Sprint-by-sprint shipping log. Most recent first. Older detail lives in git history and the per-sprint summaries in project memory.

2026-06-04 · Marketing — Wave 1
Landing page tuned for the GRC-manager buyer

Feature: "From recent work" section added below the framework grid: one live consultancy engagement (anonymised) and two reference audits, with the live/reference split labelled honestly. Footnote points to the full write-ups on the blog.
Feature: Hero now carries three equally-weighted CTAs — start the trial, explore demo verticals, or book a 30-minute demo. The third lands a GRC manager who does not self-serve.
Feature: Hero trust line reframed for the assessor: ICO registration number, EU data residency, SOC 2 Type II in progress, ISO 27001 self-attested, MSA + DPA on request.
Feature: Closing CTA picks up a soft-close row beneath the contact form — link to the blog and a direct founder email — so readers who scrolled past the form get a fresh next step rather than a repeat of the hero.
Feature: New /auditor-demo page — a static, sanitised preview of what an auditor sees in the Raize Orion auditor portal. Mirrors the layout of the real token-gated /auditor/[token] route with synthetic-data tables for scope, control coverage, Type II window, evidence, findings and policies. Linked from the landing as "See what your auditor sees".
Feature: Framework picker chip row above the framework grid — URL-stateful (?fw=<id>), dims unselected tiles, smooth-scrolls to the grid when a deep link lands. The buyer-path tiles from Wave 2 now drop visitors directly onto the relevant framework on landing.
Feature: Cookieless analytics event added on the framework picker (gm.framework_picker) using @vercel/analytics — surfaces which frameworks visitors filter to, no cookies set. CI tripwire audit:marketing-cookies still green.
Platform: docs/operations/cookie-position.md re-reviewed and stamped 2026-06-04: no cookies introduced by any Wave 1–4 change.

2026-06-04 · Marketing — Wave 3
Retention surfaces on the landing page

Feature: "Recent writing" tile strip above the final CTA — top 3 blog posts, auto-fed from the posts data file. Practitioner content is the highest trust signal for a domain buyer; the blog was previously only a nav and footer link.
Feature: Trust Center promoted from a footer credential to a hero feature block — two-column layout with a "stand up your own trust page in 10 minutes" pitch and a live-preview tile showing compliance score, frameworks, sub-processors, and last-update timestamp.
Feature: 2-page platform overview PDF generated from gen:datasheet and linked from the header nav. Lets a GRC manager forward something internally without writing one themselves. Cookieless static asset; no third-party document hosting.

2026-06-04 · Marketing — Wave 2
Buyer-path clarity on the landing page

Feature: Hero subhead reframed from a dense ten-framework list into a three-situation hook: clearing security questionnaires every quarter, building toward a Type II audit, or running one evidence base across multiple frameworks. SEO keyword density preserved.
Feature: New buyer-path tile row under the hero — four self-select paths for first-time founders (SOC 2), UK SaaS (ISO 27001 + GDPR), EU-regulated entities (NIS2 Art. 21 + 23), and payment processors (PCI DSS Req 1–12). Each tile carries a ?fw=<id> query string so the upcoming framework picker can pre-select on landing.
Feature: New "What you get on day one" strip above pricing — three numbers a programme lead can take to a budget conversation: 10-minute first evidence row, day-one cross-framework mapping, 90-day first audit-ready pack.

2026-06-01 · Frameworks
Four new frameworks — ISO 22301 · NIS2 · Cyber Essentials/Plus · IASME Cyber Assurance

Feature: Raize Orion now ships 10 built-in frameworks. Each new one is fully first-class: control catalogue, guided tour, project schedule, and policy templates — selectable per organisation from the framework switcher.
Feature: ISO 22301:2019 Business Continuity — 37 requirements across clauses 4–10, anchored on the Business Impact Analysis (RTO / RPO / MTPD), continuity strategy, plans and exercising.
Feature: NIS2 (Directive (EU) 2022/2555) — 32 requirements: management-body governance (Art 20), the ten minimum risk-management measures (Art 21), and the 24-hour / 72-hour / 1-month incident-reporting clock (Art 23).
Feature: Cyber Essentials & Cyber Essentials Plus — the five technical controls plus a dedicated CE Plus independent-verification set (40 requirements).
Feature: IASME Cyber Assurance — 61 requirements across 13 themes, incorporating the Cyber Essentials technical five plus governance, risk, UK GDPR / data protection, business continuity and incident response.
Feature: Four new policy templates (Business Impact Analysis Procedure, BC Exercise & Testing Plan, Secure Configuration Policy, NIS2 Incident Reporting Procedure); existing templates now map to the new frameworks so adopting once satisfies across frameworks.
Platform: No data migration required — framework selection is per organisation. A build-time tally check keeps each framework's control counts, category totals and policy mappings honest.
Feature: Custom Frameworks builder — define your own framework, add requirements, and map existing built-in or custom controls into them. Built on a parallel uuid namespace so the six built-in frameworks keep their typed exhaustiveness.
Feature: Access Reviews (UAR) — launch a review campaign, seed subjects manually or pull the roster straight from BambooHR HRIS, certify / revoke / flag each entry, and completing the review writes timestamped evidence to the access-management controls. Subjects past their termination date that are not revoked are flagged automatically.
Feature: Personnel Security — background-check tracking (PII-safe by design: provider reference + bucketed clear/consider status only, never raw report data) and security-awareness training completions, both landing as control evidence with no manual upload.
Feature: Six new evidence connectors: Generic REST/JSON (point at any HTTPS JSON endpoint and declare checks → control codes), Google Cloud, Auth0, BambooHR, Jamf Pro, Kandji. Total: 19 named connectors plus a generic one.
Feature: Nine existing connectors deepened with high-signal checks: AWS (IAM password policy), GitHub (code-scanning alerts), Okta (sign-on policy), Cloudflare (member 2FA), Sentry (org 2FA enforcement), Slack (session duration), Google Workspace (2SV enforcement vs mere enrolment), Azure AD (guest-account inventory), Datadog (security-monitoring rules).
Platform: Web Analytics + Speed Insights wired into both the app and marketing site for real-user performance and visitor telemetry.
Platform: Six migrations (199–204) applied to prod and staging in parallel; every edge redeploy smoke-tested through the real dispatch path before commit; all UI builds green.

2026-05-20 · Sprint 101
SCIM provisioning (Enterprise) · MFA grace period · connector Test connection

Feature: SCIM 2.0 provisioning shipped for Enterprise: mint a token in SSO settings, paste into your Okta or Azure AD SCIM connector, and new hires land in Raize within ~60 seconds with the right role. Deprovision flips access just as fast. Smoke-tested live against an Okta tenant.
Feature: Connectors gain a "Test connection" button next to "Run now". Runs the same handler dispatch with vault-decrypted creds but writes no evidence and fires no alerts — sub-10s verification that a credential still works after rotation.
Feature: Drift alerts deep-link into the app. Slack and email notifications now include a "View in Raize Orion" button that opens the connector's runs drawer at the exact failing run.
Feature: MFA enrolment gets a 7-day grace window. New users see a banner counting down days remaining and can use the app at aal1 while they set up TOTP — instead of being walled off on day one. Existing users with MFA already enabled see no change.
Security: SCIM access is gated at the database — if an Enterprise org downgrades, every existing SCIM token stops authenticating immediately, no manual revocation needed.
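One way to put that gate in the database, added here as an illustration and not Raize Orion's own schema or function. The table and column names, the plan values, the hashed-token storage and the scim_authenticate function are all assumptions; the point is that the plan check runs inside the lookup on every request, so a downgrade needs no token revocation step.

```sql
-- Assumed schema (not Raize Orion's): an organisation carries a plan; a SCIM token belongs to one org.
create table organisations (
  id    uuid primary key default gen_random_uuid(),
  name  text not null,
  plan  text not null check (plan in ('starter', 'growth', 'enterprise'))
);

create table scim_tokens (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null references organisations (id) on delete cascade,
  token_hash  bytea not null unique,     -- sha256 of the bearer token; the plaintext is never stored
  created_at  timestamptz not null default now(),
  revoked_at  timestamptz                -- manual revocation stays possible, it is just not required
);

-- Resolve a bearer token to an org id, or no row. The plan predicate is evaluated on every call,
-- so a downgrade cuts off every token of that org on the next SCIM request.
create or replace function scim_authenticate(bearer text)
returns uuid
language sql
stable
security definer
set search_path = pg_catalog, public
as $$
  select t.org_id
  from scim_tokens t
  join organisations o on o.id = t.org_id
  where t.token_hash = sha256(convert_to(bearer, 'UTF8'))
    and t.revoked_at is null
    and o.plan = 'enterprise';
$$;

-- Only the role the SCIM endpoint runs as should be granted EXECUTE; nobody gets it by default.
revoke execute on function scim_authenticate(text) from public;

-- Constructed walk-through: issue a token, authenticate, downgrade the org, authenticate again.
insert into organisations (id, name, plan)
values ('00000000-0000-0000-0000-000000000001', 'Example Ltd', 'enterprise');

insert into scim_tokens (org_id, token_hash)
values ('00000000-0000-0000-0000-000000000001',
        sha256(convert_to('example-token-not-a-real-secret', 'UTF8')));

-- First call: the org is on enterprise, the token is live.
select scim_authenticate('example-token-not-a-real-secret');

update organisations set plan = 'growth'
where id = '00000000-0000-0000-0000-000000000001';

-- Second call: same token, nothing revoked, but the plan predicate no longer holds.
select scim_authenticate('example-token-not-a-real-secret');
```

Storing only the hash means a database read cannot recover a usable bearer token, and keeping the plan check inside the function (rather than in application code that caches the plan) is what makes the cut-off immediate.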
Feature: Drift alert subscriptions gain per-control-code routing. Send CC6.* + IA-* to your security Slack, CC7.* + AU-* to ops — pattern-match with simple suffix wildcards, no more channel flood.
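An illustration of suffix-wildcard routing done in the database, written for this page and not Raize Orion's own code. The tables, the control_code_matches and subscriptions_for_control functions, and the constructed subscriptions are assumptions. It goes slightly beyond the text in two ways: a CHECK constraint rejects patterns with a wildcard anywhere but the end, and LIKE metacharacters inside the literal prefix are escaped so a code is matched literally.

```sql
-- Assumed tables (not Raize Orion's): a subscription is a destination; a route is one pattern on it.
create table alert_subscriptions (
  id       serial primary key,
  name     text not null,
  channel  text not null                      -- a Slack channel or an email recipient
);

create table subscription_routes (
  subscription_id  int  not null references alert_subscriptions (id) on delete cascade,
  pattern          text not null check (pattern !~ '\*.'),  -- '*' is allowed only as the last character
  primary key (subscription_id, pattern)
);

-- Match a control code against one pattern: 'CC6.*' is a prefix match, 'CC6.6' is exact,
-- '*' alone matches everything. '\', '%' and '_' in the prefix are escaped so that a code
-- such as 'AC-2_1' is compared literally rather than as a LIKE wildcard.
create or replace function control_code_matches(code text, pattern text)
returns boolean
language sql
immutable
as $$
  select case
    when right(pattern, 1) = '*' then
      code like replace(replace(replace(left(pattern, -1), '\', '\\'), '%', '\%'), '_', '\_') || '%'
    else code = pattern
  end
$$;

-- Route a finding to every subscription that has at least one matching pattern.
create or replace function subscriptions_for_control(code text)
returns table (name text, channel text)
language sql
stable
as $$
  select distinct s.name, s.channel
  from alert_subscriptions s
  join subscription_routes r on r.subscription_id = s.id
  where control_code_matches(code, r.pattern)
$$;

-- Constructed data mirroring the entry above: CC6.* + IA-* to security, CC7.* + AU-* to ops,
-- plus a catch-all recipient.
insert into alert_subscriptions (id, name, channel) values
  (1, 'security', '#security-alerts'),
  (2, 'ops',      '#ops-alerts'),
  (3, 'ciso',     'ciso@example.com');

insert into subscription_routes (subscription_id, pattern) values
  (1, 'CC6.*'), (1, 'IA-*'),
  (2, 'CC7.*'), (2, 'AU-*'),
  (3, '*');

-- A logical-access finding and an audit-logging finding, routed.
select * from subscriptions_for_control('CC6.6');
select * from subscriptions_for_control('AU-2');
```

Keeping one row per (subscription, pattern) rather than a pattern array lets the CHECK constraint validate each pattern on write, so a typo such as 'CC*.6' is rejected when the subscription is saved instead of silently matching nothing.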
Feature: Alerts now fire when a connector run ITSELF fails, not just on findings. Rotated AWS credentials or a vault outage no longer means weeks of silent collection — you hear about it on the first failure.
Feature: Per-subscription "Send test" button. Verify your Slack webhook or recipient email works without waiting for a real compliance finding to flush out a typo.
Feature: Subscriptions are now editable in place — change rate limit, severity, or filter without losing the vaulted webhook URL.
Feature: Per-subscription change history with colour-coded diffs — who paused it, who tightened the rate limit, who deleted it. Captured automatically via DB trigger, queryable for SOC 2 CC6.6 evidence.
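A trigger-captured change history of the kind the entry describes, added here as an example and not Raize Orion's own implementation. The table shapes, the app.actor setting used to identify who made the change, and the diff query are assumptions; the walk-through data is constructed.

```sql
-- Assumed table (not Raize Orion's): the subscription row whose edits we want a history of.
create table alert_subscriptions (
  id          serial primary key,
  channel     text not null,
  rate_limit  int  not null default 60,
  severity    text not null default 'medium',
  paused      boolean not null default false
);

-- Append-only history: one row per insert/update/delete, before and after images as jsonb.
-- No UPDATE or DELETE is ever granted on this table, which is what makes it usable as evidence.
create table alert_subscription_history (
  id               bigserial primary key,
  subscription_id  int  not null,
  op               text not null check (op in ('INSERT', 'UPDATE', 'DELETE')),
  actor            text not null,
  changed_at       timestamptz not null default now(),
  before_row       jsonb,
  after_row        jsonb
);

create or replace function record_subscription_change()
returns trigger
language plpgsql
security definer
set search_path = pg_catalog, public
as $$
declare
  sub_id  int;
  before  jsonb;
  after   jsonb;
begin
  if tg_op = 'DELETE' then
    sub_id := old.id; before := to_jsonb(old);
  elsif tg_op = 'UPDATE' then
    sub_id := new.id; before := to_jsonb(old); after := to_jsonb(new);
  else
    sub_id := new.id; after := to_jsonb(new);
  end if;

  insert into alert_subscription_history (subscription_id, op, actor, before_row, after_row)
  values (
    sub_id,
    tg_op,
    -- Assumption: the application sets app.actor per request from the authenticated identity;
    -- if it is unset (a migration, a console session) the database role is recorded instead.
    coalesce(nullif(current_setting('app.actor', true), ''), current_user),
    before,
    after
  );
  return null;   -- AFTER trigger: the return value is ignored
end;
$$;

create trigger alert_subscriptions_history
after insert or update or delete on alert_subscriptions
for each row execute function record_subscription_change();

-- Constructed walk-through: create, tighten the rate limit, pause, delete, by two different people.
set app.actor = 'alice@example.com';
insert into alert_subscriptions (channel) values ('#security');
update alert_subscriptions set rate_limit = 10 where channel = '#security';
set app.actor = 'bob@example.com';
update alert_subscriptions set paused = true where channel = '#security';
delete from alert_subscriptions where channel = '#security';

-- The diff view: for each history row, only the keys whose value changed, with from/to and actor.
select h.changed_at, h.actor, h.op,
       (select jsonb_object_agg(k, jsonb_build_object('from', h.before_row -> k, 'to', h.after_row -> k))
        from jsonb_object_keys(coalesce(h.after_row, h.before_row)) k
        where h.before_row -> k is distinct from h.after_row -> k) as diff
from alert_subscription_history h
order by h.changed_at;
```

Because the trigger fires inside the same transaction as the edit, a change cannot land without its history row, and because the application role never receives UPDATE or DELETE on the history table, the record an auditor reads for CC6.6 is the one the trigger wrote.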
Feature: New /blog at raizehq.dev/blog with three launch posts on GRC for SaaS founders. Plain TSX, no MDX runtime, fast.
Platform: Per-job cron health on Platform Admin — operators see at a glance which scheduled jobs are degraded or failing, sorted by severity.
Platform: Connector handlers now run through a static-audit script (npm run audit:connectors) on every change. Five rules encoded from real prior bugs: dead status-ladder rungs, hand-rolled URL operator encoding, boolean-coercion under-counts, post-refactor field drift, unguarded fetch.

2026-05-15 · Sprint 97
Marketing → Next.js · app stays on Vite

Platform: New marketing site at raizehq.dev rebuilt on Next.js 14 (App Router). Server-rendered, edge-cached. Lighthouse perf 0.95+, LCP <1s.
Platform: App moved to app.raizehq.dev — same Vite SPA, same Supabase backend, just a clean subdomain.
Feature: Pricing has its own URL (/pricing). Privacy + DPA + Changelog all crawlable as separate documents.
Fix: Stale "Annual (-10%)" pricing label dropped. Year-2125 renewal date corrected. Friendlier billing-portal error when no Stripe customer exists.

2026-05-14 · Sprint 96
Red Team ASV scan + remediation

Security: Internal PCI-DSS-aligned ASV scan against the public surface. 0 critical, 1 high, 3 medium findings.
Security: 76 Supabase Advisor warnings closed: SECURITY DEFINER search_path pinned, anon EXECUTE revoked from 51 RPCs (kept the 6 truly public ones).
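What those two remediations look like in Postgres, added here as an illustration and not Raize Orion's own migration. The log_event function and audit_log table are assumptions; the anon and authenticated roles are the Supabase ones (create them first on a plain Postgres instance). The two catalog queries at the end are the check a practitioner would keep in CI to stop either class of warning from coming back.

```sql
-- Assumes the Supabase roles exist. On plain Postgres: create role anon nologin; create role authenticated nologin;
create table audit_log (
  occurred_at  timestamptz not null,
  message      text not null
);

-- Before: SECURITY DEFINER with no pinned search_path. Unqualified names in the body (audit_log, now)
-- are resolved through the *caller's* search_path, while the body runs with the owner's privileges.
create or replace function log_event(msg text)
returns void
language sql
security definer
as $$
  insert into audit_log (occurred_at, message) values (now(), msg);
$$;

-- After: search_path pinned at definition time, and every name schema-qualified as well.
create or replace function log_event(msg text)
returns void
language sql
security definer
set search_path = pg_catalog, public
as $$
  insert into public.audit_log (occurred_at, message) values (pg_catalog.now(), msg);
$$;

-- Functions are EXECUTE-able by PUBLIC by default and anon inherits PUBLIC, so revoking from anon
-- alone leaves the grant in place. Revoke from PUBLIC, then grant back only what is needed.
revoke execute on function log_event(text) from public, anon;
grant execute on function log_event(text) to authenticated;

-- Stop future functions in public from being callable by everyone the moment they are created.
alter default privileges in schema public revoke execute on functions from public;

-- Check 1: SECURITY DEFINER functions with no search_path in their per-function settings.
select n.nspname, p.proname
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where p.prosecdef
  and n.nspname not in ('pg_catalog', 'information_schema')
  and not exists (
    select 1
    from unnest(coalesce(p.proconfig, '{}'::text[])) cfg
    where cfg like 'search_path=%'
  );

-- Check 2: functions in public that the anon role can still execute (should be the short public list only).
select p.proname
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and has_function_privilege('anon', p.oid, 'EXECUTE');
```

Both checks read pg_proc directly, so they can run as a migration test against staging: Check 1 should return no rows, and Check 2 should return exactly the RPCs that are meant to be public.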
2026-05-14 · Sprint 96b
Board-level audit report PDFs

Feature: New shared chart module renders a Dashboard-style overview page in every audit report PDF — compliance gauge, risk severity bars, framework coverage, implementation progress.
Feature: Wired into AOC PDF (gap analysis / internal audit) + Auditor Portal PDF + Export Suite. Real org name now in the header (was "[Organisation Name]" placeholder).
Fix: Stripe launch promo coupon allowlist must use Stripe ID, not receipt name. Coupon RAIZE_LAUNCH_10 created (10% off, 30-day window). Annual prices reset to monthly × 12.

2026-05-13 · Sprint 95
MFA enforcement + branded transactional email

Security: TOTP MFA required for every authenticated user, regardless of role. New MfaGate between auth and dashboard.
Feature: Branded per-task deadline reminder emails replace the plain text version. MFA enrolment + success emails added.
Fix: Post-MFA-reload session bootstrap now reads localStorage directly — bypasses a gotrue-js _acquireLock that intermittently bounced users back to the sign-in page.

2026-05-11 · Sprint 60
Continuous Monitoring catalogue → 50 control checks

Feature: 50 automated control checks across all 6 frameworks — daily run @ 07:00 UTC, drift events flow into the unified register, one-click create-task remediation.
Feature: New ControlChecksPanel on Continuous Monitoring shows pass/fail/error breakdown with a rose pill the moment any check errors out (would have caught the 6 schema-drift bugs the MeriCare audit found in 30s).

2026-05-10 · Sprint 47
PCI DSS framework module + 8 new playbooks

Feature: PCI DSS v4.0.1 ships as the 6th framework — 80 controls cross-mapped to the existing 5. HIPAA + PCI playbook marketplace gets 8 new entries (4 per framework).

2026-05-08 · Sprint 27/28
Consultant walkthrough — 8 defects fixed

Fix: Synthetic 3-framework consultant walkthrough caught 8 real defects across auth, dashboard, calendar, audit log, and policy editor. All 8 fixed in same session.
Platform: Email pipeline shipped end-to-end via Resend + raizehq.dev DKIM/SPF/DMARC. Bulk Send imports staff lists from CSV/XLSX/DOCX.

Ship something new every sprint.
Approximately one customer-visible release per week. Subscribe via the in-app notification preferences (Settings → Email → Product updates).