Building Fenn

Fenn is my first GRC portfolio project, a fictional UK agritech SaaS built from scratch. The brief, the website, and the documents exist as if the company were real. New to tech as a whole but drawn to GRC in theory, I chose to go beyond writing isolated case studies because there's a limit on what's publicly available about how real companies do this work, and a limit on my understanding of it as a result. I "hired" myself to do the work without the pressure of real risk, deadlines, or consequences.

A few choices behind Fenn:

  • Agritech. SaaS and GRC are unfamiliar enough on their own without piling a third unknown industry on top.
  • UK-based. Building Fenn under UK GDPR, the Data Protection Act 2018, and ICO guidance allows me to become familiar with the regulatory environment I'll be navigating for school and placement.
  • B2B SaaS at Series B. This is the stage where GRC genuinely starts to matter. The company is big enough to have real legal obligations (data processor duties, sub-processor disclosures, DPAs) and small enough that one person can model the full scope end to end.

Building Fenn as a privacy-focused company was my first instinct and priority. Next I had to choose the features that would actually create that privacy: customer-held keys, no surveillance default, Proton internally, the sub-processor list. The third step was communicating that privacy to Fenn's customers. "Your land. Your data. Your decision." captured Fenn's commitment in a straightforward but marketable phrase.

For the decision trail behind every choice, see the build log →