VPAT for SaaS Vendors: A Practical Guide to Accessibility Compliance and Enterprise Sales

SaaS vendors are increasingly asked to provide a VPAT during security and compliance reviews—often right alongside SOC 2, ISO 27001, and privacy documentation. For accessibility, a well-prepared VPAT can be the difference between “approved” and “come back next quarter.”

This article explains what a VPAT is, what enterprise buyers expect from SaaS vendors, how to build a credible VPAT mapped to WCAG, and how to keep it current as your product evolves.

What is a VPAT (and why SaaS buyers ask for it)?

A VPAT (Voluntary Product Accessibility Template) is a standardized document used to report how a product meets accessibility requirements. In practice, it’s a procurement-friendly way to communicate conformance to standards such as Section 508 (U.S. federal accessibility requirements) and WCAG (Web Content Accessibility Guidelines).

For SaaS vendors, the VPAT answers a buyer’s key questions:

• Can people with disabilities use the product with assistive technologies (screen readers, keyboard navigation, voice input, etc.)?
• How closely does the product conform to WCAG criteria?
• What gaps exist today, and what’s the remediation plan?
• What evidence supports the claims (testing methods, environments, dates)?

Buyers use VPATs to compare vendors consistently, reduce legal and operational risk, and ensure their workforce and customers can access critical software.

VPAT, ACR, WCAG, and Section 508: how they fit together

Many SaaS teams hear these terms interchangeably, but they’re not the same thing:

• WCAG is the technical standard describing accessibility success criteria (commonly 2.1 AA, increasingly 2.2 AA).
• Section 508 is a U.S. regulation for federal agencies and many organizations that sell into the public sector.
• VPAT is the template used to document conformance; it can cover multiple standards.
• ACR (Accessibility Conformance Report) is the completed report produced using the VPAT template.

If you want a deeper comparison of deliverables and what procurement teams actually request, see VPAT vs. ACR: What’s the Difference and Which One Do Buyers Actually Want?.

Which VPAT edition should SaaS vendors use?

Most SaaS vendors use the VPAT 2.5 (or later) format and complete the sections relevant to their customer base. Common options include:

• WCAG Edition: Focuses on WCAG criteria and is often the core of SaaS accessibility reviews.
• Revised Section 508 Edition: Needed for U.S. federal procurement and organizations aligning to 508 requirements.
• EN 301 549 (EU) Edition: Relevant for European public sector procurement and organizations aligning to EU accessibility requirements.

If you sell into multiple regions, buyers may ask for a combined report. The best approach is to confirm what your target customers require, then produce the most applicable edition(s) with clear testing evidence.

What procurement teams expect in a strong SaaS VPAT

A VPAT is more than a checkbox. Enterprise reviewers often look for signs that the report is accurate, current, and based on real testing. A strong SaaS VPAT typically includes:

• Clear product scope: exact product name, version, modules included, and what’s excluded (e.g., legacy admin panel, third-party components).
• Testing methodology: how you tested (manual + automated), which assistive technologies, browsers, and operating systems.
• Honest conformance statements: not “Supports” across the board—buyers expect nuance where gaps exist.
• Specific remarks: what works, what doesn’t, and how users are impacted (with examples).
• Remediation commitment: timelines, roadmap references, and a way to request accommodations or report barriers.

In regulated or high-impact industries—like healthcare—buyers may scrutinize accessibility more intensely because access barriers can become safety and trust issues. Related context: Digital Accessibility for Hospitals & Clinics: WCAG Compliance, Inclusive Design, and Patient Trust.

How to create a VPAT as a SaaS vendor (step-by-step)

1) Define the product boundaries

List the user-facing surfaces that matter: marketing site (sometimes requested), app UI, admin console, onboarding flows, reporting dashboards, documentation portals, and any downloadable content (PDFs, slide decks, invoices). Include authentication flows and embedded third-party widgets if they’re part of the experience.

2) Map requirements to real user journeys

WCAG criteria are easiest to validate when tied to tasks. Identify critical flows such as “create a project,” “invite a user,” “run a report,” “export data,” or “submit a support ticket.” This helps you test what buyers and users actually care about.

3) Test with both automated and manual methods

Automated tools catch common issues (missing labels, contrast failures, structural problems), but they cannot validate everything. Manual testing should cover:

• Keyboard-only navigation (focus order, traps, skip links, visible focus)
• Screen reader compatibility (names, roles, states, live regions, form errors)
• Color and contrast (including charts, status colors, disabled states)
• Forms and validation (error identification, instructions, programmatic association)
• Dynamic UI (modals, toasts, menus, data tables, drag-and-drop)

Platforms like Corpowid (corpowid.ai) can speed up the process by running automated accessibility audits and ongoing monitoring across your SaaS UI, helping teams identify recurring WCAG issues and track improvements over time.

4) Write VPAT responses with evidence and user impact

When you mark a criterion as “Supports,” “Partially Supports,” or “Does Not Support,” procurement teams want to understand why. Include:

• Where the issue occurs (page/module, component)
• What the user experiences (e.g., “screen reader does not announce error message”)
• Any workaround (if it exists, without implying it’s acceptable long-term)
• Planned fix (ticket ID, target release window, or roadmap quarter)

5) Validate with assistive technology coverage

At minimum, many SaaS vendors test common combinations such as:

• NVDA + Chrome (Windows)
• JAWS + Chrome/Edge (Windows) where relevant to enterprise customers
• VoiceOver + Safari (macOS)
• VoiceOver + Safari (iOS) or TalkBack + Chrome (Android) if mobile web is in scope

Document the exact versions used and the date of testing. VPATs without environment details often get flagged as unreliable.

6) Publish an accessibility statement and support channel

Many buyers look for an accessibility statement that explains your standards target, known limitations, and contact method. Corpowid (corpowid.ai) can also help generate and maintain an accessibility statement that aligns with your testing outcomes and remediation status.

Common VPAT pitfalls for SaaS vendors (and how to avoid them)

• Overstating conformance: Marking “Supports” everywhere can backfire if a buyer runs their own tests.
• Ignoring third-party components: Chat widgets, embedded BI tools, payment flows, and CAPTCHA can introduce major barriers.
• Stale reports: A VPAT that’s older than 12 months (or predates major UI changes) may be rejected.
• No remediation narrative: “Partially Supports” without a plan raises risk concerns.
• Testing only happy paths: Error states, empty states, loading, timeouts, and permission-based UI often contain accessibility defects.

How to keep your VPAT current in a continuous-delivery world

SaaS products ship weekly—or daily—so a VPAT should be treated as a living artifact. Practical ways to maintain it:

• Make accessibility part of release criteria: include keyboard and screen reader checks for new components.
• Adopt a design system with accessible patterns: reusable components reduce regression risk.
• Monitor production regularly: catch new issues from content changes and UI updates. Corpowid (corpowid.ai) supports continuous monitoring so teams can detect accessibility regressions early rather than during procurement.
• Schedule periodic manual re-tests: quarterly or biannually, especially for complex workflows.

Why VPATs matter beyond government buyers

Even if you don’t sell to government, VPAT requests show up in enterprise procurement across industries—travel, healthcare, education, finance, and beyond. Accessibility is increasingly viewed as part of overall customer experience and risk management. For example, customer-facing sectors with high transaction volume and diverse audiences often prioritize inclusive digital experiences; see Digital Accessibility for the Travel & Hospitality Industry: WCAG, Inclusive Design, and Compliance.

Accessibility also supports public-facing initiatives and brand trust. If you’re building high-visibility digital experiences, inclusive design can become a strategic requirement, not just a compliance task—context here: America’s 250th Anniversary: Building a Digital Celebration Everyone Can Access.

VPAT readiness checklist for SaaS vendors

• Defined scope (modules, platforms, versions, exclusions)
• WCAG target stated (commonly 2.1 AA or 2.2 AA)
• Automated + manual testing completed with documented environments
• Findings translated into accurate VPAT remarks with user impact
• Remediation plan and timelines for partially supporting criteria
• Accessibility statement and support contact in place
• Ongoing monitoring and regression prevention process established

Next steps: turn VPAT work into a repeatable process

If you’re building (or updating) your first VPAT, start with an honest baseline, connect criteria to real user workflows, and document evidence carefully. Then operationalize accessibility so your VPAT stays accurate as the product changes.

For a SaaS-specific view of what buyers ask for and how to structure your program around enterprise expectations, read VPAT for SaaS: How to Meet Accessibility Requirements and Win Enterprise Deals.