
Changelog

What we shipped.

Every meaningful change to the platform, in plain English. No cadence — entries land as work ships.

Public changelog for the Audulate platform. Each entry summarizes what shipped, with links to the underlying build-order phases where applicable. We don't commit to a cadence — entries are added as work ships, not on a schedule. Internal infrastructure changes that don't affect users may not appear here.


2026-05-12 · Landing page repositioning (Phases L1, L5, L7, L8, L10, L4, L6, L9)

  • L1 — Hero rewrite. New headline "GDPR risk, caught in the PR — not in the audit." Compliance CI/CD positioning leads. Animated gradient and pulsing early-access badge removed. Primary CTA changed to "Scan your site free"; secondary CTA "See a sample report" added.
  • L5 — Marketing-cliché cleanup. All 10 emoji feature/use-case icons replaced with lucide-react components. Banned words removed across the site: "everything you need," "in one place," "the way engineers want it," "Never miss." Regulation source list corrected: HHS, not NIST (matches what regulation-fetcher.ts actually fetches).
  • L7 — Features rewritten outcome-first. Each card now opens with the user-visible outcome before the mechanism. "Block PII leaks" softened to "Catch PII leaks" (we comment; the user blocks via branch protection).
  • L8 — Honest stat bar. Removed marketing-trivia stats. New row: 70+ GDPR + PECR rules · UK GDPR + PECR · AI verifies HIGH/CRITICAL · EU-hosted end to end. Each item verifiable from code.
  • L10 — Alternative-cost anchoring. New section before pricing: external DPO consultant (~£3k/mo), quarterly audit prep (60–100 engineer-hours), ICO enforcement risk (£4k–£4.4M). Each anchor names what Audulate actually does, never claims "prevents" fines.
  • L4 — Pricing moved up. Section order rewritten so pricing is reachable within 3 scrolls. "Recommended" badge removed from Growth. "Per workspace, not per seat" pill added under every tier price.
  • L6 — Architecture diagram + honest /security page. Four-node pipeline (Frontend → API → Worker → PostgreSQL) with verifiable labels. Removed unverified SOC 2 / pen test claims. New "What we don't do (yet)" section lists 5 honest gaps.
  • L9 — Changelog launched. This page.
  • L3 — Sample report page. /sample-report now anchors on a real scan of quebooking.com (a site we own) — score 84/100, 7 pages crawled, 7 findings (1 H / 2 M / 4 L), 6.5-second scan, 1 AI-verified downgrade. Telemetry sourced live from our production DB.
  • L2 — PR workflow section. New section above the Problem block shows what an Audulate GitHub PR comment looks like in real life — with a clear stand-in until a screenshot lands at public/screenshots/pr-comment.png.
  • L11 — REST API + reference docs (reverted). Initially shipped a Built for engineers section with curl snippets and a /docs/api reference page. Reverted the same day: the actual API in apps/api/ uses Supabase session cookies, not Bearer tokens — advertising a public API surface that doesn't yet exist would have been misleading. Section and /docs/api route removed; will be re-shipped once a real public API ships.

2026-05-11 · AI quality phases (Phases 73–78)

Six AI quality improvements shipped together. None increase scoring authority — rules remain the source of truth for compliance scores. AI is additive.

  • Phase 73 — Verify-finding. AI second-opinion on every HIGH/CRITICAL finding. Downgrades likely false positives to LOW with confidence ≥ 0.8 and attaches verification provenance to the finding evidence.
  • Phase 74 — Auto-summary. Every completed scan triggers a 3-sentence plain-English summary of the top risks. Plan-gated on aiSummaries.
  • Phase 75 — Cookie auto-classification. AI classifies detected cookies by category, provider, and purpose. Results cached in Redis globally and auto-populated into the tenant Cookie inventory. Tenant-confirmed cookies are never overwritten.
  • Phase 76 — Tenant-specific Explain Risk & Remediation Steps. Prompts now include the tenant name, the scanned site URL, the relevant privacy policy excerpt, and the framework's regulatory context. Framework-agnostic — works for GDPR, UK GDPR, CCPA, etc.
  • Phase 77 — AI sibling rules for high-variance domains. When a deterministic rule fails on a topic with high natural-language variance (retention period, breach notification, DPO contact, withdrawal mechanism, DSR rights), AI re-reads the policy and emits an INFO sibling finding if the topic IS actually covered by different phrasing.
  • Phase 78 — Industry-aware severity. Tenants are classified by industry on first scan (one-time AI call). Industry-specific severity overrides apply for relevant rules — e.g., breach notification is CRITICAL for healthtech/fintech, security headers are CRITICAL for ecommerce.
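The "AI is additive" invariant behind Phases 73 and 78, as an added illustration that is not Audulate's own code: deterministic rules and industry overrides set severity, and the AI second opinion can only downgrade a HIGH/CRITICAL finding to LOW when its confidence is at least 0.8, leaving provenance in the evidence. Rule ids, industry names and field names are hypothetical.

```typescript
// Added example, not the platform's code. Demonstrates a severity pipeline in
// which rules stay authoritative and AI verification can only lower severity.
type Severity = "INFO" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

interface Finding {
  ruleId: string;                    // hypothetical rule identifier
  severity: Severity;
  evidence: Record<string, unknown>; // provenance is appended here
}

interface AiVerdict {
  likelyFalsePositive: boolean;
  confidence: number; // 0..1, as reported by the verifier model
  model: string;
}

// Industry-specific overrides (constructed sample mirroring the Phase 78 text).
const INDUSTRY_OVERRIDES: Record<string, Partial<Record<string, Severity>>> = {
  healthtech: { "breach-notification": "CRITICAL" },
  fintech: { "breach-notification": "CRITICAL" },
  ecommerce: { "security-headers": "CRITICAL" },
};

// Step 1: deterministic override by industry; unknown industries change nothing.
function applyIndustrySeverity(finding: Finding, industry: string): Finding {
  const override = INDUSTRY_OVERRIDES[industry]?.[finding.ruleId];
  return override ? { ...finding, severity: override } : finding;
}

// Step 2: AI second opinion. Never raises severity; only HIGH/CRITICAL findings
// are eligible, and a weak or negative verdict leaves the finding untouched.
function applyAiVerification(finding: Finding, verdict: AiVerdict): Finding {
  if (finding.severity !== "HIGH" && finding.severity !== "CRITICAL") return finding;
  if (!verdict.likelyFalsePositive || verdict.confidence < 0.8) return finding;
  return {
    ...finding,
    severity: "LOW",
    evidence: {
      ...finding.evidence,
      // Provenance: who downgraded, from what, and how sure it was.
      aiVerification: {
        originalSeverity: finding.severity,
        confidence: verdict.confidence,
        model: verdict.model,
      },
    },
  };
}
```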

Earlier phases

Phases 1–72 backfilled in the project build-order tree (build order/). Highlights:

  • GDPR rule engine (Phase 4) — 70+ deterministic rules across cookie consent, privacy policy, security headers, DSR workflow, breach response, vendor management.
  • Website scanner (Phase 5) — Puppeteer-driven crawler, page-type detection, subdomain support, 0–100 scoring.
  • GitHub PR scanner (Phase 6) — webhook-driven PR analysis with line-level fix guidance posted as comments.
  • Cloud infrastructure scanning — read-only scans for AWS, GCP, Azure, and Kubernetes (Phases in the multi-framework build order).
  • GDPR module suite — DSR, RoPA (Art. 30), DPIA (Art. 35), breach register (Art. 33/34), vendor DPAs (Art. 28), privacy notices (Art. 13/14), DPO profile (Art. 37–39), consent management.
  • Regulation watcher — RSS feeds from EDPB, ICO, FTC, HHS, IAPP, PCI SSC. Each item is summarized and tagged to its framework.
  • Audit log + RBAC — five-tier RBAC enforced server-side; immutable audit logs for admin and member actions.
  • PDF + HTML report generation — scoped per-scan, per-website, framework-wide, or overall. GDPR programme HTML includes DPO, DPIAs, processors, RoPA, breaches, DSRs.

Conventions

  • Each entry leads with the date and a short title.
  • User-visible changes are stated in plain English, with cross-links to the implementing phase doc where useful.
  • We don't list internal refactors, dependency bumps, or copy tweaks unless they meaningfully change product behaviour.