If your team “vibe coded” a CRM with Claude to move faster, the constraint isn’t the UI. It’s whether the system can answer three boring questions on demand: who changed what (audit logs), what gets deleted when someone asks (GDPR erasure), and whether your emails land in inboxes (SPF/DKIM/DMARC).
Those questions showed up fast in Thorstein Nordby’s LinkedIn post—“Where are your audit logs? How does GDPR right-to-erasure work? What’s your email deliverability setup? SPF, DKIM, DMARC…”—and the comment thread did what comment threads do: half dunking, half defending, all circling the same point. A CRM is not a weekend CRUD app. Not once it touches revenue and personal data.
Here’s the one move that keeps “we built our own CRM” from turning into a quiet pipeline tax: treat compliance + deliverability as product requirements, not later clean-up. Start with auditability. Everything else hangs off it.
Why this matters now: enforcement and sender rules don’t care about your sprint
The risk isn’t theoretical. Compliance summaries put cumulative GDPR fines at more than €7.1B since enforcement began, and report 330+ fines in 2025, with breach notifications up 22% year over year (OrbiqHQ; UnifyGTM). Even if those numbers don’t map cleanly to any one category of violation, they describe the environment: scrutiny is active, and the paperwork trail matters.
At the same time, mailbox providers have been tightening baseline requirements for bulk senders. Google’s sender guidelines frame SPF, DKIM, and DMARC as foundational controls for authentication and anti-spoofing (Google Workspace Admin Help). That’s not a “marketing ops preference.” It’s table stakes for outbound and lifecycle programs that are supposed to create qualified pipeline.
So when someone says “we vibe coded our own CRM,” the right response isn’t moral panic. It’s operational triage: can this thing survive an audit request, a deletion request, and a deliverability incident without turning into a fire drill?
The primary tactic: build an “audit-first” spine before you add features
Audit logs sound like an enterprise checkbox. They’re not. They’re the spine that lets you run the rest of the system with guardrails instead of vibes.
Nordby’s list leads with “Where are your audit logs?” for a reason. Without immutable (or at least tamper-evident) change history, every downstream workflow becomes guesswork: duplicate resolution, attribution disputes, lead routing bugs, “why did this deal stage change,” and yes—GDPR requests.
Seen from the other side, this is what the “Claude + one developer can do it” argument in the comments is actually about. Siddharth Sharma wrote that Nordby is “overestimating how important those things are,” and that deliverability lives in outbound tools while marketing email can live elsewhere—so a simpler CRM can stay simple. That’s a fair constraint call. But it doesn’t remove the need to prove what the system did. It just shifts where the proof has to come from.
Audit-first doesn’t mean “build Salesforce.” It means: every object that matters for revenue and privacy (contact, company, deal, activity, consent status, suppression status) produces an append-only event stream of changes: timestamp, actor (human or system), source (UI, API, import), old value, new value, and request ID. No exceptions.
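As an added example (not code from the post or from any CRM it mentions), here is a minimal hash-chained version of that event stream: each event records the hash of the one before it, so a rewritten or dropped row is detectable. The entity names, actors and field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical in-memory audit spine for a DIY CRM; names are assumptions, not from the post.
# Every event stores the hash of the previous one, so rewriting or dropping history
# is detectable: "immutable (or at least tamper-evident)" change history.
GENESIS = "0" * 64


def _event_hash(event: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is deterministic across processes.
    payload = json.dumps({k: v for k, v in event.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(log: list, *, entity: str, entity_id: str, field: str,
                 old, new, actor: str, source: str, request_id: str) -> dict:
    """Record one field change on a contact/company/deal/consent object."""
    event = {
        "seq": len(log),
        "ts": datetime.now(timezone.utc).isoformat(),
        "entity": entity, "entity_id": entity_id, "field": field,
        "old": old, "new": new,
        "actor": actor,            # human user or system principal
        "source": source,          # "ui", "api", "import"
        "request_id": request_id,  # lets downstream syncs write back the same ID
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    event["hash"] = _event_hash(event)
    log.append(event)
    return event


def verify_chain(log: list) -> int:
    """Return the seq of the first tampered event, or -1 if the chain is intact."""
    prev = GENESIS
    for ev in log:
        if ev["prev_hash"] != prev or _event_hash(ev) != ev["hash"]:
            return ev["seq"]
        prev = ev["hash"]
    return -1


def history(log: list, entity_id: str) -> list:
    """Answer 'why did this deal stage change': every event for one record, in order."""
    return [ev for ev in log if ev["entity_id"] == entity_id]
```

In a real deployment the log lives in an append-only table or stream and `verify_chain` runs as a scheduled check, not only on demand.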
Because once the questions start, they don’t stop. And the hardest ones aren’t even technical—they’re timeline questions.
GDPR erasure is a distributed-systems problem (and you have ~30 days)
GDPR’s right to erasure (Article 17) requires organizations to erase personal data “without undue delay” when valid grounds apply, such as withdrawal of consent or unlawful processing (Data Protection Commission, Ireland). In practice, guidance commonly references about one month / 30 days to respond to data subject requests (DPO Centre; Flosum).
That SLA is brutal if the CRM is the only place you thought about identity. UnifyGTM’s compliance guidance makes the operational point clearly: honoring an erasure request means executing deletion across every system holding the data—CRM, email tools, enrichment providers—not just the primary database (UnifyGTM).
And the footprint is wider than the CRM. Personal data tends to exist in places teams forget: logs, analytics tools, backups, third-party processors. Jetico notes that while backups may be retained temporarily, the data should be placed “beyond use” and then deleted under retention controls—so the goal is documented process + controls, not panic deletion (Jetico).
This is where audit-first pays off. If each record has a consistent internal identifier and every downstream sync writes its request ID back into the event log, you can answer: where did this person’s data go, what was deleted, what was suppressed, and what is pending in a backup retention window.
Vincent Hoftijzer’s comment—“most of these questions still remain unanswered even in businesses that already have a modern CRM in place”—lands. A bought CRM doesn’t magically solve erasure. But a DIY CRM without an audit spine makes it almost impossible to even know what to fix.
Email deliverability: SPF/DKIM/DMARC are baseline, not a strategy
If the CRM is sending email directly (or triggering sends), deliverability becomes part of the product. Google’s guidance describes the basics: SPF authorizes sending sources, DKIM provides cryptographic integrity, and DMARC ties them together with alignment and policy (Google Workspace Admin Help). EPHost’s rollout pattern is the sane one: implement SPF/DKIM first, then DMARC in monitoring mode (p=none) before enforcing quarantine/reject (EPHost).
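An added example, not EPHost’s or Google’s code: a small check that tells you which step of that rollout a sending domain is on, given its SPF, DKIM selector and DMARC records. It assumes the records have already been fetched from DNS and are passed in as strings, so it runs offline.

```python
import re
from typing import Optional

# Hypothetical readiness check for the SPF -> DKIM -> DMARC rollout order above (added
# example, not EPHost's or Google's code). Records are passed in as strings so it runs
# offline; in practice they come from the sending domain's DNS TXT records.


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def rollout_stage(spf: Optional[str], dkim: Optional[str], dmarc: Optional[str]) -> str:
    """Name the next rollout step for a domain, or 'enforced' once DMARC is p=reject."""
    # SPF: must exist and end with a restrictive 'all' (-all hard fail, ~all soft fail).
    if not spf or not spf.startswith("v=spf1") or not re.search(r"[-~]all\s*$", spf):
        return "publish SPF with a restrictive terminal mechanism (-all or ~all)"
    # DKIM: the selector record must carry a public key (p=) and mail must be signed.
    if not dkim or "p=" not in dkim:
        return "publish a DKIM public key and sign outbound mail"
    # DMARC: start in monitoring mode so you see failures before you block mail.
    if not dmarc or not dmarc.startswith("v=DMARC1"):
        return "publish DMARC in monitoring mode: v=DMARC1; p=none; rua=mailto:<reports mailbox>"
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "")
    if policy == "none":
        if "rua" not in tags:
            return "add rua= so monitoring mode actually produces aggregate reports"
        return "review aggregate reports, then move to p=quarantine"
    if policy == "quarantine":
        return "watch for legitimate mail being quarantined, then move to p=reject"
    if policy == "reject":
        return "enforced"
    return f"unrecognised DMARC policy {policy!r}"
```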
But authentication isn’t the finish line. Blueshift’s 2026 deliverability guidance is blunt: inbox placement also depends on sender reputation, engagement, list hygiene, complaint rates, content quality, sending consistency, and consent practices (Blueshift). In other words: you can “pass DMARC” and still get buried.
So the practical design requirement for a DIY CRM isn’t “can it send emails.” It’s “can it protect reputation.” That means first-class suppression, consent state, and a clean separation between transactional and marketing streams—plus monitoring that catches drift before it wrecks pipeline.
Armon Butler’s comment—“When the engineer who built it leaves next quarter, who maintains it?”—is the maintenance version of the same argument. Systems that touch revenue need continuity. Audit logs are a big part of how you hand continuity to the next person without tribal knowledge.
Run it this week: an audit-log MVP that doesn’t boil the ocean
Hypothesis (make it falsifiable): If the CRM ships an append-only audit log for contacts/deals and every integration writes request IDs, then DSAR/erasure response time will drop and data disputes (routing, attribution, stage changes) will be resolved faster because changes become traceable.
Setup: Owner = RevOps or Eng lead; reviewer = Legal/Privacy point person. Scope = contacts + deals only (don’t start with “everything”). Tools = whatever stack exists, but require one central event table/stream.
Launch (2–5 days): Add event capture on create/update/delete, include actor + source + old/new values, and expose a read-only audit view internally. Add a “privacy action” event type for erasure/suppression actions and propagate that request ID into downstream tools.
Readout (week 2): Time one mock erasure request end-to-end. Count how many systems you had to touch. List the unknowns. That list is the roadmap.
Success = DSAR/erasure workflow can be executed and evidenced within the “about one month / 30 days” expectation (DPO Centre; Flosum), with a clear record of actions taken. Guardrails = no increase in duplicate creation rate; no regression in lead routing latency. Stop-loss = if audit logging adds material write latency or breaks integrations, roll back to capturing only critical fields and re-test.
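As an added example for the readout step (not from the post), a tracker that reads the “privacy action” events each downstream system wrote back with the request ID and reports what was deleted, what was suppressed, what is still inside a backup retention window, and which systems are unknown. The system names, the 14-day backup window and the sample events are assumptions.

```python
from datetime import date, timedelta

# Hypothetical erasure tracker for the mock request in the readout step (added example,
# not from the post). It reads the "privacy action" events each downstream system wrote
# back with the request ID. System names, retention window and sample data are assumed.
SYSTEMS_HOLDING_DATA = {"crm", "email_tool", "enrichment", "backup"}
BACKUP_RETENTION_DAYS = 14
DEADLINE_DAYS = 30


def erasure_status(events: list, request_id: str, today: date) -> dict:
    """Summarise what happened to one erasure request across every system."""
    mine = [e for e in events
            if e["request_id"] == request_id and e["type"] == "privacy_action"]
    if not mine:
        raise ValueError(f"no privacy actions recorded for {request_id}")
    opened = min(date.fromisoformat(e["date"]) for e in mine)
    deleted = {e["system"] for e in mine if e["action"] == "deleted"}
    suppressed = {e["system"] for e in mine if e["action"] == "suppressed"}
    pending = {}
    for e in mine:
        # Backups are placed "beyond use" first; deletion lands when retention expires.
        if e["action"] == "beyond_use":
            pending[e["system"]] = (date.fromisoformat(e["date"])
                                    + timedelta(days=BACKUP_RETENTION_DAYS))
    touched = deleted | suppressed | set(pending)
    return {
        "request_id": request_id,
        "deleted": sorted(deleted),
        "suppressed": sorted(suppressed),
        "pending_until": {s: d.isoformat() for s, d in pending.items()},
        "unknown": sorted(SYSTEMS_HOLDING_DATA - touched),  # the readout's roadmap list
        "days_left": (opened + timedelta(days=DEADLINE_DAYS) - today).days,
        "evidenced": not (SYSTEMS_HOLDING_DATA - touched),
    }


# Constructed sample events for one mock request (not real data).
SAMPLE_EVENTS = [
    {"type": "privacy_action", "request_id": "dsar-42", "system": "crm",
     "action": "deleted", "date": "2025-03-01", "actor": "privacy-ops"},
    {"type": "privacy_action", "request_id": "dsar-42", "system": "email_tool",
     "action": "suppressed", "date": "2025-03-02", "actor": "sync-bot"},
    {"type": "privacy_action", "request_id": "dsar-42", "system": "backup",
     "action": "beyond_use", "date": "2025-03-02", "actor": "sync-bot"},
    {"type": "field_change", "request_id": "req-9", "system": "crm",
     "action": "stage", "date": "2025-03-03", "actor": "u_alice"},
]
```

The `unknown` list is the “list the unknowns” output of the readout: every system that holds the person’s data but never wrote a privacy action back under this request ID.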
Nordby’s post ends with “Build your product. Buy your CRM.” That’s often right. But when teams do build anyway, the real line isn’t “weekend vs. enterprise.” It’s whether the system can tell the truth later—about who did what, what got deleted, and what got sent.
Vibe coding can ship screens. Audit logs ship accountability.