Inspiration

We've all been there. A SaaS vendor quietly drops data retention from 90 days to 30. Another slips a new sub-processor into their DPA over a long weekend. A third raises per-seat pricing by 18%, buried in a terms update nobody read. You find out at renewal, when the leverage is gone.

The average mid-market company runs 200 to 400 SaaS tools. Fortune 500s run 1,000 or more. Nobody has time to read every pricing page, every DPA, every sub-processor list every week. So changes go unnoticed. Compliance obligations get missed. Procurement walks into renewals blind.

Every SaaS vendor shipped an AI add-on in 2025. Pricing, data-use, and training-data clauses are changing monthly. Legal teams are drowning. And GDPR sub-processor changes carry a 30-day notification obligation, today tracked in spreadsheets, one missed change away from a compliance finding.

We kept asking the same question: what if the thing that was supposed to protect you actually watched?

That's Unsyphn. Vendors change their terms, raise prices, and quietly add new sub-processors. You usually find out at renewal, if at all. Unsyphn reads every change across your vendor stack and helps you act first.


What it does

Unsyphn is a continuous vendor change intelligence layer that sits above your existing SaaS stack, not in competition with your GRC, CLM, or vendor management tools, but feeding them.

It monitors every pricing page, terms-of-service, DPA, sub-processor list, SLA, and security attestation across your portfolio automatically. When something changes, it doesn't just tell you something changed. It tells you what changed, what it means in dollars, what compliance obligation it triggers, and who needs to know, routed directly to the right person via Slack, Jira, or email.

Key capabilities:

  • Continuous monitoring: hourly or daily pulls per vendor tier, hashed and diffed against the last snapshot
  • Grounded ChangeReports: every finding cites the exact clause, source URL, and fetch timestamp. No citation, no claim.
  • Policy engine: GRC teams write rules in plain language. No engineering tickets. Rules preview against 12 months of real change history before shipping.
  • Renewal Radar: T-90, T-60, T-30 alerts with full change history and a renegotiation packet built from every clause that changed since you signed
  • Sub-processor watch: GDPR/DPF obligations met automatically, with evidence
  • Compliance Evidence Bundle: every change, source, timestamp, and owner action compiled into a signed PDF. What was a two-week audit scramble is a two-minute export.

How we built it

The stack is purpose-built around one constraint: every claim must be grounded in a real source. Hallucination is not a product risk we can tolerate. It is a legal and compliance risk our buyers cannot afford.

Nimble        live web pulls (pricing, ToS, DPA, sub-processors, security)
ClickHouse    append-only snapshot + change history (immutable audit trail)
Gemini        structured ChangeReport generation with clause-level citations
Policy Engine rule DSL compiled from natural language
Senso         publishes canonical grounded briefs (immutable, citable URLs)
Slack / Jira  routing layer for vendor owners and GRC teams
Stripe        transactional layer (Compliance Pack add-on, test mode)
Datadog       per-step LLM tracing, quality SLOs, drift alarms

The monitoring loop is simple by design. Nimble pulls the live page. We hash it and compare it against the last snapshot in ClickHouse. If unchanged, we log and stop. If changed, Gemini produces a structured ChangeReport: section, before and after, materiality, dollar impact calculated against the org's seat count, recommendation, and clause-level citations. The policy engine classifies severity (P1, P2, or P3) based on rules the GRC team owns. Then it routes: a Slack DM to the vendor owner, a Jira ticket if P1 or P2, an email digest if P3. Senso publishes the canonical grounded brief.

Only on a real diff do we invoke Gemini, keeping inference costs proportional to actual change frequency, not monitoring frequency.
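The loop above (pull, normalize, hash, compare, report only on a real diff, classify by rules, route) as an added example in plain Python. This is not Unsyphn's code: the noise filter, the severity rules, the route table and the sample pricing pages are constructed here for illustration, and the Gemini step is stood in for by a plain unified diff so the gating logic is visible.

```python
# Added example: the pull -> hash -> diff -> classify -> route loop the text
# describes, written with the standard library. Not Unsyphn's code: the noise
# filter, severity rules, routes and sample pages are constructed for illustration.
from __future__ import annotations
import difflib
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed noise filter: lines that churn without touching terms or price.
NOISE = re.compile(r"cookie|accept all|©|copyright", re.I)

# Constructed severity rules a GRC team could own: (pattern, severity).
RULES = [
    (re.compile(r"\$\s?\d|per seat|per user|price", re.I), "P1"),
    (re.compile(r"sub-?processor", re.I), "P1"),
    (re.compile(r"retention|retain", re.I), "P2"),
]
ROUTES = {"P1": ["slack_dm", "jira"], "P2": ["slack_dm", "jira"], "P3": ["email_digest"]}


def normalize(page_text: str) -> str:
    """Collapse whitespace and drop boilerplate lines so a footer tweak is not a change."""
    lines = (" ".join(line.split()) for line in page_text.splitlines())
    return "\n".join(line for line in lines if line and not NOISE.search(line))


def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Snapshot:
    url: str
    fetched_at: str
    sha256: str
    body: str


@dataclass
class ChangeReport:
    url: str
    fetched_at: str
    severity: str
    routes: list[str]
    diff: str
    citations: list[dict] = field(default_factory=list)


class Monitor:
    """Keeps an append-only snapshot list per URL; only a real diff yields a report."""

    def __init__(self) -> None:
        self.history: dict[str, list[Snapshot]] = {}

    @staticmethod
    def classify(changed_lines: list[str]) -> str:
        severity = "P3"
        for line in changed_lines:
            for pattern, sev in RULES:
                if pattern.search(line) and sev < severity:  # "P1" < "P2" < "P3"
                    severity = sev
        return severity

    def observe(self, url: str, raw_page: str, fetched_at: str | None = None) -> ChangeReport | None:
        fetched_at = fetched_at or datetime.now(timezone.utc).isoformat()
        body = normalize(raw_page)
        snap = Snapshot(url, fetched_at, content_hash(body), body)
        prev = self.history.setdefault(url, [])
        baseline = prev[-1] if prev else None
        prev.append(snap)  # every pull is logged, changed or not
        if baseline is None or baseline.sha256 == snap.sha256:
            return None  # no diff: no report generation, no alert
        diff_lines = list(difflib.unified_diff(baseline.body.splitlines(), body.splitlines(),
                                               fromfile="before", tofile="after", lineterm=""))
        removed = [l[1:] for l in diff_lines if l.startswith("-") and not l.startswith("---")]
        added = [l[1:] for l in diff_lines if l.startswith("+") and not l.startswith("+++")]
        severity = self.classify(removed + added)
        # Every cited clause carries the source URL and fetch timestamp it came from.
        citations = (
            [{"source_url": url, "fetched_at": fetched_at, "side": "after", "clause": c} for c in added]
            + [{"source_url": baseline.url, "fetched_at": baseline.fetched_at, "side": "before", "clause": c}
               for c in removed]
        )
        if not citations:
            return None  # no citation, no claim
        return ChangeReport(url, fetched_at, severity, ROUTES[severity], "\n".join(diff_lines), citations)


# Constructed sample pages: v1 baseline, v1b cosmetic churn only, v2 retention cut, v3 price rise.
URL = "https://vendor.example/pricing"
PAGE_V1 = "Pricing\nTeam plan: $20 per seat / month\nData retention: 90 days\nAccept all cookies\n© 2024 Vendor"
PAGE_V1B = "Pricing\nTeam plan:   $20 per seat / month\nData retention: 90 days\nWe use cookies\n© 2025 Vendor"
PAGE_V2 = PAGE_V1B.replace("90 days", "30 days")
PAGE_V3 = PAGE_V2.replace("$20", "$24")


def run_demo() -> list[ChangeReport | None]:
    m = Monitor()
    pages = [PAGE_V1, PAGE_V1B, PAGE_V2, PAGE_V3]
    return [m.observe(URL, p, f"2025-0{i}-01T00:00:00Z") for i, p in enumerate(pages, 1)]


if __name__ == "__main__":
    for r in run_demo():
        print("no change" if r is None else f"{r.severity} -> {r.routes}\n{r.diff}")
```

The second pull changes the cookie banner and the copyright year but produces no report, because normalization strips those lines before hashing; the retention cut fires as P2 and the price rise as P1, each with citations that name the URL and fetch time on both sides of the diff.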

For the demo, one vendor ran live. Nimble pulled the real page. Gemini diffed it against a Wayback Machine snapshot. A ChangeReport with dollar impact and clause citations appeared in under 30 seconds. The policy fired. The Slack alert hit the demo channel. The Jira ticket was created. The Evidence Bundle exported as a signed PDF. The Stripe Compliance Pack upgrade completed in test mode.


Challenges we ran into

Grounding without hallucination. Getting Gemini to produce structured ChangeReports with valid clause-level citations, consistently, at scale, required significant prompt engineering and schema enforcement. We measure citation validity at 100%. Any response without a resolvable source URL is rejected before it reaches the feed.

Noise vs. signal. Vendor pages change constantly: cookie banners, nav updates, marketing copy. Training the materiality classifier to distinguish a pricing change from a footer tweak was harder than expected. The per-vendor noise floor took multiple iterations to calibrate.

The cold-start problem. A vendor monitoring product with no history is not useful. We solved this with Wayback Machine backfill, seeding 6 to 24 months of historical snapshots on onboarding so the first meaningful change fires within a week, not a quarter.

Immutable evidence under time pressure. Building an audit trail that is genuinely append-only, timestamped, and independently verifiable, while also being readable by a non-technical auditor, required careful design of the Senso publishing layer. Signed PDFs that hold up in front of an auditor take longer to get right than signed PDFs that just exist.
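The append-only, timestamped, independently verifiable trail described above, as an added example rather than Unsyphn's Senso or ClickHouse implementation: a hash-chained evidence log whose export carries a head hash and a seal, plus the verifier an auditor would run. The seal key and the two sample records are constructed.

```python
# Added example: a hash-chained, sealed evidence log with a verifier, using only
# the standard library. Not Unsyphn's Senso or ClickHouse implementation; it shows
# the property the text asks for (append-only, timestamped, independently checkable).
# The seal key and the sample records are constructed.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(record: dict) -> bytes:
    """Stable serialization: the same record must always hash to the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, prev_hash: str, record: dict) -> str:
    """Each entry commits to its position, its predecessor and its own content."""
    return hashlib.sha256(f"{seq}:{prev_hash}:".encode() + canonical(record)).hexdigest()


class EvidenceLog:
    def __init__(self, seal_key: bytes) -> None:
        self._key = seal_key
        self.entries: list = []

    def append(self, record: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev_hash": prev, "record": record,
                 "entry_hash": entry_hash(seq, prev, record)}
        self.entries.append(entry)  # the only write path: append, never update
        return entry

    def export_bundle(self) -> dict:
        """Exportable bundle: entries, head hash, and an HMAC seal over the head."""
        head = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        seal = hmac.new(self._key, head.encode(), hashlib.sha256).hexdigest()
        return {"entries": copy.deepcopy(self.entries), "head": head, "seal": seal}


def verify_bundle(bundle: dict, seal_key: bytes) -> tuple:
    """Recompute every link and hash, then check the seal; an edit, drop or reorder fails."""
    prev = GENESIS
    for i, e in enumerate(bundle["entries"]):
        if e["seq"] != i or e["prev_hash"] != prev:
            return False, f"broken chain at entry {i}"
        if entry_hash(i, prev, e["record"]) != e["entry_hash"]:
            return False, f"tampered record at entry {i}"
        prev = e["entry_hash"]
    if prev != bundle["head"]:
        return False, "head does not match the last entry"
    expected = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["seal"]):
        return False, "seal does not verify"
    return True, "ok"


DEMO_KEY = b"constructed-demo-seal-key"  # constructed; a real deployment would hold this in a KMS/HSM


def build_demo_bundle(seal_key: bytes = DEMO_KEY) -> dict:
    """Two constructed evidence records: change, source, timestamp, owner action."""
    log = EvidenceLog(seal_key)
    log.append({"vendor": "Vendor A", "source_url": "https://vendor.example/dpa",
                "fetched_at": "2025-03-01T10:00:00Z", "change": "retention 90 -> 30 days",
                "owner_action": "jira ticket opened"})
    log.append({"vendor": "Vendor A", "source_url": "https://vendor.example/subprocessors",
                "fetched_at": "2025-03-02T10:00:00Z", "change": "sub-processor added",
                "owner_action": "DPO notified"})
    return log.export_bundle()


if __name__ == "__main__":
    bundle = build_demo_bundle()
    print(verify_bundle(bundle, DEMO_KEY))
    bundle["entries"][0]["record"]["change"] = "retention unchanged"
    print(verify_bundle(bundle, DEMO_KEY))
```

An HMAC seal only convinces a party who shares the key, so for an auditor to verify without trusting the exporter the head hash should instead be signed with an asymmetric key, or anchored somewhere the exporter cannot rewrite (the immutable, citable URLs the text describes serve that role); the chain check itself needs no secret at all.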


Accomplishments that we're proud of

  • Live, real change detection in the demo, not seeded, not faked
  • A policy engine where a GRC lead can write a rule in plain English, preview it against 12 months of real change history, and ship it without touching engineering
  • An Evidence Bundle that goes from auditor request to signed PDF in two minutes (we timed it)
  • The grounded-by-construction constraint holding across the entire product surface: every claim in every report has a citation, or it does not ship
  • Redline publishes its own sub-processor and ToS pages, monitored by itself, the self-dogfood story that wins the Q&A
  • A brand identity, Unsyphn, where the product thesis lives inside the name

What we learned

Grounding is not a feature. It is the architecture. Every decision about what to store, how to store it, and what to surface downstream was shaped by the constraint that claims must be citable. Once you accept that constraint, the data model writes itself.

The policy engine is where enterprise buyers actually live. The monitoring loop is the wedge; the DSL is the platform. GRC teams do not want to file engineering tickets to change a severity rule. The moment you hand them a text box and a 12-month preview, they become power users.

Procurement, legal, security, and finance all feel the same pain. They just name it differently. Procurement calls it renewal surprise. Legal calls it silent liability creep. Security calls it sub-processor sprawl. Finance calls it price creep. Same product, four entry points. The positioning has to work for all four simultaneously.


What's next for Unsyphn

Negotiation Copilot: when procurement opens a renewal, Unsyphn generates an opening-position email, three concession ladders, and a redlined alternative DPA. Every claim sourced. Copy-paste into Outreach or Ironclad.

Spend Reconciliation: invoice line items matched against current public pricing. Flags overbilling, missed promo periods, plan-tier mismatches. Finds 3 to 8% of SaaS spend sitting on the floor.

Policy Marketplace: anonymized GRC-authored rules shared across the customer base. Your legal team's sub-processor rule becomes a template for every legal team.

Connector ring: Okta for directory sync, Vanta and Drata for evidence push, Ironclad and Lexion for contract date ingestion, Ramp and Brex for invoice reconciliation. Once Unsyphn is in Slack, Jira, and Vanta simultaneously, switching cost compounds fast.

The moat is the snapshot graph. Months of clean cross-vendor change history, compounding with every customer, is not something an incumbent can replicate cold. We are the upstream change layer and the goal is to become the source that every other tool in the stack pulls from.
