State of Vendor Privacy — Q2 2026

What changed in SaaS vendors' privacy policies, DPAs, and subprocessor lists in April – June 2026 — aggregate data from Thorgate's vendor tracking catalog.

Published July 8, 2026 · 6 min read

Summary

In Q2 2026, Thorgate tracked 470 compliance documents — privacy policies, terms of service, data processing agreements, subprocessor lists, and security pages — across 100 SaaS vendors. Over the quarter we captured 26,818 document versions and identified 1,910 distinct substantive document changes.

Of those, 580 were classified major (subprocessor changes, retention shifts, jurisdictional changes, breach-notification term changes), 145 moderate, and 1,185 minor. A further 1,902 detected changes were purely cosmetic — reformatting, navigation edits, version-number bumps — and are excluded from all counts above.

The most common category of substantive change was subprocessor changes (146 distinct changes).

Method

Thorgate fetches each tracked document daily, stores a content-hashed version history, and classifies each detected change with a deterministic AI classifier (severity, category, materiality). Cosmetic reformats are excluded from change counts. Counts deduplicate multi-workspace tracking: one vendor edit counts once regardless of how many Thorgate workspaces track that vendor.

What changed, by category

Category Distinct changes
Subprocessor changes 146
Other substantive 68
Certifications 50
Data use / AI disclosures 40
Jurisdiction / transfers 22
Security commitments 18
Liability terms 3

Category-level classification was introduced on May 30, 2026; the category breakdown covers May 30, 2026 through the end of the quarter and therefore undercounts the full period. Severity and volume figures cover the entire quarter.

What changed, by document type

Document Distinct changes
Privacy policy 408
Terms of service 387
Data processing agreement 377
Security / trust page 376
Subprocessor list 362

The quarter's most active vendors

Vendors whose tracked documents changed most often this quarter. All observations are drawn from the vendors' own public documents.

Vendor Distinct changes
BambooHR 80
Mailchimp 76
Microsoft 365 69
Linode 68
Box 67
GitLab 63
Microsoft Azure 61
Salesforce 47
Snowflake 46
OpenAI 43

About this data

Thorgate continuously monitors the public compliance documents of SaaS vendors on behalf of compliance teams. This report aggregates catalog-level observations; no customer data is included. Compliance publications and infosec newsletters are welcome to cite this report with attribution. For methodology detail, per-vendor histories, or press inquiries: support@thorgate.com.

Citation

Cite as: Thorgate, "State of Vendor Privacy — Q2 2026" (July 2026). Available at https://www.thorgate.com/library/reports/state-of-vendor-privacy-2026-q2. Press inquiries: support@thorgate.com.