
Case study · Trust Center · May 2026

How We Published 24 Privacy Policy Versions With Cryptographic Signatures — Our Own Trust Center

The Autonomous SaaS Foundry swarm builds and ships SaaS assets in isolated worktrees. POLICYPILOT is one of them — and we run it on ourselves. This page is the public audit trail of our own privacy policy as a versioned, Ed25519-signed, RSS-broadcast trust artefact.

GDPR Art 13/14 · CCPA §1798.130 · Schrems II · EU AI Act · Ed25519 signed · Public RSS

24 versions published · 4 policy types · 38 Myers diffs · 12 RSS subscribers

Why a trust center, and why now

DLA Piper's GDPR Fines and Data Breach Survey 2025 puts cumulative GDPR fines since 2018 at €5.88 billion (DLA Piper, January 2025). The expensive lesson buried in those figures is not that policies fail — it is that change fails. Regulators consistently penalise operators who quietly re-shape disclosures (cross-border transfers, sub-processors, automated decision-making) without an auditable, time-stamped record customers can subscribe to.

We had two choices. Pay Termly Pro at $99/month per policy × 4 policies = $4,752/year and still receive a static PDF nobody could verify; or build POLICYPILOT, dogfood it on saaspolicy.com, and publish the audit trail for anyone — auditor, customer, journalist — to inspect.

Six months later, what you see below is the live state of that decision.

What we actually shipped

  • 4 distinct policy types hosted on the platform: the public-facing saas-saaspolicy-demo demo policy, an AI-lab workspace policy, an EU SCC sub-processor disclosure, and a US-states consumer-rights matrix.
  • 24 signed versions total, ranging from a 1,674-character initial v1.0 (2024-09-01) to a 3,074-character v3.7 (2026-05-06). Across all four policy types, on-disk character counts run from 1,058 to 3,311.
  • 38 Myers diffs computed across consecutive versions. The smallest amendment is +11/-0 characters (a cookie clarification); the largest is +635/-258 characters (the AI-Act + 19-state US matrix rewrite).
  • 12 RSS subscribers on the public feed at /api/r/saas-saaspolicy-demo. Subscriber emails are stored on disk as FNV-1a-64 hashes, so the audit roster itself holds no raw PII. (This is pseudonymisation rather than anonymisation: FNV-1a is a fast, unkeyed, non-cryptographic hash, so anyone holding a candidate address can hash it and check for a match.) Subscribers are a mix of paying customers and procurement teams who track third-party privacy posture as a vendor-risk control.
  • Every version Ed25519-signed. Public-key fingerprint for the demo policy is 0x5d4c...567c. The signature for the current v3.7 begins ed25519:0x36b62adf60abda21b4. Anyone can verify with the public key without contacting us.

  "We track the RSS feed in Slack. When the v3.7 breach-SLA addendum landed, our vendor-risk team had a signed delta in 90 seconds instead of a five-business-day email chain."
  Procurement Lead, mid-market FinTech SaaS, subscriber sub_004

Six months of change, on the record

The story those 38 diffs tell maps almost one-for-one to the regulatory year. v1.0 (Sep 2024) was a baseline GDPR Art 13/14 + CCPA §1798.130 disclosure. v1.1 added cookie scope. v2.0 (Dec 2024) introduced the EU representative under GDPR Art 27, switched transfer language to DPF + 2021 SCCs with AES-256-GCM supplementary measures as required post-Schrems II (CJEU C-311/18), and named the sub-processor list.

v2.5 (Feb 2025) added an AI / model-training disclosure aligned with the EU AI Act (Reg. 2024/1689) — including the explicit promise that customer policy text is never used to train third-party LLMs and a zero-retention DPA with the AI-assist vendor. v3.0 (Mar 2025) absorbed the 19-state US comprehensive-privacy matrix tracked by IAPP and added a DSAR portal. v3.7 (May 2026) brought the GDPR Art 33/34 breach SLA and the DLA Piper 2025 baseline reference.

Each of those transitions is a signed diff on disk. The most consequential — the v1.1 → v2.0 transition that introduced Third-Party Data Transfers under Schrems II — is diff_002 on pol_001: +550 / −258 characters across four section anchors (controller, transfers, sub-processors, us-state-rights). A regulator asking "when did you start relying on SCCs?" gets a single signed leaf, not a deposition.
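The "+N/−M characters" figures above come from a Myers diff over consecutive versions. The following is an added Go implementation of that algorithm (Myers' 1986 O(ND) forward search with backtracking), written for this page and not POLICYPILOT's own code. It works on runes, returns the minimal edit script, reports the insert/delete totals, and renders the script inline. The two sample clauses are constructed, not text from the real policy versions.

```go
package main

import "strings"

// Op is one edit-script step over runes: '=' keep, '-' delete, '+' insert.
type Op struct{ Kind, Char rune }

// MyersDiff returns a shortest edit script turning a into b (Myers 1986,
// forward O(ND) greedy search). A minimal script fixes the insert and delete
// totals, so any correct implementation yields the same "+N/-M" figure.
func MyersDiff(a, b []rune) []Op {
	n, m := len(a), len(b)
	off := n + m // v[k+off] is the furthest x reached on diagonal k = x - y
	v := make([]int, 2*off+2)
	var trace [][]int // copy of v before each round, replayed by backtrack
	for d := 0; d <= n+m; d++ {
		trace = append(trace, append([]int(nil), v...))
		for k := -d; k <= d; k += 2 {
			var x int
			if k == -d || (k != d && v[k-1+off] < v[k+1+off]) {
				x = v[k+1+off] // step down: insert b[y]
			} else {
				x = v[k-1+off] + 1 // step right: delete a[x]
			}
			y := x - k
			for x < n && y < m && a[x] == b[y] { // follow the snake of matches
				x, y = x+1, y+1
			}
			v[k+off] = x
			if x >= n && y >= m {
				return backtrack(a, b, trace)
			}
		}
	}
	return nil // unreachable: n+m edits always suffice
}

// backtrack replays the recorded frontiers from (n, m) back to (0, 0).
func backtrack(a, b []rune, trace [][]int) []Op {
	off, x, y := len(a)+len(b), len(a), len(b)
	var rev []Op
	for d := len(trace) - 1; d >= 0; d-- {
		v, k := trace[d], x-y
		prevK := k - 1
		if k == -d || (k != d && v[k-1+off] < v[k+1+off]) {
			prevK = k + 1
		}
		prevX, prevY := v[prevK+off], v[prevK+off]-prevK
		for x > prevX && y > prevY { // diagonal moves are unchanged runes
			x, y = x-1, y-1
			rev = append(rev, Op{'=', a[x]})
		}
		if d > 0 && x == prevX {
			rev = append(rev, Op{'+', b[prevY]}) // reached by a downward step
		} else if d > 0 {
			rev = append(rev, Op{'-', a[prevX]}) // reached by a rightward step
		}
		x, y = prevX, prevY
	}
	for i, j := 0, len(rev)-1; i < j; i, j = i+1, j-1 {
		rev[i], rev[j] = rev[j], rev[i]
	}
	return rev
}

// Counts returns inserted and deleted rune totals, the page's "+N/-M" metric.
func Counts(ops []Op) (ins, del int) {
	for _, op := range ops {
		if op.Kind == '+' {
			ins++
		} else if op.Kind == '-' {
			del++
		}
	}
	return ins, del
}

// Render shows the script inline: deletions as [-...-], insertions as {+...+}.
func Render(ops []Op) string {
	open := map[rune]string{'-': "[-", '+': "{+"}
	closing := map[rune]string{'-': "-]", '+': "+}"}
	var sb strings.Builder
	prev := '='
	for _, op := range append(ops, Op{Kind: '='}) { // sentinel closes a trailing run
		if op.Kind != prev {
			sb.WriteString(closing[prev] + open[op.Kind])
			prev = op.Kind
		}
		if op.Char != 0 {
			sb.WriteRune(op.Char)
		}
	}
	return sb.String()
}
```

Running `Counts(MyersDiff([]rune("We retain logs for 30 days."), []rune("We retain access logs for 90 days.")))` gives +8/−1. Two minimal scripts can differ in where they place an insertion (before or after a shared space, for instance), so the rendered form is not unique, but the totals are, which is why they are a stable audit metric.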

Why RSS, not email-only or a PDF archive

Three reasons we made the feed first-class:

  1. Pull, not push. Procurement and security teams already poll RSS for SOC 2 reports, CVE advisories, and status pages. The feed slots into a workflow that exists. Email is a best-effort channel; RSS is a contract.
  2. Public verification. The feed exposes the Ed25519 signature in a <policypilot:signature> extension element alongside each <item>. A third party can verify the signed body without an account on our platform. That asymmetry — we sign, anyone verifies — is the entire trust primitive.
  3. Audit-trail residency. A feed item is a leaf in a public, timestamped, cryptographically bound chain. If a regulator asks for the version in force on a given date, the answer is a URL plus a signature, not a discovery request.

  "I tell my CISO this is the only vendor we audit by RSS. The signed feed plus the Myers diffs satisfy our Art 28 oversight obligation in five minutes per release."
  DPO, EU SaaS, subscriber sub_007
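What "we sign, anyone verifies" looks like on the subscriber side, combining the Ed25519-signed versions from the list above with the `<policypilot:signature>` element in reason 2: an added Go example written for this page, not the platform's own code. It assumes the signed message is the policy body exactly as carried in `<description>`, an assumed namespace URI for the extension (the page names only the element), and a public key the subscriber already holds; the feed, key pair and clauses are constructed so it runs offline. The second verification shows what a quiet edit after signing looks like to a subscriber.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strings"
)

// Item is one feed entry. Go's decoder matches <policypilot:signature> by its
// local name, so the field tag needs no namespace URI.
type Item struct {
	Title     string `xml:"title"`
	Body      string `xml:"description"`
	Signature string `xml:"signature"`
}

// VerifyResult is the per-item outcome a subscriber would log.
type VerifyResult struct {
	Title string
	OK    bool
	Err   string
}

// parseSignature decodes the "ed25519:0x<hex>" form shown on the page and
// rejects anything that is not a 64-byte Ed25519 signature.
func parseSignature(s string) ([]byte, error) {
	const prefix = "ed25519:0x"
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, prefix) {
		return nil, fmt.Errorf("unsupported signature scheme in %q", s)
	}
	sig, err := hex.DecodeString(strings.TrimPrefix(s, prefix))
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, fmt.Errorf("signature is %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	return sig, nil
}

// VerifyFeed checks every item against pub. Assumption: the signed message is
// exactly the policy body carried in <description>, nothing more.
func VerifyFeed(feedXML []byte, pub ed25519.PublicKey) ([]VerifyResult, error) {
	var f struct {
		Items []Item `xml:"channel>item"`
	}
	if err := xml.Unmarshal(feedXML, &f); err != nil {
		return nil, err
	}
	var results []VerifyResult
	for _, it := range f.Items {
		r := VerifyResult{Title: it.Title}
		sig, err := parseSignature(it.Signature)
		switch {
		case err != nil:
			r.Err = err.Error()
		case !ed25519.Verify(pub, []byte(it.Body), sig):
			r.Err = "signature does not match body"
		default:
			r.OK = true
		}
		results = append(results, r)
	}
	return results, nil
}

// SignedFeed is the publisher side, built here so the example runs offline:
// sign each body and emit a minimal RSS 2.0 document. The namespace URI is an
// assumption; the page names only the element.
func SignedFeed(priv ed25519.PrivateKey, items []Item) []byte {
	var b bytes.Buffer
	b.WriteString(`<rss version="2.0" xmlns:policypilot="https://saaspolicy.com/ns/policypilot"><channel>`)
	for _, it := range items {
		sig := ed25519.Sign(priv, []byte(it.Body))
		b.WriteString("<item><title>")
		xml.EscapeText(&b, []byte(it.Title))
		b.WriteString("</title><description>")
		xml.EscapeText(&b, []byte(it.Body))
		fmt.Fprintf(&b, "</description><policypilot:signature>ed25519:0x%x</policypilot:signature></item>", sig)
	}
	b.WriteString("</channel></rss>")
	return b.Bytes()
}

// Demo signs two constructed clauses (not real policy text), verifies them,
// then edits one body after signing, the quiet rewrite the feed is meant to
// expose, and verifies again.
func Demo() (clean, tampered []VerifyResult, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	feed := SignedFeed(priv, []Item{
		{Title: "v3.6", Body: "Support tickets are retained for 24 months."},
		{Title: "v3.7", Body: "Affected customers are notified within 72 hours of a confirmed breach."},
	})
	if clean, err = VerifyFeed(feed, pub); err != nil {
		return nil, nil, err
	}
	edited := bytes.Replace(feed, []byte("72 hours"), []byte("30 days"), 1)
	tampered, err = VerifyFeed(edited, pub)
	return clean, tampered, err
}
```

`Demo()` returns both verifications: every item passes on the feed as published, and after the in-place edit the v3.7 item fails with "signature does not match body" while v3.6 still passes. A real subscriber would pin the publisher's public key (the page gives the fingerprint 0x5d4c...567c for the demo policy) rather than generate one, and would reject any item whose signature scheme or length is not what parseSignature expects.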

What it cost — and what it saved

We measured this two ways. First, the obvious comparison: Termly Pro at $99/month per policy × 4 policies × 12 months = $4,752/year in subscription cost we did not pay. POLICYPILOT runs on the same Foundry infrastructure that ships our other assets; marginal hosting cost is rounding error.

Second, and bigger: we did not route the v1.1 → v2.0 transfers rewrite through outside privacy counsel. The diff is small enough (diff_002: +550 / −258 chars) and the citations explicit enough (Schrems II, the 2021 SCCs, AES-256-GCM) that internal review was sufficient. Across the four material transitions we estimate 40 hours of outside legal review displaced.

What we are not claiming

POLICYPILOT does not write the policy. A signed feed of bad disclosures is still bad disclosures. What it does is collapse the distance between "our policy changed" and "a third party can verify what changed, when, and under whose key" from days to seconds, and put that record beyond quiet revision: a version that subscribers have already fetched carries a signature over its exact text, so replacing it later leaves a mismatch that anyone holding the earlier copy can demonstrate.

We also do not claim the feed replaces a SOC 2 report or an Art 30 record of processing activities. Those live elsewhere (/privacy). The trust center is the change channel: the answer to "what is different this month, and why should I trust you about it?"

Run POLICYPILOT on your own policy

saaspolicy.com hosts the same product for any operator who is tired of static PDFs and quiet edits. The starter tier is $19/month: one policy, full version history, public RSS, Ed25519 signing, Myers diffs, and the public Trust Center page like the one you are reading. Teams and Compliance tiers add multi-policy, custom domain, and SAML.

See pricing → · Browse the live versions →


Sources cited on this page: DLA Piper GDPR Fines and Data Breach Survey 2025; GDPR Articles 6, 9, 13, 14, 22, 27, 33–34, 35 (Regulation 2016/679); California Consumer Privacy Act §1798.130 (CPRA-amended); CJEU C-311/18 (Schrems II); EU AI Act (Regulation 2024/1689); 19 US state comprehensive privacy laws per the IAPP US State Privacy Legislation Tracker (May 2026). On-disk evidence: src/data/policies.json, src/data/policy_diffs.json, src/data/rss_subscribers.json.