How This Briefing Works
This report opens with key findings, then maps the gaps between what Adiant discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
disclosure_gap
adiant.com/privacy-policy returns 404. Policy only exists on adblade.com subdomain.
disclosure_gap
6-year-old policy predates current enforcement standards and contains zero GDPR/CCPA language
consent_gap
17 third-party tracking vendors fire immediately with no CMP, no cookie banner, no consent collection
Pre-Consent Activity
Adiant was observed loading and executing before user consent was obtained on 20% of sites where it was detected.
claims_gap
Policy admits collecting 'clicks, mouse movements' which constitutes behavioral profiling. Uses identity resolution vendors.
Claims vs. Observed Behavior
disclosure_gap
“No privacy policy exists on adiant.com main domain”
adiant.com/privacy-policy returns 404. Policy only exists on adblade.com subdomain.
Screenshot captured: no_privacy_policy_404.png
disclosure_gap
“Privacy policy last updated February 6, 2020”
6-year-old policy predates current enforcement standards and contains zero GDPR/CCPA language
Policy text states: Last updated: February 6, 2020
consent_gap
“No consent mechanism deployed”
17 third-party tracking vendors fire immediately with no CMP, no cookie banner, no consent collection
Runtime scan detected AdRoll (pre_consent:true), DoubleClick (pre_consent:true), GA4 (pre_consent:true), LinkedIn (pre_consent:true)
claims_gap
“'Adblade does not store any personally identifiable information'”
Policy admits collecting 'clicks, mouse movements' which constitutes behavioral profiling. Uses identity resolution vendors.
Privacy policy Ad Serving section + detected vendors AdRoll, DoubleClick, LinkedIn
subprocessor_gap
“No subprocessor list published”
17 data recipients observed, zero disclosed
Runtime detection of 17 vendors on adiant.com
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Adiant
- →IMMEDIATE: Audit your consent implementation — Adiant has no CMP on their own site, so their code likely does not respect your consent signals
- →Request in writing their current subprocessor list and data flow documentation — 17 vendors detected, zero disclosed
- →Request an updated privacy policy with GDPR/CCPA language — current policy is from February 2020 with no modern compliance references
- →Review your DPA to ensure it covers the 17+ third parties observed on their own site including AdRoll, DoubleClick, and Pubmatic
- →Consider immediate removal — a 6-year-old privacy policy with no consent mechanism suggests an abandoned compliance program
If You're Evaluating Adiant
- →Request current SOC2 report — expect to be told none exists given no visible security certifications
- →Request their subprocessor list — 17 vendors are detected at runtime but zero are disclosed anywhere
- →Factor in joint regulatory risk: using a vendor with 2020-era compliance exposes your organization to GDPR Art 28 liability
- →Require consent-gated deployment contractually — their code must load only after explicit consent on your property
- →Consider alternatives with modern compliance programs — multiple ad networks exist that maintain current privacy policies and consent mechanisms
Negotiation Leverage
- →Compliance modernization requirement: Adiant's privacy policy was last updated February 2020 with zero GDPR/CCPA language. Require updated privacy policy, DPA, and subprocessor list as contract preconditions — expect significant delays or inability to provide.
- →Consent architecture mandate: No CMP deployed on adiant.com means their code has no consent-awareness built in. Require contractual guarantee that their ad serving code respects your CMP signals and loads zero tracking before consent.
- →Subprocessor disclosure: 17 third-party vendors detected on adiant.com with zero disclosed. Require complete vendor enumeration with 30-day advance notice before additions and right to reject.
- →Security certification: No SOC2, ISO, or any security certification visible. Require SOC2 Type II as a contract condition or negotiate significant liability indemnification to offset risk.
- →Termination for compliance failure: Given 6-year compliance gap, include right to terminate without penalty if Adiant cannot demonstrate modern GDPR/CCPA compliance within 90 days of contract signing.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Full session replay
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
61 detection signatures across scripts, domains, cookies, and network endpoints