Connect your own S3, R2, or B2 bucket and we’ll remediate every PDF that lands there — automatically. No uploads, no API code, no copy-paste. The accessible version writes back to your bucket.
Configure an integration once — a bucket, an input prefix, and an output prefix. From then on, every PDF that lands in the input prefix is detected, pulled, remediated, and written back to the output prefix. The original stays exactly where it is.
We never see, list, or touch any object outside the prefixes you configure. Per-user isolation, scoped credentials, KMS-sealed secrets. Pause and resume whenever you need to.
your bucket theaccessible.org your bucket
───────────── ───────────────── ─────────────
uploads/ ─▶ detected ─▶ remediated ─▶ written ─▶ remediated/Five auth modes, two detection modes. Pick the combination that matches your team’s security posture and latency needs.
| Provider | Auth | Setup | Event mode |
|---|---|---|---|
| Amazon S3 — IAM role Recommended | AssumeRole via STS | ~5 min | Yes |
| Amazon S3 — access key | IAM user key (KMS-sealed) | ~2 min | — |
| Cloudflare R2 | R2 token (KMS-sealed) | ~2 min | Yes (forwarder Worker) |
| Backblaze B2 | Application key (KMS-sealed) | ~2 min | — |
| Generic S3-compatible | Access key + endpoint | ~2 min | — |
Event mode reacts within seconds. Polling reacts within two minutes. You can switch between them on the integration detail page.
Production-ready primitives. Defaults that match enterprise IAM expectations. A pipeline that runs without a person watching it.
Upload a PDF to the input prefix in your bucket. We pull it, run the full remediation pipeline (tagging, alt text, reading order, contrast), and write the accessible version back to your output prefix. The original is untouched.
Pick polling for a two-minute cadence with zero AWS plumbing, or wire EventBridge (S3) or a forwarder Worker (R2) for second-latency processing. Switch modes any time from the integration detail page.
For AWS, the recommended path is a cross-account IAM role with a per-integration external ID — no long-lived access keys leave your account. We render the trust and permissions policy you need; you paste back a role ARN.
When access keys are unavoidable (corporate IAM restrictions, R2, B2), we seal them with AWS KMS the moment they arrive. The plaintext is never persisted. Rotate from the dashboard with one click.
We never see, list, or touch any object outside the input and output prefixes you configure. Per-user isolation enforced at the database layer. Pause an integration during a maintenance window without touching credentials.
Wire up to 25 integrations per user — separate by team, project, or pipeline stage. Each one has its own bucket, prefixes, credentials, and detection mode. Add or remove without touching the others.
Every event the integration receives lands in the audit log on the detail page — accepted jobs, rejected events, with the reason code. Pair with the 30-day usage rollup to see what you ingested and returned at a glance.
The AWS IAM-role path is the recommended setup — no long-lived credentials ever leave your account. Here’s the trust policy the dashboard renders for you. Paste it into a new IAM role, attach the permissions policy we also generate, and send us the role ARN.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::<our-account>:role/integration" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<per-integration-id-from-dashboard>"
}
}
}]
}If your team is publishing accessibility-compliant PDFs at any kind of volume — course materials, regulatory filings, public-records portals — a connected bucket pays for itself in week one.