← Back to home

Changelog

What's new in PrivacyAutomated.ai. Most recent first.

June 7, 2026

The Seal becomes the product’s headline: public verifier portal, DPIA sealing, Trust Center self-verification

  • New Public seal verifier portal at app.privacyautomated.ai/verify. A regulator, auditor, or opposing counsel who receives a sealed evidence packet from a customer drops the signed JSON into this page and gets a plain-language verdict — “This record is authentic. Sealed on <date> for <controller>. The audit-event chain is intact since sealing.” — plus three drill-downs ordered by setup cost (read the verdict; check our side offline with openssl pkeyutl; verify against Bitcoin without trusting us via OpenTimestamps). No account, no API key, no contact with PrivacyAutomated required. Same Ed25519 substrate already documented under Trust Architecture Invariant 3; this commit just makes it a non-technical-regulator-friendly surface.
  • New Seal generalized past DSARs — DPIAs are now sealable. Approve any DPIA in the app and a Seal card appears on the detail page with the same one-click signed JSON + printable PDF the DSAR seal produces. The DPIA packet carries the screening, the risk register, the recommendation, the residual-risk field, the human review record (reviewed_by + reviewed_at), and a verbatim content snapshot so a regulator can re-verify the bytes the DPIA actually said at approval time. Same Ed25519 transparency key, same canonicalization, same /verify portal verifies both packet kinds without any code change on the regulator’s side.
  • New Self-routing seals. Every printable evidence-packet PDF (DSAR + DPIA) now carries a prominent emerald-bordered callout on its first page naming the verifier URL, the signing-key fingerprint, and the “no account required” framing. A regulator who only has the PDF in hand knows where to send the JSON without a separate email from you explaining the workflow.
  • New Inline verifier on every per-workspace Trust Center. The Trust Center page at /trust/<workspace-id> now hosts the same verifier widget mounted inline (anchor: #verify). When you share a sample sealed packet with a prospect’s procurement team, they paste it into the Trust Center page they were already on and get a workspace-contextual verdict (“authentic for <workspace name>”). The 12-week security questionnaire compresses into a minute of paste-and-verify; the verifier never auto-publishes a real customer record, so requester emails and verification details stay non-public unless the customer explicitly shares them.
  • New Cross-jurisdictional conflict detection now reads the customer’s own retention policies and legal-hold procedures. When the AI surfaces a tension on a DSAR — e.g., a deletion request meeting a litigation-hold marker — it now cites from two closed menus: the externally-reviewed statutory corpus (Invariant 13) and a per-invocation scan of the workspace’s uploaded retention policies, litigation-hold procedures, and any document mentioning IRS §6001 / SOX §802 / HIPAA retention / FRCP 26 / 37. Citations bind to specific (document_id, chunk_id) pairs; a fabricated customer-policy reference is rejected by the validator the same way a hallucinated statute reference is. New conflict_detection_v3 prompt; v2 stays in the public registry at /api/prompts for historical replay (Invariant 10).
  • Improvement Trust Architecture page bumped to thirteen invariants. Invariants 12 (no AI-authored regulatory record without an authenticated human signing it off — enforced by a database CHECK constraint, not application code) and 13 (the conflict-detection model can only cite from a curated externally-reviewed corpus, gated per-jurisdiction on a signed UPL review) are now on the page. Both were held back from the trust posture until a real customer had exercised the full chain end-to-end — an LLM-drafted conflict flag, promoted to a signed determination by an authenticated user, recorded in the audit chain — rather than being shipped as substrate-but-not-yet-property.
  • Improvement Jurisdiction picker in Settings. The free-text “Operating in” and “Customers in” fields are now a typeahead picker. Each suggestion shows the code, the human-readable name (US-CA — California; CA — Canada), and a green “Reviewed” badge when the jurisdiction has a signed UPL review on file so the conflict-detection feature will work for it. Closes the “I typed CA expecting California, the gate refused because CA is Canada in ISO 3166-1” class of bug. Reviewed list is fetched live from /api/upl/reviews so adding a jurisdiction to the manifest auto-surfaces in the picker without a code change.
  • Improvement Verifier URL surfaced inside the app. A signed-in customer about to email a sealed packet to a regulator now sees the app.privacyautomated.ai/verify URL with a copy-to-clipboard button (a) on every signed-evidence-packet card (DSAR + DPIA), right next to the download buttons, and (b) in Settings → Workspace alongside the existing Trust Center URL. The seal was always self-routing once printed; this fix makes it self-routing before printing too.
June 6, 2026

SLSA Build Level 3 supply-chain attestation for every production deploy

  • Security Production container images are now built by GitHub Actions inside a hosted, isolated Ubuntu runner — never on the operator’s laptop. Each build is attested at SLSA Build Level 3 via actions/attest-build-provenance, signed by GitHub’s OIDC identity through Sigstore Fulcio, and recorded in the public Sigstore Rekor transparency log. Our deploy script pulls images by their immutable :sha-<git-sha> tag rather than building locally, so the binary in production maps 1:1 to a Sigstore-verifiable attestation.
  • New Every prod deploy now publishes a self-contained build record to the public audit-transparency-log — naming the deployed git SHA, the GitHub Actions workflow run, and the SHA-256 digests of the api / worker / web images that went live. Same Git-witnessed transparency surface as the daily Merkle roots of the audit chain. Two streams of cryptographically- and source-control-witnessed evidence about what’s running in production.
  • Improvement Web container image no longer bakes CLERK_SECRET_KEY at build time. The secret is now injected at runtime by the orchestrator only; the build-time placeholder is a clearly named dummy that’s never used in production. Prerequisite for safely pushing images to a registry (even a private one).
  • Improvement Trust Architecture page Invariant 3 (daily Merkle-root publication) extended with the SLSA L3 supply-chain story; Security page Deployment card rewritten; SOC 2 readiness CC8 (Change management) updated to record the L3 attestation chain.
June 4, 2026

Hetzner Cloud migration, audit-chain hardening, more-complete Article 17 erasure

  • Improvement Production migrated from Spaceship VPS to Hetzner Cloud (SOC 2 Type 2 + ISO/IEC 27001) in the Falkenstein, Germany region. The application host and database both run inside Hetzner’s private network; the database port is unreachable from the public internet. EU-residency is now the default for customer data at rest. The sub-processor list and SOC 2 readiness statement have been updated accordingly.
  • Security Audit hash-chain hardened to eliminate a latent broken-link window under concurrent or multi-write transactions. audit_events.created_at now defaults to per-statement clock_timestamp() instead of transaction_timestamp(), and the writer’s “find previous row” SELECT now matches the verifier’s ordering exactly. Daily Merkle-root publication and weekly restore-verify drills continue to run on top of the strengthened invariant.
  • Fix Workspace right-to-erasure now explicitly purges security questionnaires (and their items), policy-update suggestions, and LLM call captures alongside the existing tables. Functionally most were already removed by foreign-key cascade; the explicit enumeration closes a defence-in-depth gap and lines up with the table list now shown on the security page.
  • Improvement Postmark broad-sending approval landed (May 26), so outbound transactional email volume no longer caps at a sandbox ceiling.
  • Improvement Sub-processor list now names Slack as an optional, customer-controlled sub-processor — engaged only when a workspace installs the Slack integration for DSAR receipts and Q&A routing.
  • Legal DPA § 5.1 and the Privacy Notice § 4 (Service Providers) and § 5 (International Data Transfers) updated to reflect that the primary application and database infrastructure is now hosted in the EU (Germany), with off-site backup in the US (Backblaze B2). SCC reliance language is unchanged but is now correctly scoped to onward transfers from the EU host to U.S.-based service providers.
  • Improvement Error monitoring (Sentry) migrated from the US region to Sentry’s EU region (Frankfurt). API and Next.js bundles now route every captured event to the EU project; PII scrubbing rules are unchanged. Customer-facing impact: error telemetry stays in the EU end-to-end, removing one onward transfer from the SCC analysis.
June 3, 2026

DPA update — language-model call captures named and bounded

  • Legal The Data Processing Addendum now explicitly names language-model call capture as a processing activity, sets a default ninety (90) day retention TTL for capture records (configurable per workspace, minimum seven (7) days while replay is enabled), and points at the workspace-admin endpoints customers use to (a) search captures by Data Subject identifier in response to an Article 17 erasure request and (b) delete individual capture records. Annex 2 of the DPA describes the technical measures (row-level security, daily TTL prune, cascade-delete on workspace deletion). No change to product behaviour; the DPA now matches what has been live.
May 28, 2026

Friendlier emails & plan-gate UX

  • Improvement Asker-facing answers from the privacy inbox now use plain-language framing, render Markdown formatting (bold, bullets), include a "Reviewed by the privacy team" pill for human-approved answers, and sign off with your workspace name.
  • Improvement Manager escalation emails show confidence as "Low · 34%" instead of a raw 0.34 float, include the asker in the subject line, and render the AI draft answer with proper Markdown.
  • Fix Free-plan workspaces no longer see raw 402 JSON error blobs on plan-gated pages. The DSAR list, the Assessments list, the DSAR routing card, and the auto-approve toggle now show a calm "Upgrade required" prompt with a link to plan settings.
  • Improvement The DPIA risk register now leads with a colored numbered chip per row, matching the heat-map above. Reading the heat-map and finding the row is instant.
May 28, 2026

Claude Opus 4.8

  • Improvement Inference upgraded to Claude Opus 4.8; verification (judge) model upgraded to Opus 4.7. Maintains the n-1 version gap that makes the judge pass meaningful while moving to the newest available model.
May 26 – 28, 2026

UI sprint — 20 polish items shipped

  • New Home dashboard with at-a-glance KPIs, DSAR + escalation tiles, and an onboarding checklist for new workspaces.
  • New Command palette (Cmd / Ctrl-K) for keyboard-first navigation to any page.
  • New Persistent DSAR deadline banner: any open DSAR within seven days or overdue follows you across every page.
  • New Risk register heat-map on DPIA detail — 3×3 likelihood × severity grid with chips that link to the corresponding risk in the table.
  • New Inline editing on RoPA, Vendor, and Assessment records — click-to-edit text fields throughout.
  • New Activity-bell with unread count, polled every 60s.
  • New Dark mode — tri-state (System / Light / Dark) toggle in the nav.
  • New Toast notifications for async actions (uploads, approvals, edits).
  • Improvement Sticky in-page section nav on long DPIAs and the Settings page.
  • Improvement Loading skeletons across list and detail pages.
  • Improvement Mobile responsive pass — sidebar becomes a slide-out drawer below md breakpoint; tables h-scroll.
  • Improvement Accessibility audit — skip-to-content link, dialog roles + aria-modal on modals, global keyboard focus rings.
  • Improvement Q&A confidence pill expansion — tooltip shows the composite confidence formula (retrieval × LLM self-confidence × citation validity).
  • Improvement Inbox card sticky action bar — Approve / Reject / Edit stay one click away even on long drafts.
  • Improvement DSAR detail lifecycle stepper — Received → Verified → Tasks fanned → Responses → Closed.
May 25, 2026

Q&A — general regulatory guidance

  • New "Baseline practice" privacy questions (e.g. "do I have to encrypt data at rest") now answer directly with general regulatory guidance and a "verify with counsel" caveat, instead of escalating every regulatory question.
  • Improvement When the AI does escalate, the drafted answer now includes useful regulatory research keyed to the workspace's saved jurisdictions, instead of a placeholder.
  • New Workspace-level jurisdictions setting — pick the regulators you operate under and the AI keys its answers and DPIA generation to them.
May 24, 2026

AI safety — multi-label intent classifier

  • Security Inbound questions now route through a multi-label hard-block intent classifier with seven categories (including prompt-injection and conflicting-intent). Suspicious inputs quarantine to inbox for human review.
  • Security Independent judge model verifies every Q&A answer before it leaves the system; low-confidence answers escalate.
  • Fix PIA generator no longer hallucinates vendor-specific mitigations when the intake report indicated no vendors were involved.
May 22, 2026

Operational readiness

  • New Off-site encrypted backups to Backblaze B2 (US-East). Daily automated, 35-day retention, AES-256 client-side encryption.
  • New Dead-man's-switch monitoring on the backup pipeline. Backup misses alert the on-call address within an hour.
  • New Documented backup restore drill — performed and verified prior to GA.
May 20, 2026

Billing & plans

  • New Stripe Managed Payments — subscription billing, checkout, customer portal, webhook handler with idempotency.
  • New Plan-gated features (DPIA, DSAR, vendor research, audit export, auto-approve) with per-plan AI-ops and dollar-spend caps.
  • New 14-day trial on paid plans with a 3-days-out warning email; trial expiry drops the workspace to Free without losing data.

Want to be notified of major updates? Email info@privacyautomated.ai with the subject "Changelog notifications".