
Appcues

Appcues loads 22 vendors pre-consent on its own website — including identity resolution tools Clearbit, Leadfeeder, and Dealfront — while claiming SOC2 Type II and GDPR compliance.

23 IOCs · 4 detections · 50% pre-consent · 2 sites
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Appcues discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

4 detections across 2 sites · 50% pre-consent activity · 1 critical disclosure gap

CRITICAL · Consent Bypass

22 vendors loading pre-consent (50% rate)

GDPR Art. 6 · GDPR Art. 7 · CCPA 1798.100

CRITICAL · Pre-Consent Activity

Appcues was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

GDPR · ePrivacy

HIGH · Undisclosed Processing

Identity resolution and advertising vendors not disclosed

GDPR Art. 13 · GDPR Art. 28

HIGH · Subprocessor Gap

Marketing and identity vendors not in subprocessor list

GDPR Art. 28 · Standard Contractual Clauses

HIGH · Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps · 1 CRITICAL · 2 HIGH
Classified: BTI-X01, BTI-X02, BTI-X05, BTI-X08, BTI-X10

Undisclosed Processing

GDPR Art. 13 · GDPR Art. 28 · HIGH
They Claim

Privacy policy describes data processing scope

Observed Behavior

Identity resolution and advertising vendors not disclosed

Clearbit, Leadfeeder, Dealfront, Criteo, MetaPixel, DoubleClick observed but not in policy

Subprocessor Gap

GDPR Art. 28 · Standard Contractual Clauses · HIGH
They Claim

Subprocessor list at trust.appcues.com

Observed Behavior

Marketing and identity vendors not in subprocessor list

22 vendors detected vs limited subprocessor disclosure

Customer Impact

What This Means For You

YOUR product onboarding flows powered by Appcues may be loading third-party scripts before your users consent. YOUR user behavior data (which features they explore, where they drop off, what they click) passes through Appcues, and on its own site Appcues was observed sending visitor data to analytics and identity resolution vendors. If you use Appcues alongside Segment or GTM, YOUR data pipeline may include vendor connections that YOUR DPA with Appcues does not cover. A SOC2 Type II report attests to controls over the trust services criteria that were in scope for the audit; it does not by itself attest to consent timing or third-party script loading, so YOUR audit trail can have gaps that Appcues' own certification does not address.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Appcues

  • Audit your Appcues implementation for pre-consent script loading — if their own site has 50% pre-consent rate, verify your deployment is not inheriting the same behavior
  • Review what user behavior data Appcues captures and map downstream flows to third parties
  • Update your privacy policy and subprocessor list to account for Appcues' actual vendor dependencies
  • Implement server-side consent gating for Appcues scripts rather than relying on client-side CMP
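One way to implement the server-side gate in the last bullet, as an added example that is not Appcues' code and not part of this report: a Node.js request handler that emits the Appcues embed tag only when the request carries a consent record, and backs that with a Content-Security-Policy so a tag manager or a cached snippet cannot pull fast.appcues.com in before consent either. The cookie name consent_categories and its comma-separated value are hypothetical (substitute whatever your own consent endpoint writes), and the embed URL form https://fast.appcues.com/<ACCOUNT_ID>.js is a placeholder to be replaced with the snippet from your Appcues account.

```javascript
// Added example (not Appcues' code or part of this report): a server-side
// consent gate for the Appcues embed, plain Node.js with no dependencies.
// Assumptions: consent is recorded in a first-party cookie named
// "consent_categories" (hypothetical) holding a comma-separated list of granted
// categories written by your own consent endpoint; the embed URL form
// https://fast.appcues.com/<ACCOUNT_ID>.js is a placeholder for your snippet.

const CONSENT_COOKIE = 'consent_categories'; // hypothetical cookie name
const APPCUES_ORIGIN = 'https://fast.appcues.com';

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// True only if the cookie grants the category you file Appcues under.
function hasConsent(cookieHeader, category = 'functional') {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return false;
  return raw.split(',').map((s) => s.trim()).includes(category);
}

// CSP for the response: fast.appcues.com becomes a permitted script source
// only once consent exists, so a tag manager or a cached inline snippet
// cannot load it pre-consent either. Add the SDK's own API hosts (take them
// from your staging HAR) to connect-src as needed.
function cspFor(consented) {
  const scriptSrc = ["'self'"];
  if (consented) scriptSrc.push(APPCUES_ORIGIN);
  return `default-src 'self'; script-src ${scriptSrc.join(' ')}`;
}

// Render the <head>; the Appcues <script> tag is emitted only with consent.
function renderHead(cookieHeader, accountId) {
  if (!/^[A-Za-z0-9_-]+$/.test(accountId)) throw new Error('bad account id');
  const consented = hasConsent(cookieHeader);
  const tag = consented
    ? `<script src="${APPCUES_ORIGIN}/${accountId}.js"></script>`
    : '<!-- Appcues withheld: no consent recorded -->';
  return { consented, html: `<head>${tag}</head>` };
}

// Node http request handler: wire up with http.createServer(handle).listen(8080).
function handle(req, res) {
  const page = renderHead(req.headers.cookie, 'ACCOUNT_ID'); // placeholder id
  res.setHeader('Content-Security-Policy', cspFor(page.consented));
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(`<!doctype html><html>${page.html}<body></body></html>`);
}
```

Because the decision is made before the HTML leaves the server, there is no window in which the script tag is already on the page but the CMP has not yet run, which is the race a client-side gate cannot close. The CSP header is what stops a tag manager or third-party snippet from re-introducing the script regardless of the rendered HTML.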

If You're Evaluating Appcues

  • Request Appcues' SOC2 Type II report and verify third-party vendor management controls
  • Compare with Pendo and WalkMe on pre-consent behavior and vendor disclosure practices
  • Test Appcues in a staging environment and audit all network requests before deployment
  • Require contractual guarantees on consent timing and third-party data sharing restrictions

Negotiation Leverage

  • Pre-consent vendor count: 22 vendors fire before consent on appcues.com including Clearbit, Leadfeeder, and Dealfront — use this to negotiate consent timing guarantees for your implementation
  • SOC2 compliance gap: Appcues claims SOC2 Type II yet loads identity resolution vendors pre-consent. Request their latest SOC2 report, check which trust services criteria were in scope (consent handling falls under the Privacy criterion, which many reports omit in favor of Security alone), and compare the described controls against runtime behavior
  • Identity resolution exposure: Clearbit, Leadfeeder, and Dealfront on appcues.com mean visitor identification happens before consent — negotiate contractual restrictions on identity resolution in your deployment
  • CookieYes CMP bypass: Despite deploying CookieYes, 50% of vendors fire pre-consent — leverage this to require server-side consent enforcement rather than client-side CMP
Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 · Defeat Device

Evasion infrastructure, auditor bypass

BTI-C09 · Consent Bypass

Ignoring CMP signals

BTI-C10 · Fingerprinting

Device identification

IOC Manifest

23 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK  *load.sgtm.appcues.com/emwjxhri.js*  Tracking script
TRACK  *load.sgtm.appcues.com/gpt_ads-public.js*  Tracking script
TRACK  *load.sgtm.appcues.com/gtag/js*  Tracking script
TRACK  fast.appcues.com  Tracking script
TRACK  load.sgtm.appcues.com/emwjxhri.js  Auto-extracted from scan
TRACK  load.sgtm.appcues.com/gpt_ads-public.js  Auto-extracted from scan
TRACK  load.sgtm.appcues.com/gtag/js  Auto-extracted from scan
Ecosystem & Supply Chain

Appcues operates in the product-led growth ecosystem and is commonly loaded via a direct script tag or through tag managers (GTM, Segment); on customer sites it was detected loading via script tag. Their platform integrates with analytics tools and CDPs. Notably, on their own website they load identity resolution vendors (Clearbit, Leadfeeder, Dealfront) that can identify website visitors, plus advertising platforms (Criteo, MetaPixel, DoubleClick, Reddit) for retargeting. They use Segment as their CDP and HubSpot for marketing automation. The presence of Cheq (ad fraud detection) suggests awareness of bot/fraud issues.
Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

23 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details