AI Vendor Changelog
A continuously updated feed of security, compliance, and legal-policy changes we detect across the AI vendors we monitor — new CVEs, certification changes, and terms-of-service updates. Every entry is generated deterministically from the underlying evidence.
Jul 1, 2026
1 sub-processor(s) removed: Glean Search Technologies India Private Limited.
Jun 30, 2026
The Master Service Agreement's previous URL stopped responding and we could not locate a current version automatically. We're searching for its new location; this is flagged for manual review.
Jun 28, 2026
11 new CVEs (published from 2019-07-09): CVE-2019-13450, CVE-2020-11469, CVE-2020-11470, CVE-2020-11500, CVE-2020-11876, CVE-2020-11877 (+5 more). 11 of these have no vendor fix listed yet.
Jun 28, 2026
1 actively-exploited (CISA KEV) vulnerability: CVE-2022-26138; 11 new CVEs (published from 2005-12-03): CVE-2005-3967, CVE-2012-2928, CVE-2012-6342, CVE-2015-8398, CVE-2015-8399, CVE-2016-4317 (+5 more). Exploitation likelihood is high — EPSS 98% for CVE-2022-26138 (probability of exploitation in the next 30 days). 11 of these have no vendor fix listed yet.
Jun 28, 2026
2 new CVEs (published from 2025-10-03): CVE-2025-61591, CVE-2025-61592. 2 of these have no vendor fix listed yet (CVE-2025-61591, CVE-2025-61592).
Jun 27, 2026
The Privacy Policy was substantially rewritten — 13 removed, 13 added. Review the current version.
Jun 27, 2026
2 new sub-processor(s) added: Baseten Labs, Inc., Modal Labs, Inc..
Jun 27, 2026
The Privacy Policy was substantially rewritten — 13 removed, 13 added. Review the current version.
Jun 27, 2026
21 new CVEs (published from 2025-08-01): CVE-2025-54130, CVE-2025-54131, CVE-2025-54132, CVE-2025-54133, CVE-2025-54135, CVE-2025-54136 (+15 more). 2 of these have no vendor fix listed yet (CVE-2025-61591, CVE-2025-61592).
Jun 26, 2026
The Privacy Policy changed — 11 added passages. Review the current version.
Jun 24, 2026
The Terms of Service changed — 6 added passages. Review the current version.
Jun 24, 2026
The Terms of Service changed — 6 added passages. Review the current version.
Jun 23, 2026
19 new CVEs (published from 2005-12-03): CVE-2005-3967, CVE-2012-2926, CVE-2015-8398, CVE-2015-8399, CVE-2016-4317, CVE-2016-6283 (+13 more). Exploitation likelihood is high — EPSS 67% for CVE-2012-2926 (probability of exploitation in the next 30 days). 5 of these have no vendor fix listed yet (CVE-2005-3967, CVE-2015-8398, CVE-2015-8399, CVE-2016-4317, CVE-2016-6283).
Jun 22, 2026
25 new CVEs (published from 2022-02-09): CVE-2022-22780, CVE-2022-22781, CVE-2022-22782, CVE-2022-22784, CVE-2022-22785, CVE-2022-22786 (+19 more). 1 of these have no vendor fix listed yet (CVE-2023-36539).
Jun 22, 2026
19 new CVEs (published from 2025-08-01): CVE-2025-54130, CVE-2025-54131, CVE-2025-54132, CVE-2025-54133, CVE-2025-54135, CVE-2025-54136 (+13 more). 2 of these have no vendor fix listed yet (CVE-2025-61591, CVE-2025-61592).
Jun 20, 2026
The Eula was re-published with only formatting changes — no clause change.
Jun 19, 2026
7 actively-exploited (CISA KEV) vulnerabilities: CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138, CVE-2023-22515, CVE-2023-22518 (+1 more); 25 new CVEs (published from 2021-08-03): CVE-2021-26084, CVE-2021-26085, CVE-2021-39114, CVE-2021-43940, CVE-2022-26134, CVE-2022-26138 (+19 more). Exploitation likelihood is high — EPSS 100% for CVE-2021-26084 (probability of exploitation in the next 30 days). 2 of these have no vendor fix listed yet (CVE-2022-26138, CVE-2024-21690).
Jun 19, 2026
25 new CVEs (published from 2023-01-09): CVE-2022-36928, CVE-2023-22880, CVE-2023-22881, CVE-2023-22882, CVE-2023-28597, CVE-2023-28598 (+19 more). 1 of these have no vendor fix listed yet (CVE-2025-46789).
Jun 18, 2026
1 new sub-processor(s) added: Accenture Japan Ltd.
Jun 18, 2026
The Terms of Service was substantially rewritten — 8 removed, 50 added. Review the current version.
Jun 18, 2026
The Terms of Service changed — 62 added, 2 removed passages. Review the current version.
Jun 18, 2026
1 new sub-processor(s) added: Fireworks.ai, Inc..
Jun 18, 2026
2 sub-processor(s) removed: Apple, Google Firebase.
Jun 18, 2026
4 new sub-processor(s) added: Authzed, Inc., Oracle, Perplexity, Qualtrics.
Jun 18, 2026
11 sub-processor(s) removed: Oracle, Perplexity, Qualtrics, SendSafely, Sendbird, ServiceNow (+5 more).
Jun 18, 2026
15 new sub-processor(s) added: Google Cloud Platform, MongoDB, OneTrust, OpenAI, Oracle, Perplexity (+9 more).
Jun 18, 2026
2 sub-processor(s) removed: ElevenLabs Inc., Google Cloud-Plattform.
Jun 18, 2026
1 new sub-processor(s) added: Eleven Labs Inc..
Jun 18, 2026
16 sub-processor(s) removed: Eleven Labs Inc., Google Cloud Platform, MongoDB, OneTrust, OpenAI, Oracle (+10 more).
Jun 18, 2026
2 new sub-processor(s) added: ElevenLabs Inc., Google Cloud-Plattform.
Jun 18, 2026
1 sub-processor(s) removed: Piattaforma cloud Google.
Jun 18, 2026
15 new sub-processor(s) added: Google Cloud Platform, MongoDB, OneTrust, OpenAI, Oracle, Perplexity (+9 more).
Jun 18, 2026
5 sub-processor(s) removed: Google Cloud Platform, MongoDB, OneTrust, OpenAI, Oracle.
Jun 18, 2026
1 new sub-processor(s) added: Piattaforma cloud Google.
Jun 18, 2026
1 sub-processor(s) removed: Plataforma en la nube de Google.
Jun 18, 2026
5 new sub-processor(s) added: Google Cloud Platform, MongoDB, OneTrust, OpenAI, Oracle.
Jun 18, 2026
9 sub-processor(s) removed: Authzed, Inc., Google Cloud Platform, MongoDB, OneTrust, OpenAI, Oracle (+3 more).
Jun 18, 2026
3 new sub-processor(s) added: Apple, Google Firebase, Plataforma en la nube de Google.
Jun 17, 2026
1 new CVE (published from 2026-05-13): CVE-2026-45033. A fix is available from the vendor for all of these.
Jun 17, 2026
2 new CVEs (published from 2026-06-04): CVE-2026-42824, CVE-2026-45497. 2 of these have no vendor fix listed yet (CVE-2026-42824, CVE-2026-45497).
Jun 17, 2026
9 actively-exploited (CISA KEV) vulnerabilities: CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+3 more); 25 new CVEs (published from 2019-03-25): CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+19 more). Exploitation likelihood is high — EPSS 100% for CVE-2021-26084 (probability of exploitation in the next 30 days). 2 of these have no vendor fix listed yet (CVE-2022-26138, CVE-2024-21690).
Jun 17, 2026
25 new CVEs (published from 2023-01-09): CVE-2022-36928, CVE-2023-22883, CVE-2023-28596, CVE-2023-36539, CVE-2023-39199, CVE-2023-39204 (+19 more). 2 of these have no vendor fix listed yet (CVE-2023-36539, CVE-2025-46789).
Jun 17, 2026
The Privacy Policy changed — 1 removed passage. Review the current version.
Jun 17, 2026
The Privacy Policy was re-published with only formatting changes — no clause change.
Jun 17, 2026
The Terms of Service was re-published with only formatting changes — no clause change.
Jun 16, 2026
MICROSOFT CORP disclosed a material cybersecurity incident to the SEC (Form 8-K, Item 1.05) on 2024-01-19.
Jun 16, 2026
1 new CVE (published from 2026-05-13): CVE-2026-45033. A fix is available from the vendor for all of these.
Jun 16, 2026
25 new CVEs (published from 2023-01-09): CVE-2022-36928, CVE-2023-22883, CVE-2023-28596, CVE-2023-36539, CVE-2023-39199, CVE-2023-39204 (+19 more). 2 of these have no vendor fix listed yet (CVE-2023-36539, CVE-2025-46789).
Jun 16, 2026
MICROSOFT CORP disclosed a material cybersecurity incident to the SEC (Form 8-K, Item 1.05) on 2024-01-19.
Jun 16, 2026
2 new CVEs (published from 2026-06-04): CVE-2026-42824, CVE-2026-45497. 2 of these have no vendor fix listed yet (CVE-2026-42824, CVE-2026-45497).
Jun 16, 2026
MICROSOFT CORP disclosed a material cybersecurity incident to the SEC (Form 8-K, Item 1.05) on 2024-01-19.
Jun 16, 2026
9 actively-exploited (CISA KEV) vulnerabilities: CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+3 more); 25 new CVEs (published from 2019-03-25): CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+19 more). 2 of these have no vendor fix listed yet (CVE-2022-26138, CVE-2024-21690).
Jun 16, 2026
1 sub-processor(s) removed: Accenture Japan Ltd.
Jun 16, 2026
12 new sub-processor(s) added: Accenture International Limited, BULL LTDA – LE 960833, Bristlecone Incorporated, Bull Advanced Computing Canada Inc., Bull GmbH, Bull Nederland B.V. (+6 more).
Jun 16, 2026
The Privacy Policy was re-published with only formatting changes — no clause change.
Jun 15, 2026
1 new CVE (published from 2026-05-13): CVE-2026-45033. A fix is available from the vendor for all of these.
Jun 15, 2026
12 new sub-processor(s) added: Accenture International Limited, Cognizant Worldwide Limited, Deloitte Consulting LLP, EPAM Systems, GlobalLogic Inc., GlobalLogic Technologies Private Limited (+6 more).
Jun 15, 2026
25 new CVEs (published from 2023-01-09): CVE-2022-36928, CVE-2023-22883, CVE-2023-28596, CVE-2023-36539, CVE-2023-39199, CVE-2023-39204 (+19 more). 2 of these have no vendor fix listed yet (CVE-2023-36539, CVE-2025-46789).
Jun 15, 2026
2 new CVEs (published from 2026-06-04): CVE-2026-42824, CVE-2026-45497. 2 of these have no vendor fix listed yet (CVE-2026-42824, CVE-2026-45497).
Jun 15, 2026
36 new sub-processor(s) added: (d/b/a Bird), Amazon Web Services, Cantab Research Ltd (trading as Speechmatics), Cloudflare, Clumio, Databricks (+30 more).
Jun 15, 2026
9 actively-exploited (CISA KEV) vulnerabilities: CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+3 more); 25 new CVEs (published from 2019-03-25): CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+19 more). 2 of these have no vendor fix listed yet (CVE-2022-26138, CVE-2024-21690).
Jun 15, 2026
The Privacy Policy changed — 1 removed passage. Review the current version.
Jun 15, 2026
The Privacy Policy was substantially rewritten — 16 removed, 31 added. Review the current version.
Jun 15, 2026
The Terms of Service was re-published with only formatting changes — no clause change.
Jun 15, 2026
The Sub-processor List's previous URL stopped responding and we could not locate a current version automatically. We're searching for its new location; this is flagged for manual review.
Jun 15, 2026
The Terms of Service was substantially rewritten — 30 removed, 26 added. Review the current version.
Jun 15, 2026
The Terms of Service changed — 6 added, 88 removed passages. Review the current version.
Jun 14, 2026
The Privacy Policy was re-published with only formatting changes — no clause change.
Jun 13, 2026
The Privacy Policy changed — 1 added passage. Review the current version.
Jun 13, 2026
The Terms of Service changed — 26 passages removed. Review the current version.
Jun 8, 2026
Governance readiness downgraded: Enterprise-Ready → Conditional. Driven by: 1 new CVE: CVE-2024-23743.
Jun 8, 2026
1 new CVE: CVE-2024-23743.
Jun 8, 2026
1 new CVE (published from 2026-03-31): CVE-2026-22561. A fix is available from the vendor for all of these.
Jun 8, 2026
1 new CVE: CVE-2025-63872.
Jun 8, 2026
1 new CVE (published from 2026-03-19): CVE-2026-26136. 1 of these have no vendor fix listed yet (CVE-2026-26136).
Jun 8, 2026
Governance readiness downgraded: Conditional → High Risk.
Jun 8, 2026
1 new CVE (published from 2026-03-31): CVE-2026-22561. A fix is available from the vendor for all of these.
Jun 8, 2026
23 new CVEs (published from 2025-08-05): CVE-2025-54794, CVE-2025-54795, CVE-2025-55284, CVE-2025-58764, CVE-2025-59041, CVE-2025-59536 (+17 more). A fix is available from the vendor for all of these.
Jun 8, 2026
1 new CVE (published from 2025-05-19): CVE-2025-43714. 1 of these have no vendor fix listed yet (CVE-2025-43714).
Jun 8, 2026
Governance readiness downgraded: Enterprise-Ready → Conditional. Driven by: 1 new CVE (published from 2025-05-19): CVE-2025-43714. 1 of these have no vendor fix listed yet (CVE-2025-43714).
Jun 8, 2026
1 new CVE (published from 2025-05-19): CVE-2025-43714. 1 of these have no vendor fix listed yet (CVE-2025-43714).