).
- A security controls summary mapped to NIST 800-53 families.
- A data-flow and data-residency statement (what data, where it
lives, who can see it).
- A privacy statement covering collection, the public/private
split, resident rights, and the no-automated-decisions commitment.
- The Language Access mapping - how CivicLoop meets the County's
2017/2020 Act.
These are not built in the 9-day window - they are written alongside
the doc set, because they are part of the written submission. The
product embodies them; these documents attest to them.
10. The honest summary for the panel
CivicLoop meets the table-stakes a County must require - accessibility
with a VPAT, US data residency, a real security model, privacy by
design - and turns two of them into competitive advantages:
accessibility (the voice and SMS channels are accessibility
features, and the incumbent fails the bar) and language access
(reframed from feature to legal compliance with the County's own law).
The formal StateRAMP authorization is on the standard timeline and
does not block the pilot - and we say so plainly rather than implying
a status we do not yet hold.
Next: 10 - Build Plan & Milestones.