Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Website Rating is a formal, signed document that scores a website against a defined set of criteria β covering technical performance, content quality, usability, and legal compliance β using a structured methodology and weighted scoring system. It records conditions at a specific point in time, assigns an overall composite score, and documents remediation recommendations for any deficiencies found. Unlike an informal internal audit, a website rating is executed by both the evaluating party and the client, creating a legally accepted record of findings that can support contract milestones, regulatory compliance evidence, or dispute resolution.
Without a signed website rating, an agency or consultant delivering a web audit has no documented record that the client received, reviewed, and accepted the findings β leaving payment disputes, scope disagreements, and liability claims to be resolved on the basis of email threads alone. For organizations with regulatory obligations β GDPR cookie compliance, WCAG accessibility, HIPAA-aligned data handling β an undocumented evaluation provides no audit trail if a regulator or litigant demands evidence of due diligence. A properly executed website rating closes these gaps: it establishes agreed scope before work begins, records objective findings with a reproducible methodology, caps the evaluator's liability to the fee paid, and creates a baseline against which future assessments can be measured. This template gives you a structured starting point you can customize to your scoring criteria and deliver as a professional, defensible document.
| If your situation is⦠| Use this template |
|---|---|
| Auditing a client website for WCAG 2.1 accessibility compliance | Website Accessibility Audit Report |
| Evaluating a website as part of a digital due diligence process | Digital Due Diligence Checklist |
| Rating a website's SEO performance against defined benchmarks | SEO Audit Report Template |
| Scoring multiple vendor websites during a procurement process | Vendor Evaluation Form |
| Documenting website changes required after an audit | Website Project Scope of Work |
| Formal agreement governing ongoing website management and maintenance | Website Maintenance Agreement |
| Assessing a newly built website before launch sign-off | Website Launch Checklist |
Why it matters: Without an agreed list of pages and functions, clients routinely claim the audit was incomplete and withhold payment or demand re-evaluation at no charge.
Fix: Attach a signed Schedule B listing every in-scope URL before the evaluation begins, and include an explicit exclusion list for anything the client asked about but was not included.
Why it matters: A score of 3 out of 5 on 'content quality' is undefendable without a written description of what distinguishes each score level β the client will always argue their site deserved a higher mark.
Fix: Define each numeric level for every criterion in Schedule A before the evaluation starts, and have the client sign off on the rubric.
Why it matters: An evaluator who misses a GDPR non-compliance issue could face a claim that the missed finding caused regulatory fines β which can reach 4% of global annual turnover under EU law.
Fix: Include an explicit liability cap limiting the evaluator's exposure to the fee paid for the rating, and add a disclaimer that the rating reflects conditions at a point in time only.
Why it matters: A unilaterally signed report does not constitute acceptance of findings β without the client's signature, disputes about delivery, content, and acknowledgment are unresolvable on the document alone.
Fix: Require the client's authorized representative to sign the acceptance block before the report is considered final and delivered.
Why it matters: Mixing 'zero broken links found' with 'the homepage feels cluttered' in the same scored field undermines the document's credibility if disputed in a legal or contractual context.
Fix: Separate objective measurable findings from qualitative observations in the document structure β score only objective criteria and include qualitative notes in a separate non-scored commentary section.
Why it matters: A website can change significantly within days β without a clear evaluation date, a client can argue findings are stale or never applied to their site.
Fix: State the exact evaluation date on the cover and in the acceptance clause, and include a note that findings are valid only as of that date and are not a guarantee of future compliance.
In plain language: Identifies the evaluator and the website owner by their full legal names, states the purpose of the rating, and records the date the evaluation was commissioned.
This Website Rating is entered into on [DATE] between [EVALUATOR LEGAL NAME] ('Evaluator') and [CLIENT LEGAL NAME] ('Client'). The purpose of this document is to provide a formal evaluation of the website located at [URL] ('Website') against the criteria set out herein.
Common mistake: Identifying the evaluator by trade name rather than registered legal entity β if a dispute arises over findings, the contracting party must match the entity that provided the service.
In plain language: Defines exactly which pages, subsections, and functions of the website were included in the rating and lists any areas that were explicitly excluded.
This evaluation covers the following pages and sections: [LIST]. The following areas are excluded from this rating: [EXCLUSIONS]. Any page or function not listed above is outside the scope of this document.
Common mistake: Leaving scope undefined so the client later claims the audit should have covered the entire site β including sections the evaluator never accessed or agreed to assess.
In plain language: Sets out the specific criteria being scored, the rating scale used (e.g., 1β5 or 0β100), the weight assigned to each criterion, and the source standards referenced.
Each criterion listed in Schedule A is rated on a scale of [1β5 / 0β100]. Criteria are weighted as set out in Schedule A. Evaluation methodology follows [STANDARD β e.g., WCAG 2.1 AA / Google Core Web Vitals / ISO 25010].
Common mistake: Using a rating scale without defining what each score level means β a score of 3 out of 5 is meaningless without a rubric describing what distinguishes a 3 from a 2 or a 4.
In plain language: Documents scores for load speed, mobile responsiveness, uptime, security (HTTPS, SSL), and Core Web Vitals measurements taken at the time of evaluation.
Largest Contentful Paint: [X]s (Target: <2.5s) β Score: [X/5]. Mobile responsiveness: [PASS/FAIL]. SSL certificate: [VALID/EXPIRED]. Uptime over 30 days: [X]%.
Common mistake: Recording a single snapshot measurement for load speed without noting the testing tool, geographic location, and device type β results vary significantly across these variables.
In plain language: Records the evaluator's assessment of navigation clarity, content accuracy, readability, call-to-action effectiveness, and user experience against the agreed criteria.
Navigation clarity: [X/5] β [FINDING]. Readability score (Flesch-Kincaid): [X]. CTAs present on key landing pages: [YES/NO]. Identified usability issues: [LIST OR 'NONE IDENTIFIED'].
Common mistake: Combining objective findings (broken links count) with subjective opinions (design is outdated) in the same scored criterion without distinguishing them β conflating the two undermines the document's credibility in a dispute.
In plain language: Documents whether the website meets applicable legal requirements including cookie consent, privacy policy, accessibility standards, and jurisdiction-specific disclosures.
Cookie consent mechanism: [COMPLIANT/NON-COMPLIANT β DETAIL]. Privacy policy present and dated: [YES/NO]. WCAG 2.1 AA compliance level: [PASS/PARTIAL/FAIL]. Required legal disclosures for [JURISDICTION]: [PRESENT/ABSENT β LIST].
Common mistake: Checking for the presence of a privacy policy without verifying its content covers the data types the website actually collects β a policy that doesn't match real data practices is a compliance deficiency.
In plain language: Calculates the composite score across all criteria using the agreed weights and assigns an overall rating category β for example, Excellent, Satisfactory, Needs Improvement, or Non-Compliant.
Total weighted score: [X/100]. Overall rating: [RATING CATEGORY] as defined in Schedule A. This rating reflects the website's status as of [DATE] and is subject to change if material changes are made to the Website.
Common mistake: Presenting a final score without showing the calculation β if a client disputes the result, an undocumented score has no audit trail to defend.
In plain language: Lists each deficiency found, the criterion it failed, the recommended corrective action, and a suggested priority level (critical, high, medium, or low).
Issue: [DESCRIPTION]. Criterion failed: [NAME]. Recommended action: [ACTION]. Priority: [CRITICAL/HIGH/MEDIUM/LOW]. Recommended completion: within [X] days of this report.
Common mistake: Including remediation items in the findings without assigning priority β a client who sees 30 issues with no urgency signal will likely deprioritize all of them.
In plain language: Confirms the evaluator has no financial interest in the outcome, that findings represent conditions at the time of evaluation only, and limits the evaluator's liability to the fee paid for the rating.
Evaluator confirms it has no financial interest in any product, service, or vendor referenced herein. This rating reflects conditions as of [DATE]. Evaluator's total liability under this document shall not exceed the fee paid by Client for this evaluation: $[AMOUNT].
Common mistake: Omitting a liability cap entirely β without one, a client could argue that a missed compliance finding caused regulatory fines and seek damages far exceeding the evaluation fee.
In plain language: Records that both parties have reviewed and accepted the findings, identifies the governing jurisdiction, and provides signature blocks for both evaluator and client.
By signing below, Client acknowledges receipt and acceptance of this Website Rating as of [DATE]. This document is governed by the laws of [STATE/PROVINCE/COUNTRY]. Evaluator: [NAME/TITLE/DATE]. Client: [NAME/TITLE/DATE].
Common mistake: Having only the evaluator sign and treating the document as a unilateral report β without the client's signature, disputes about whether findings were communicated and accepted are much harder to resolve.
Insert the evaluator's and client's full registered legal names β not brand names or trading names β and the exact URL being evaluated. Record the date the evaluation was commissioned.
π‘ Confirm the URL is the live production site, not a staging environment, unless the rating is explicitly scoped to a pre-launch review.
List every page, section, and function included in the rating, and explicitly name any exclusions. Attach this as Schedule B so both parties sign off on scope before work starts.
π‘ Screenshot the site map on the evaluation date and attach it to the document β sites change, and a dated site map establishes what was in scope at the time.
For each criterion, assign a weight (percentage of total score), define what each score level means in plain terms, and reference any external standard being applied (WCAG, Core Web Vitals, ISO).
π‘ Share the completed Schedule A with the client for approval before conducting the evaluation β agreed criteria eliminate most post-delivery disputes.
Run page speed and Core Web Vitals tests using Google PageSpeed Insights or Lighthouse, record HTTPS and SSL status, and check mobile responsiveness across at least two device sizes. Note the tool name, version, and test date for each metric.
π‘ Run speed tests three times and record the median result β single-run results are distorted by network variability.
Work through each rated criterion systematically, recording objective findings (broken link count, missing alt text count) separately from qualitative assessments. For the compliance section, cross-reference the applicable jurisdiction's legal requirements.
π‘ Use a browser accessibility extension such as axe DevTools to generate a reproducible accessibility finding log you can attach as an appendix.
Multiply each criterion score by its weight, sum the results, and compare to the rating categories defined in Schedule A. Show the full calculation in a table so the client can verify the arithmetic.
π‘ If the weighted score falls near the boundary between two rating categories, add a narrative note explaining the deciding factors β borderline scores without context generate the most disputes.
For every deficiency, state the finding, the criterion it failed, the specific corrective action, and a priority tier (critical, high, medium, low). Assign a suggested completion window for each priority tier.
π‘ Limit critical items to genuine legal compliance failures or security vulnerabilities β overusing 'critical' dilutes the urgency and reduces the chance clients act on what actually matters.
Send the completed document to the client's authorized representative for review. Do not finalize or deliver the report until both parties have signed the acceptance block and governing law is confirmed.
π‘ Use a timestamped e-signature tool to create an auditable record of exactly when each party accepted the findings.
A website rating document is a formal written evaluation that scores a website against defined criteria β covering technical performance, usability, content quality, and legal compliance β using a structured methodology and weighted scoring system. It is used by agencies, auditors, and consultants to deliver defensible, signed findings to clients or internal stakeholders, and serves as a record of the website's condition at a specific point in time.
A formal, signed website rating is appropriate when findings will be used to support a contractual obligation β such as a web development agreement milestone sign-off β when compliance findings must be documented for regulatory purposes, when a third-party evaluator is being paid to deliver an objective assessment, or when procurement decisions will be based on the evaluation scores. Informal internal reviews are sufficient for routine monitoring, but any evaluation with legal or financial consequences should use a signed document.
For the rating to function as a legally accepted document β confirming the client received and acknowledged the findings β signatures from both the evaluator and the client are generally recommended. Without a client signature, there is no documented evidence of acceptance, which complicates payment disputes, scope disagreements, and any subsequent liability claims. The evaluator's signature alone is sufficient only when the document is intended as a unilateral internal report with no contractual consequence.
A complete website rating typically covers four categories: technical performance (load speed, uptime, mobile responsiveness, SSL), content and usability (navigation, readability, accessibility, CTA effectiveness), legal and regulatory compliance (GDPR cookie consent, privacy policy, WCAG accessibility level, required disclosures), and SEO fundamentals (meta tags, structured data, crawlability). The relative weight of each category should be agreed with the client before evaluation begins.
Each criterion is assigned a weight reflecting its relative importance, expressed as a percentage of the total score. The evaluator scores each criterion on an agreed scale (typically 1β5 or 0β100), multiplies each score by its weight, and sums the results to produce a composite score. The composite score is then mapped to a rating category β such as Excellent, Satisfactory, Needs Improvement, or Non-Compliant β as defined in the rating schedule. Showing this calculation in full is important for auditability.
Yes, in many contexts a signed website rating can serve as contemporaneous documentary evidence β for example, to show that a web developer delivered a non-compliant site, that a vendor's website failed to meet contracted performance standards, or that a company was aware of an accessibility deficiency at a specific date. The document's value as evidence depends on how clearly scope, methodology, findings, and signatures are documented. Consider engaging a lawyer when the rating is intended for litigation or regulatory proceedings.
A website audit is a broad investigative process β it identifies issues, analyses root causes, and may be informal or internal. A website rating is a formal scored evaluation that produces a documented, defensible assessment with a composite score, signed acceptance, and remediation recommendations. Audits inform ratings: you conduct the audit work, then formalise the findings in a rating document when the output needs to be legally or contractually significant.
The rating document itself is not regulated, but the compliance criteria it assesses are governed by law. WCAG accessibility requirements are mandated for public sector websites in the US (Section 508), UK, and EU, and are increasingly required for private sector sites under disability discrimination law. GDPR and ePrivacy rules apply to cookie consent and data handling assessments for any site accessible to EU users. Evaluators should clearly reference the applicable legal standard for each compliance criterion and note the jurisdiction in the governing law clause.
For websites with active legal compliance obligations β such as healthcare, financial services, or e-commerce sites handling personal data β an annual formal rating is a reasonable baseline, with an additional review any time the site undergoes a material redesign or change in data collection practices. For websites subject to ongoing service-level agreements, a quarterly or semi-annual rating aligned to contract milestones is common. A rating more than 12 months old should not be relied upon as evidence of current compliance.
A website maintenance agreement governs the ongoing obligations to keep a site updated, secure, and operational over time β it is a service contract. A website rating is a point-in-time evaluation document that scores the site's current condition. The rating often identifies what the maintenance agreement must address; the two documents are complementary rather than interchangeable.
A vendor evaluation form scores a supplier's overall business capabilities β financial stability, service quality, reliability, and pricing. A website rating focuses exclusively on the technical, content, and compliance attributes of a website. Use a vendor evaluation form to choose between web development agencies; use a website rating to assess the deliverable those agencies produce.
A service agreement defines the scope, payment, and obligations for services to be performed β it is forward-looking and governs the working relationship. A website rating is a backward-looking assessment document that records what was found at a point in time. A service agreement may require a website rating as a defined deliverable, but the two serve entirely different legal functions.
A website development agreement is the contract that governs the build of a website β timelines, payment, IP ownership, and acceptance criteria. A website rating is the document used to formally score whether the delivered site meets those acceptance criteria. The development agreement sets the standard; the website rating records whether the standard was met.
Agencies use website ratings as a formal deliverable within web audit, redesign, or ongoing retainer engagements, providing clients with a signed document that supports invoicing milestones and scope-of-work completion.
Regulated financial websites must meet FCA, SEC, or equivalent disclosure requirements β a formal rating documents compliance status and provides evidence for regulatory examinations or internal audit trails.
Healthcare websites handling patient data must meet HIPAA security standards and WCAG accessibility requirements; a signed rating documents the compliance baseline and identifies remediation obligations before regulatory review.
E-commerce sites require cookie consent, GDPR-compliant checkout data handling, and performance benchmarks that directly affect conversion β a periodic formal rating captures each of these and links deficiencies to revenue impact.
Section 508 of the Rehabilitation Act requires federal agency websites to meet WCAG 2.1 AA accessibility standards. The ADA has been applied to private sector websites in numerous federal court decisions, creating de facto accessibility obligations for businesses serving the public. State privacy laws β including the CCPA in California β impose specific cookie consent and privacy policy disclosure requirements that a rating covering US-facing sites should assess.
PIPEDA (and provincial equivalents in Quebec, Alberta, and BC) governs personal data collection on Canadian websites, including consent requirements and privacy policy obligations. Quebec's Law 25 (Bill 64) introduced stricter consent, data localization, and breach notification requirements effective 2023. Federally regulated websites must meet the Standard on Web Accessibility. Website ratings for Quebec-based clients should verify that both English and French language requirements are met under the Charter of the French Language.
The UK GDPR and the Privacy and Electronic Communications Regulations (PECR) govern cookie consent and data handling on UK-facing websites post-Brexit. Public sector websites must comply with the Public Sector Bodies Accessibility Regulations 2018, requiring WCAG 2.1 AA compliance and a published accessibility statement. The ICO has issued enforcement notices and fines for non-compliant cookie banners, making cookie consent a high-priority compliance criterion for UK website ratings.
GDPR applies to any website that processes personal data of EU residents, regardless of where the website operator is located β fines reach up to 4% of global annual turnover. The ePrivacy Directive requires informed, freely given cookie consent before non-essential cookies are set. The European Accessibility Act (EAA) extends mandatory WCAG compliance to private sector websites and apps from June 2025. Member state implementations vary, particularly for advertising technology and cross-border data transfers under Standard Contractual Clauses.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Agencies and consultants delivering standard website audits to SMB clients with no regulatory compliance dimension | Free | 30β60 minutes to complete per evaluation |
| Template + legal review | Evaluations that include GDPR, WCAG, or sector-specific compliance findings that could expose the evaluator to third-party liability | $300β$700 | 2β5 days |
| Custom drafted | Regulated industries, evaluations commissioned as evidence for litigation or regulatory proceedings, or enterprise-level contracts requiring bespoke indemnity and liability terms | $1,500β$4,000+ | 1β3 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Free Forever PlanΒ Β·Β No credit card required
