EGP Legal Refresh Audit — 2026-05-30

Audit lead: Vesta + Gemma + Sade Unified (PPMO-KC + GenCom)
Date: May 30, 2026
Folder under audit: 00096-EGP-Legal-Terms-Rebuild/docs/
Files audited: 8 primary legal artifacts + Master ToC

TL;DR for Marc

3 documents bumped to V3 (Accessibility, AI Disclosure, Privacy Policy). All V2 files preserved in place; V3 files are net-new alongside.
0 in-place edits. Master ToC was rewritten (left-rail added, V3 rows added, sidecar relationship documented).
3 Marc-action ratify items — see Section Marc-Action Ratify Queue below.
1 outstanding gap: the TOS Use-Adherence Patch (2026-05-28) is still a sidecar and should be merged into a TOS V3 in the next sprint.
Forbidden-pattern grep: CLEAN. No app.gohighlevel.com, no "Claude" self-references, no improperly-encoded file:// paths in new artifacts.

Audit Scope

Scope per Marc's 2026-05-30 directive: review every doc in 00096-EGP-Legal-Terms-Rebuild/docs/ for stale dates, stale company references, deprecated tool/partner refs, missing AI/agent disclosures, missing or stale regulatory scope statements (PCI, GLBA, HIPAA, GDPR, CCPA, CPRA, CO, CT, VA, UT), missing GoverningLaw/Jurisdiction blocks, broken cross-references, TOS patch merge status, WCAG currency, and refund/processing-fee alignment.

Per-Doc Change Table

Doc	Old Version	New Version	Why Changed	Basis (Regulation/Standard)	Marc Ratify?
Accessibility Statement	V2.0 (Apr 1, 2026)	V3.0 (May 30, 2026)	WCAG 2.1 AA is superseded by WCAG 2.2 AA. Added EN 301 549 / EAA references for EEA-facing services.	W3C WCAG 2.2 Recommendation (October 5, 2023); Directive (EU) 2019/882 (EAA, enforceable June 28, 2025); EN 301 549 v3.2.1.	YES — standard upgrade is voluntary; confirm EGP wants to publicly commit to 2.2 AA before V2 is replaced on the public site.
AI Disclosure	V1.0 (Apr 1, 2026)	V3.0 (May 30, 2026)	V1.0 made no mention of the EGP persona-based AI agent architecture (Vesta, Gemma, etc.). FTC and state AI-disclosure regimes increasingly expect specific disclosure of agentic systems. Also added Colorado AI Act and EU AI Act references and C2PA provenance section.	Colorado AI Act SB24-205 (effective Feb 1, 2026); EU AI Act Regulation (EU) 2024/1689; NIST AI RMF 1.0; ISO/IEC 42001:2023; C2PA spec v2.x.	YES — the persona roster is now disclosed externally; confirm the table is the version you want public. (Removed internal-only personas Aisha, Surafel, Marc/Leda from the public table.)
Privacy Policy	V2.0 (Apr 1, 2026)	V3.0 (May 30, 2026)	V2.0 covered only CA/EU/VA. As of May 2026, five additional state laws are in force: CO (Jul 2023), CT (Jul 2023), UT (Dec 2023), TX (Jul 2024), OR (Jul 2024). Without coverage we are non-compliant for residents of those states. Also added GPC (Global Privacy Control) recognition and SPI right-to-limit per CPPA regs.	Colorado CPA C.R.S. Section 6-1-1301; Connecticut CTDPA Conn. Gen. Stat. Section 42-515; Utah UCPA Utah Code Section 13-61-101; Texas TDPSA Tex. Bus. & Com. Code Section 541.001; Oregon OCPA ORS Section 646A.570; CPPA regs under Cal. Civ. Code Section 1798.185(a)(16).	YES — this expands EGP's request-handling obligations to 5 additional states (45-day response). Confirm we have the operational SLA capacity at privacy@enroutegrowthplatform.com.
Terms of Service V2	V2.0 (Apr 1, 2026)	No V3 yet	No material legal change identified TODAY. Outstanding: the 2026-05-28 Use-Adherence Patch should be merged into TOS V3.	n/a today; merge owed.	NO today — future TOS V3 needs Marc ratify.
Cancellation Policy V2	V2.0 (Apr 1, 2026)	No V3	Reviewed against Processing Fee Policy. No misalignment found. No external regulatory pressure since April.	n/a	NO
Processing Fee Policy	V1.0 (Apr 1, 2026)	No V3	Reviewed. Aligned with Cancellation Policy. Card-surcharge state restrictions unchanged since April (CT, MA still prohibit; remaining states allow with disclosure).	n/a	NO
TOS Use-Adherence Patch (sidecar)	2026-05-28	Unchanged (still sidecar)	Sidecar status documented in Master ToC. Recommend merge into TOS V3 next sprint.	n/a	NO today — merge decision needed.
Master ToC	Mar 31, 2026 (no left-rail)	Rewritten May 30, 2026	Per `[[feedback-all-html-must-have-left-toc-canonical-2026-05-27]]`; added Recent Changes block; added V3-primary / V2-archived structure; documented sidecar patch relationship.	EGP internal canon (2026-05-27 P0).	NO (compliance with internal canon)

Material Findings

Accessibility Statement V2 cited WCAG 2.1. WCAG 2.2 has been a W3C Recommendation since October 5, 2023. Continuing to cite 2.1 understates EGP's accessibility commitment and creates exposure if a sophisticated plaintiff measures EGP against the current standard. FIXED in V3.
AI Disclosure V1 omitted the EGP persona architecture. Externally, EGP correspondence is signed "Vesta + Gemma Unified" but no public document disclosed what that means. Combined with FTC sweeps on undisclosed AI agents (e.g., Operation AI Comply, September 2024), this was a disclosure gap. FIXED in V3.
Privacy Policy V2 covered only 3 jurisdictions. 5 additional state privacy laws have been enforceable for 6 to 24 months. Each grants residents enforceable opt-out and access rights. Operating without published rights statements for those residents creates direct AG enforcement risk in CO/CT/TX. FIXED in V3.
TOS Use-Adherence Patch is still a sidecar. The patch was authored for a single counterparty challenge (Adorn) but its acceptance-by-use language belongs in the TOS body. Leaving it sidecar means EGP relies on V2 + a separate patch for enforcement, which is a weaker posture than a clean TOS V3.
Em-dashes appear in the TOS Patch sidecar. Per Marc's no-dash rule, the patch should be re-rendered (with regular hyphens) when merged into TOS V3.

Marc-Action Ratify Queue

Approve V3 Accessibility Statement — raises public commitment from WCAG 2.1 AA to WCAG 2.2 AA. Confirms EGP can operationally honor 2.2 AA on all client-facing surfaces.
Approve V3 AI Disclosure — publishes the canonical persona roster externally for the first time. Confirm the roster table is the one we want public (V3 deliberately excludes Aisha, Surafel, Marc, Leda).
Approve V3 Privacy Policy — commits EGP to honoring privacy requests from residents of CO, CT, UT, TX, OR (in addition to CA, EU/UK, VA). Confirm privacy@enroutegrowthplatform.com mailbox is monitored within the 45-day SLA window, and that https://app.enroute.global/privacy-request form is built (V3 references it as a submission channel).

No-Change Determinations

TOS V2 — no in-place edit; sidecar patch flagged for future merge.
Cancellation Policy V2 — reviewed; aligned with Processing Fee Policy; no regulatory delta.
Processing Fee Policy V1.0 — reviewed; CT/MA card-surcharge prohibitions unchanged.

Sanity-Check Results

app.gohighlevel.com grep across all docs: 0 occurrences. Clean.
file:// grep: 0 occurrences. No path-encoding risk surfaces.
Em-dash grep: present only in TOS Use-Adherence Patch (pre-existing, flagged for re-render at merge).
"Claude" self-reference grep: 0 occurrences. Persona attribution canon preserved.
Single-space "LaCie / Claude" URL refs: 0 occurrences. No URL-encoding risk surfaces.
Left-rail ToC present on all 4 new HTML artifacts (Accessibility V3, AI Disclosure V3, Privacy V3, Master ToC, Audit Summary). Per canon.

Recommended Next Steps

Marc ratifies the 3 V3 documents (above).
Once ratified, publish V3 files to app.enroute.global/legal/ (or whichever public legal index is canonical) and update any inbound deep-links from product UIs to point at the V3 URLs.
Schedule a TOS V3 sprint to (a) merge the 2026-05-28 Use-Adherence Patch as new Section 1.1 (Acceptance by Use), (b) re-render with no-dash rule, (c) add cross-references to the new V3 Privacy and AI Disclosure.
Stand up https://app.enroute.global/privacy-request intake form (referenced in Privacy V3 Section 7.10) if not already live.
Confirm privacy@, accessibility@, ai-governance@enroutegrowthplatform.com mailboxes are monitored with documented SLAs.