The standard for AI builders · v3.2

Test the work.
Ship with confidence.

Touchstone is the governance layer for teams shipping AI into legal, privacy and security minefields. A repeatable methodology — survey, guide, build, audit, ship — wrapped around the eight domains regulators actually care about.

EU AI Act ready · GDPR aligned · Zero data egress
Audit · live
TS-2026-0411

SignSecure / v2.1

8-domain governance review
87/100
Production ready
OK: Lawful basis documented (Art. 6.1.b)
FIX: Rate-limit missing on /sign endpoint
OK: Disclaimer scope reviewed

Find your entry point

Where are you building from?

Tell us where you are. We'll point you to the right corner of the framework.

The Framework

A proven path to production-ready AI.

Five phases. Eight principles. One auditable trail from first prompt to first customer — and every quarterly re-audit after that.

  1. Survey

    Define the idea, validate the opportunity, pick format and model.

  2. Guide

    Follow the 8-principle methodology. Session by session, version by version.

  3. Build

    Iterate with live AI feedback, version control, and checklist scoring.

  4. Audit

    8-domain review — design, legal, security, GDPR, QA, flow, FAQs, terms.

  5. Ship

    Ship with confidence. Monitor in production. Schedule re-audits.

The Audit

Eight domains. One pass.

Every Touchstone audit runs the same eight domains, in the same order — so nothing ships blind to a category of risk. Findings are triaged by severity, tied to evidence, and exportable to your evidence vault.

Private access

The audit is invite-only.

Audit results drive ship / no-ship calls. Request access and we'll open the audit for you within two working days.

Why this matters

The cost of shipping blind.

Founders are shipping AI into legal, privacy and security minefields they don't know exist. The consequences are documented, accelerating, and now codified into law.

€4.5B

GDPR fines issued in 2023 — a record high, up 168% YoY.

Source: GDPR Enforcement Tracker

€35M

Maximum EU AI Act fine — or 7% of global turnover.

Source: EU AI Act, Art. 99

72hr

GDPR breach notification window. Most AI startups have no process.

Source: GDPR Art. 33

63%

Of vibe-coded apps ship with no security review.

Source: Vercel, State of Vibe Coding 2025

Legal: Clearview AI
$75M fine — no GDPR basis, no consent, no erasure.

Security: Prompt injection
Confidential system prompts leaked via basic attacks.

Liability: Advice disclaimers
Legal, medical and financial tools — ToS gaps cost dearly.