Summary
In Q2 2026, Thorgate tracked 470 compliance documents — privacy policies, terms of service, data processing agreements, subprocessor lists, and security pages — across 100 SaaS vendors. Over the quarter we captured 26,818 document versions and identified 1,910 distinct substantive document changes.
Of those, 580 were classified major (subprocessor changes, retention shifts, jurisdictional changes, breach-notification term changes), 145 moderate, and 1,185 minor. A further 1,902 detected changes were purely cosmetic — reformatting, navigation edits, version-number bumps — and are excluded from all counts above.
The most common category of substantive change was subprocessor changes (146 distinct changes).
Method
Thorgate fetches each tracked document daily, stores a content-hashed version history, and classifies each detected change with a deterministic AI classifier (severity, category, materiality). Cosmetic reformats are excluded from change counts. Counts deduplicate multi-workspace tracking: one vendor edit counts once regardless of how many Thorgate workspaces track that vendor.
What changed, by category
| Category | Distinct changes |
|---|---|
| Subprocessor changes | 146 |
| Other substantive | 68 |
| Certifications | 50 |
| Data use / AI disclosures | 40 |
| Jurisdiction / transfers | 22 |
| Security commitments | 18 |
| Liability terms | 3 |
Category-level classification was introduced on May 30, 2026; the category breakdown covers May 30, 2026 through the end of the quarter and therefore undercounts the full period. Severity and volume figures cover the entire quarter.
What changed, by document type
| Document | Distinct changes |
|---|---|
| Privacy policy | 408 |
| Terms of service | 387 |
| Data processing agreement | 377 |
| Security / trust page | 376 |
| Subprocessor list | 362 |
The quarter's most active vendors
Vendors whose tracked documents changed most often this quarter. All observations are drawn from the vendors' own public documents.
| Vendor | Distinct changes |
|---|---|
| BambooHR | 80 |
| Mailchimp | 76 |
| Microsoft 365 | 69 |
| Linode | 68 |
| Box | 67 |
| GitLab | 63 |
| Microsoft Azure | 61 |
| Salesforce | 47 |
| Snowflake | 46 |
| OpenAI | 43 |
About this data
Thorgate continuously monitors the public compliance documents of SaaS vendors on behalf of compliance teams. This report aggregates catalog-level observations; no customer data is included. Compliance publications and infosec newsletters are welcome to cite this report with attribution. For methodology detail, per-vendor histories, or press inquiries: support@thorgate.com.