I have been working on my own "Digital Twins Universe" because 3rd-party SaaS tools often block the tight feedback loops required for long-horizon agentic coding. Unlike Stripe, which offers a full-featured environment usable in both development and staging, most B2B SaaS companies lack adequate fidelity (e.g., missing webhooks in local dev) or even a basic staging environment.
Taking the time to point a coding agent towards the public (or even private) API of a B2B SaaS app to generate a working (partial) clone is effectively "unblocking" the agent. I wouldn't be surprised if a "DTU-hub" eventually gains traction for publishing and sharing these digital twins.
I would love to hear more about your learnings from building these digital twins. How do you handle API drift? Also, how do you handle statefulness within the twins? Do you test for divergence? For example, do you compare responses from the live third-party service against the Digital Twin to check for parity?
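To make the divergence question concrete, here is a minimal sketch of the kind of parity check I have in mind: record a response from the live third-party API and the same call against the twin, then compare them after stripping fields that are expected to differ. The field names and helper are hypothetical, not from any actual DTU implementation.

```python
# Hypothetical parity check between a live SaaS response and its digital twin.
# VOLATILE_FIELDS lists fields expected to differ per-request (IDs, timestamps).
VOLATILE_FIELDS = {"id", "created_at", "request_id"}

def normalize(obj):
    """Recursively drop volatile fields so only stable structure and values remain."""
    if isinstance(obj, dict):
        return {k: normalize(v) for k, v in sorted(obj.items())
                if k not in VOLATILE_FIELDS}
    if isinstance(obj, list):
        return [normalize(v) for v in obj]
    return obj

def responses_match(live_response: dict, twin_response: dict) -> bool:
    """True if the twin's response is structurally equivalent to the live one."""
    return normalize(live_response) == normalize(twin_response)
```

Run against a corpus of recorded live responses in CI, this would flag API drift as soon as the twin's shape diverges from the real service.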
As a European founder building startups since 2015, I’ve spent a massive chunk of my career navigating the "alphabet soup" of EU regulation: GDPR, DSA, DMA, AI Act, CSRD, SFDR, CBAM... the list is exhausting.
While the goals are usually noble, I’m increasingly convinced we’re regulating ourselves into irrelevance. I’m not a Big Tech company yet my interests align with theirs. We desperately need an EU that prioritizes actual growth over well-intentioned paperwork. To me, the AI Act and the GDPR are the worst offenders here, representing the largest possible gap between "good intentions" and the actual effect they have on the ground.
Consider frontier LLM labs. We have the talent, the Nordic data centers, and access to the GPUs. But why would any investor drop $100B on a frontier LLM lab here when the legislative environment is fundamentally more hostile than the US? It feels like we’ve already watched Mistral and Aleph Alpha get left in the dust.
To give you an idea of the "compliance vs. reality" GDPR gap: I worked on a project processing healthcare data for millions of people. We had a clear, easy-to-find privacy policy and a responsive DPO. Total GDPR requests for info or deletion? Exactly 53. Out of millions. We spent thousands of hours building systems for rights that only 0.001% of our users cared to use.
If you look at the courts, the "damage" being prevented is equally vague. Since EU courts don't really do punitive damages, most awards are tiny unless there's actual identity theft. Most of what GDPR protects is "mental distress" or "loss of control": concepts so ambiguous that courts rarely award anything for them unless something else went wrong.
The result of all this "protection"? No FAANG-equivalent, no frontier AI leader, and no homegrown ad-tech. It turns out the most perfectly regulated company is the one that never exists in the first place.
I cannot stand reading these comments left by people clearly detached from reality.
I used to work in a medical AI company myself; over the years we had a few requests for deletion, all from some crazy old German people. Moreover, we couldn't train our models on European data, which is absurd.
Medical data is a domain that requires extremely careful consideration of privacy and implications of what you're collecting. Most engineers work in highly regulated fields, except for software engineers, because they're not engineers.
If you can't handle the heat, get out of the kitchen. The big picture is that medical AI is scary stuff that can ruin countless lives if done even slightly wrong.
Thanks for the comment. It actually perfectly illustrates my point. Most people equate GDPR with a "Delete My Account" button, but that’s just the tip of the iceberg.
We didn't spend thousands of hours on a deletion feature alone, or even just on development. We spent them, in total, on being compliant in a healthcare environment. That time goes into:
- Documenting the entire lifecycle (how, why, and where) of every single data point we process.
- Conducting and documenting formal risk assessments (Data Protection Impact Assessments, DPIAs) for every major processing activity.
- Drafting and negotiating data processing agreements (DPAs) with every single partner and vendor we use.
- Building strict role-based access and logging systems to track exactly who views and edits data, and why.
- Implementing pseudonymization and logical data separation to ensure we meet "privacy by design" standards.
- Constantly coordinating between the product and dev teams and the DPO to update policies and communicate changes to users.
The point I’m making is that the EU has built an incredibly expensive regulatory environment to support rights that, in practice, the vast majority of users don't seem to care about. We’re over-engineering for a "loss of control" that the average user hasn't shown much interest in reclaiming.
Those things are all necessary anyway, apart from the last one (communicate to users) which absent GDPR is a nice-to-have. If you don't do them, or something equivalent to them, then your processes will be wrong and you'll have breaches – and breaches of healthcare data are extremely bad. What GDPR gives you is the assurance that you won't be at a competitive disadvantage for doing the bare minimum due diligence, because your competitors are required to do so, too.
> We spent thousands of hours building systems for rights that only 0.001% of our users cared to use.
GDPR does not require that any of the data subject rights are automated, other than "right to be informed" (which it doesn't explicitly spell out has to be automated, but "put the information on the website" is the easiest way to comply if you're relying on the consent basis for anything). If you expect that under 200 people are ever going to exercise a particular right, and automation will take longer than manually fulfilling those requests, then don't automate them: just add it to your DPO's job description.
> that, in practice, the vast majority of users don't seem to care about.
You can't use "people are choosing not to waste the time of a healthcare provider" as an argument that people don't care. They may simply be being kind. I very rarely require GDPR data subject access requests, but when I do, it's very important that I can get them in a timely manner.
If I know what information is kept by the organisation (and therefore would be included in the GDPR request), and there are other ways of me accessing the information I care about having, I don't need to perform a GDPR request. It's organisations where there aren't where I'm most likely to need to make a GDPR request. If a company is actually complying with data minimisation and purpose limitation, I do not need to make a GDPR deletion request. etc etc. I think you're focusing on how annoying it is for you, and not thinking of the impact on your less-ethical competitors (who might otherwise be able to run you out of business – depending on the industry).
I think you’re conflating security with compliance.
If the goal is to stop breaches, we should mandate MFA and ban default-public cloud buckets. Those are technical solutions. GDPR, instead, mandates a massive administrative layer. No data breach has ever been stopped by a well-drafted Privacy Impact Assessment or a 50-page DPA. Those are legal shields, not security measures.
> then don't automate them: just add it to your DPO's job description.
The DPO isn't an engineer. To let them fulfill a request, I still have to build the internal tooling to query, redact, and export data from distributed production databases. Also, "I'll have my DPO do it manually" never sounds good when going through an audit.
> they may simply be being kind.
The simpler explanation is that the average person has no clue what these rights are because they’ve never had a reason to care. In healthcare, patients care that their data is secure and the service works. They aren't losing sleep over "data portability."
Ultimately, this "level playing field" only benefits incumbents. Unethical players ignore the rules until they’re caught, while legitimate startups are hit with a compliance tax that makes it nearly impossible to compete with US-based firms that can focus 100% of their energy on the product.
I have single-handedly stopped breaches-in-progress by going up to a company and saying "this practice of yours isn't GDPR-compliant: here's what you can do instead". I've heard from people who (self-admittedly) have no idea what they're doing, fixing breaches in their organisations that they didn't know about because, while they don't understand computer technology, they do understand their GDPR obligations. GDPR works.
> ban default-public cloud buckets
GDPR Article 5 1(f) already bans those. It doesn't mandate MFA in particular, but it does mandate "protection against unauthorised or unlawful processing […] using appropriate technical or organisational measures". There's a reason that GDPR doesn't get more specific than that. If you're at all familiar with the Microsoft stack, you'll know that mandated security checklists often come at the expense of actual security (see also: AViD's Rule of Usability). There's no real workaround for basic cybersecurity competence, at least at the moment.
> a well-drafted Privacy Impact Assessment
Are you saying you don't design your software systems before implementing them, nor document them before they go into production? It's the work of half an hour to reformat process documentation into a Privacy Impact Assessment report. And yes, as anyone who's worked on safety-critical infrastructure knows, process and documentation save lives. This is not burdensome.
> or a 50-page DPA
I don't think I've ever seen a DPA that long: they're usually under 10 pages, and boil down to "you are the controller, we are the processor, we're not responsible for the data, you're responsible for instructing us to fulfil any data subject requests, we won't fulfil them on our own, we won't peek at the data, here's how we're keeping the data safe". If your DPA is 50 pages long, then I'd warrant there's a bloody good reason for it to be that long. Are you saying you'd go into a complex business arrangement with a service provider without paperwork clearly setting out the expectations for each party to the contract?
(Note that Article 28 does not require the DPA to be a separate document: it's absolutely fine for it to be part of the main contract, so long as the necessary boxes are ticked. Afaik the phrase "data processing agreement" does not appear in the text of the GDPR. Splitting these contractual clauses out as a separate document is a decision made by companies for their own convenience – much like how programmers split programs up into libraries and modules.)
> The DPO isn't an engineer.
Let the DPO requisition an engineer. Running the appropriate queries against the database is a 2 minute job, so round up to half an hour. It's the way Stack Exchange did such things in their first few years of operation (admittedly, pre-GDPR, but that's beside the point). If the engineers are interrupted more than twice a week, then you can have one of them spend a couple of days throwing the tooling together to let the DPO field the requests alone.
> In healthcare, patients care that their data is secure and the service works. They aren't losing sleep over "data portability."
That's actually a major concern for anyone with complicated healthcare needs, who plans on moving to the catchment area of another practice. The amount of time wasted trying to persuade a new doctor that yes, I do need that medication, no I can't have the cheaper medication, I'm allergic — no, I do not want to "check" that I'm allergic, I nearly died the last time… no my prescription for this one needs to halve, not double, it's lower because I'm discontinuing it… all vastly simplified if they can just read up on your electronic health record, which data portability guarantees they're able to do.
> Those things are all necessary anyway
That's a bold statement. Have you ever actually worked on compliance yourself? 80% of it is senseless bureaucracy. I've worked in a medical startup and we had it all: GDPR, HIPAA, FDA approvals, etc. The requirements are completely detached from reality and read as if they were written for 20th-century X-ray manufacturers, not a health-tech AI startup. And they try to regulate everything, even what your organizational structure should look like and how you should create tickets in Jira (or any other _compliant_ product). Developers had to take useless trainings on how a medical organization should operate, which were essentially courses in the Aesopian language of medical bureaucracy. And the legal expenses, boy oh boy: the company had to spend twice as much on compliance staff as it did on developers. And what was the result? Rich American competitors with a ton of VC money were getting approvals while our company struggled with all this idiocy despite having a far superior product.
I'm specifically criticising the claim that GDPR was among the most burdensome requirements. Very little of GDPR is additional to what you need to do anyway, apart from DSARs (which aren't burdensome: you may charge a fee if someone's abusing the process), appointing a DPO (optional for most organisations), and the third-country restrictions (which are partly necessary, and article 45 reduces the burden). I don't dispute that regulations can be silly and a waste of time (e.g. PCI compliance requiring the removal of effective security measures, as directed by incompetent auditors, because the legal requirement is "passes an audit"), but I do dispute the use of GDPR as an example.
I'll note that of the three regulatory acronyms you gave, two of them (HIPAA and FDA approvals) are American.
> two of them (HIPAA and FDA approvals) are American
I specified all three via comma to highlight that we had quite some history in compliance, in different jurisdictions.
HIPAA covers only medical devices; GDPR covers everything. The FDA approval process is convoluted and expensive, especially for new types of devices, but it's still much easier than the European MDR.
Also, I mentioned the FDA because we didn't even try to achieve proper compliance in the EU, because it's impossible for a startup without huge backing.
No, the HIPAA Privacy Rule covers only medical information: see https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg.... Perhaps within your organisation this was restricted to devices, but within a hospital environment there's a lot more covered by the HIPAA Privacy Rule than just medical devices. NB: the combined text of the applicable HIPAA rules (115 pages) is a lot longer than the entire text of the GDPR (88 pages, including recitals).
> The certificates shall be valid for the period they indicate, which shall not exceed five years. On application by the manufacturer, the validity of the certificate may be extended for further periods, each not exceeding five years, based on a re-assessment in accordance with the applicable conformity assessment procedures.
Other than that, it just seems like "do actual science to determine safety" and "if there's no 'intended medical purpose', also do actual science to demonstrate efficacy". The HMT Medizintechnik GmbH consultation feedback seems to say that a small company providing, say, basic sutures, is required to repeatedly prove the adequacy of those sutures, even though everybody knows that basically any sutures are adequate for those cases where sutures are adequate; but I don't think that's a correct reading of the law. (And this shouldn't affect a new device.) So I'm a bit confused. https://www.medtecheurope.org/wp-content/uploads/2025/03/250... clinical evaluation TOP 3 (on page 18) does not describe a problem with the text of MDR, but as a long-term mitigative measure they suggest:
> Possibly making this clearer in the text revision so Notified Bodies do not feel they must ask for PMCF clinical investigations as a default.
You never claimed that the text of the regulation was the issue; and I think I'm starting to see where the problem lies. While the rules are mostly sensible, they delegate to national bodies empowered to exercise discretion, and these bodies are (reportedly) erring on the side of excessive requirements. Was this the reason you gave up on EU certification without attempting it?
This is a great comment. At the same time, GDPR and other standards do not address practical issues that (arguably) cause real harm, such as features that generate undressed images of women and children.
It's the same dynamic that has warped the California housing market by adding a forest of regulations that make it almost impossible to build new housing. Those regulations for the most part add nothing but cost and time to projects. Meanwhile housing prices go through the roof.
I'd argue that, at least in my European country, there are already stricter laws regulating such things that might earn you jail time, while GDPR wasn't made with that in mind.
The problem is enforcing those laws now that the Trump administration is using X and other social networks as instruments of national policy and forcing others to use them, to the (potentially considerable) detriment of European societies.
We're repeating the same overengineering cycle we saw with early LangChain/RAG stacks. Just a couple of months ago the term "agent" was hard to define, but I've realized the best mental model is just a standard REPL:
Read: Gather context (user input + tool outputs).
Eval: LLM inference (decides: do I need a tool, or am I done?).
Print: Execute the tool (the side effect) or return the answer.
Loop: Feed the result back into the context window.
Rolling a lightweight implementation around this concept has been significantly more robust for me than fighting with the abstractions in the heavy-weight SDKs.
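To make that concrete, here is roughly what such a lightweight loop looks like. This is a sketch, not any particular SDK: the `llm` callable and the action/tool shapes are placeholders you would adapt to your provider's API.

```python
# Minimal "agent = REPL" loop. `llm` is any callable that takes the context
# and returns either {"type": "answer", ...} or {"type": "tool", ...}.
def run_agent(llm, tools, user_input, max_turns=10):
    context = [{"role": "user", "content": user_input}]        # Read
    for _ in range(max_turns):
        action = llm(context)                                  # Eval
        if action["type"] == "answer":
            return action["content"]                           # Print: final answer
        result = tools[action["tool"]](**action["args"])       # Print: side effect
        context.append({"role": "tool", "content": result})    # Loop: feed back
    raise RuntimeError("agent did not converge within max_turns")
```

Everything else (retries, streaming, tracing) layers on top of this skeleton without obscuring it.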
I don't think this has much to do with SDKs. I've developed my own agent code from scratch (starting from the simple loop) and eventually- unless your use case is really simple- you always have to deal with the need for subagents specialised for certain tasks, that share part of their data (but not all) with the main agent, with internal reasoning and reinforcement messages, etc.
Interestingly, sticking to the "Agent = REPL" mental model is actually what helped me solve those specific scaling problems (sub-agents and shared data) without the SDK bloat.
1. Sub-agents are just stack frames. When the main loop encounters a complex task, it "pushes" a new scope (a sub-agent with a fresh, empty context). That sub-agent runs its own REPL loop, returns only the clean result without any context pollution, and is then "popped".
2. Shared Data is the heap. Instead of stuffing "shared data" into the context window (which is expensive and confusing), I pass a shared state object by reference. Agents read/write to the heap via tools, but they only pass "pointers" in the conversation history. In the beginning this was just a Python dictionary and the "pointers" were keys.
My issue with the heavy SDKs isn't that they try to solve these problems, but that they often abstract away the state management. I’ve found that explicitly managing the "stack" (context) and "heap" (artifacts) makes the system much easier to debug.
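A minimal sketch of the stack/heap split described above, with illustrative names (the `agent_loop` callable stands in for any single-agent loop like the one in the grandparent comment):

```python
# "Shared data is the heap": large artifacts live in a plain dict; only their
# keys ("pointers") ever enter a conversation's context window.
heap = {}

def store(key, value):
    heap[key] = value
    return key              # the pointer that goes into the context

def load(key):
    return heap[key]

# "Sub-agents are stack frames": run the sub-agent with a fresh task, let it
# read/write the heap via tools, and return only its final result. Its
# intermediate context is discarded when the frame is "popped".
def run_subagent(agent_loop, heap, task):
    result = agent_loop(task, heap)
    return result
```

The parent agent sees only the returned pointer, never the sub-agent's conversation history, which is what keeps the main context clean.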
Indeed. So in addition to your chat loop, you have built a way to spawn sub-agents and to share memory objects between them (or tools) and the main agent; also (I suppose) a standard way to define tools and their actions; to define sub-agents with their separate tools, actions, and (if needed) separate memory objects; to inject ephemeral context into the chat (the current state of the UI, or the last user action); to introduce reinforcement messages when needed; etc. Maybe context packing if/when the context gets too big. Then you've probably built something for evals, so that you can run batches of tasks and score the results. Etc.
So that's my point (and that of the article): it's not "just a loop", it quickly gets much more complicated than that. I haven't used any framework, so I can't tell if they're good or not; but for sure I ended up building my own. Calling tools in a loop is enough for a cool demo but doesn't work well enough for production.
It depends on how you define “safer.” Cities have a higher frequency of accidents, but with lower severity. Highways have a lower frequency of accidents, but with higher severity.
So in this case, you probably want to opt for accidents of lower severity. Metal undents more easily than flesh.
I agree, LLM translations are not only more convenient but also much more capable. I often find myself giving instructions on how to translate text, such as asking the LLM to use formal language in the target language or to apply specific gender-neutral wording. Additionally, it can translate text while preserving the structure (e.g. values in a JSON object) or even adapt to a new target structure. It's just so much more convenient.
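One way to guarantee the structure-preservation mentioned above is to walk the JSON tree yourself and translate only the string values, so keys and shape can never change. The `translate` callable here is a placeholder for whatever LLM translation call you use:

```python
# Structure-preserving translation: recurse through a JSON-like object and
# apply `translate` only to string values, leaving keys and non-strings intact.
def translate_values(obj, translate):
    if isinstance(obj, dict):
        return {k: translate_values(v, translate) for k, v in obj.items()}
    if isinstance(obj, list):
        return [translate_values(v, translate) for v in obj]
    if isinstance(obj, str):
        return translate(obj)
    return obj  # numbers, booleans, None pass through unchanged
```

In practice you can also hand the LLM the whole JSON document with an instruction to preserve structure, but the explicit walk removes any chance of the model mangling keys.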
Lemonsqueezy, Gumroad, and Paddle also act as the merchants of record, meaning they assume liability for every transaction. Their role extends beyond simply handling invoicing.
While I agree with your statement and recognize that, for now, Perplexity has only introduced a financial information platform comparable to Google Finance or Yahoo Finance, the true value of any forward-looking financial model is rooted in the depth of the qualitative research supporting it.
Building a useful forward looking financial model mostly involves qualitative analysis. This means thoroughly examining the company's and competitors' 10-Ks and 10-Qs, digesting industry reports, understanding the company’s business model, breaking down the underlying mechanics of the income statement, balance sheet, and cash flow statement, identifying the core processes driving value creation, forming solid hypotheses on how the business will evolve, etc.
I believe Perplexity, as an advanced answering engine, provides a strong foundation for supporting this kind of in-depth research and hope to see the platform evolve into this direction.
What’s wrong with Lufthansa? It’s the only international business class I’ve ever flown, and I had good experiences compared to most domestic airlines in the US.
The international business class is simply inferior to most of its competitors. Other airlines offer larger seats (4 seats per row vs. 6 seats per row). Their onboard entertainment systems use more modern hardware, provide a better selection of content, and sometimes even integrate better with personal devices. The culinary options are less refined. Additionally, Lufthansa still charges $27 for in-flight Wi-Fi. Their lounges are also subpar — smaller, more crowded, and with fewer culinary options. This is based on my personal experience flying with Lufthansa, Austrian, Swiss (all part of the same group), British Airways, Singapore Airlines, and Turkish Airlines. However, other business travelers echo these sentiments. It's noticeable that they enjoy a lack of competition in their home country of Germany, since some healthy competition would force them to actually improve their business class offering.
I flew with them a few times, as well as KLM, Emirates, and Singapore. Lufthansa's customer service and on-board experience (i.e. food & entertainment) are not on par with the others. When a flight got canceled last minute, we were left hanging with a number to call and a long waiting line, and we are still waiting for our reimbursement. When we needed to reschedule due to a positive coronavirus test, it took 16 minutes with KLM and almost 3 hours with Lufthansa, plus a bunch of (online) paperwork.
On top of that, there were some strange management decisions, like completely stopping pilot training and laying off the pilots who had started during Covid while receiving financial assistance from the state, then struggling with a pilot shortage 2 years later.
They canceled my flight to Dubai on the day of the flight with no alternatives offered/booked. I booked them because I thought they were reliable even if more expensive than alternatives. Never again.
> [...] Meta (or Facebook) democratises AI/ML much more than OpenAI, which was originally founded and primarily funded for this purpose. [...]
I believe this statement is accurate. Your comment does not alter this fact and merely imposes an arbitrary requirement instead of giving credit where credit is due.
If another company were to openly share alternatives to Meta's core assets, I would welcome that as well.
Facebook may be doing the right thing in this case, but for wrong reasons.
If a restaurant chain with deep pockets opens a restaurant in your area and starts selling food at a loss (because they can afford to do so, at least short term) in order to kill your beloved local mom and pop restaurants, should they be praised for it? This is how Walmart built their empire destroying countless small family owned businesses. The difference in the AI business is the scale of the fight. There are just no good guys in this, Facebook or OpenAI.
This is just a ruthless commercial move, not done out of the goodness of Mark's heart.
I read the Sam Walton autobiography and providing low cost goods with lots of options was one of the key benefits they provided smaller towns in Arkansas. The other chains couldn't operate at a profit due to the smaller customer base.
He was constantly trying to optimize his stores, dropping in on his locations daily. Because they were originally so far apart, he learned to fly a plane to save driving time and would just land in the field behind the store.
He was constantly shopping competitors to see what they were doing better and how he could improve.
Originally store staff and towns welcomed the stores and him with open arms.
> If another company were to openly share alternatives to Meta's core assets, I would welcome that as well.
Meta's core asset is human attention. "Sharing" it means selling ads. I don't think there is an open model for that — just giving away access to users is probably not it — but that's only one of many problems with "sharing" attention.
Like I said, it won't happen (for various reasons). So while it's cool that in theory we just want everything to be more open, and celebrate Meta for doing that where they do, and asking for more where they don't, my original point stands.