The criteria under which we would shut this product down.

Classifier false-positive rate on adverse signals (friction, retention)

ThresholdIf sustained false-positive rate exceeds 25 percent over a calendar quarter on any of the adverse signal types, we sunset that signal type.

WhyA signal that fires more wrong than right is worse than no signal. It pulls manager attention into manufactured problems and discredits the real ones.

Sub-floor leakage

ThresholdAny single confirmed instance of team-level data appearing for a team below the 10-person floor triggers a Sev 1 public incident. Three confirmed instances in a calendar year sunset the product.

WhyThe floor is the load-bearing privacy commitment. One verified breach is recoverable with public disclosure. Three is structural failure that no remediation closes.

Insight quality

ThresholdIf the rolling 90-day customer rating of insight usefulness drops below 40 percent useful, we pull the LLM-generated insight surface and run rules-only until quality recovers.

WhyLLM insights presented as actionable but consistently wrong are the same trust failure as wrong audit findings. Pulling the feature is preferable to shipping noise.

Regulatory change response window

ThresholdIf a material regulatory change (EU AI Act, state-level employee-monitoring law, NLRB guidance shift) requires a product change to remain compliant, we either ship the change within 90 days or sunset operations in the affected jurisdiction.

WhyCompliance products that lag the regulation become legal liabilities for the customer. Faster than 90 days is fine. Slower is not.

Data subject request fulfillment

ThresholdIf we cannot fulfill a verified data subject access or deletion request within 30 days, we publicly disclose the failure and engage outside counsel to resolve. Two unresolved DSAR failures in a calendar year sunset the product.

WhyThe retention-zero architecture is supposed to make DSAR trivial because there is no individual data to retrieve or delete. A failure to deliver on that posture means the architecture has broken.

LLM provider boundary breach

ThresholdIf a provider sub-processor is found to be storing or training on customer-routed prompts in violation of the published sub-processor list, we cut the integration within 7 days. If no compliant alternative exists, we sunset the LLM-classifier path and run rules-only.

WhyThe LLM provider boundary is the load-bearing claim of the trust architecture. A breach there is the same class of failure as a sub-floor leakage.

Customer satisfaction floor

ThresholdIf customer-reported integrity concerns exceed 10 percent of the active customer base in a single quarter, we trigger an external review. If the external review confirms a structural integrity problem, we sunset the affected feature or the product as warranted by the finding.

WhyCustomers pay attention to integrity. When they raise concerns at scale, the data is more reliable than internal self-assessment.

Audit finding response

ThresholdAny finding from the annual independent third-party audit that is not resolved or formally accepted with mitigation within 180 days triggers public disclosure. Critical findings unresolved at 365 days sunset the product.

WhyThe annual audit is the structural commitment that ties our revenue to the quality of our work. Letting findings rot kills the commitment.

Pricing-rigor breach

ThresholdIf commercial pressure ever requires us to ship under terms that violate the Trust Principles ('unlimited audits,' AI without review gates, customer attestation as proof), we sunset rather than ship. We do not amend the Trust Principles to enable a deal.

WhyThe Trust Principles are constraints, not goals. Loosening them to close revenue is the failure pattern this whole framework defends against.

Capacity overrun

ThresholdIf we onboard customers faster than we can meet the published response SLAs (privacy email, AUP enforcement, incident response), we pause new-customer onboarding until staffing catches up.

WhyThe SLAs are commitments, not aspirations. Breaking them quietly because we are growing is the volume-business failure mode.