CHEQ

Sells "Go-to-Market Security" while operating the exact surveillance infrastructure they market protection against. 88.3% pre-consent tracking rate with consent rejection ignored — 29 cookies persist after "Reject All." Undisclosed Clearbit deanonymization and Hotjar session recording alongside SOC2, ISO 27001, and GDPR compliance badges.

230 IOCs · 103 detections · 88% pre-consent · 86 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what CHEQ discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

103 detections across 86 sites · 88% pre-consent activity · 3 critical disclosure gaps
CRITICAL

Compliance Fraud

88.3% pre-consent tracking rate, consent rejection ignored, 29 cookies set before consent interaction

GDPR Article 6 · GDPR Article 7 · CCPA Section 1798.120 · ePrivacy Directive Article 5(3)
CRITICAL

Subprocessor Fraud

24+ vendors detected on cheq.ai including Clearbit, ZoomInfo, Hotjar, Meta, Google, LinkedIn, Bing, ChiliPiper, etc.

GDPR Article 28 · GDPR Article 30
CRITICAL

Consent Theater

All tracking cookies persist after Reject All. Clearbit shows isReadied: true post-rejection. DataLayer shows denied but scripts continue.

GDPR Article 7(3) · ePrivacy Directive · CCPA Opt-Out Rights
CRITICAL

Pre-Consent Activity

CHEQ was observed loading and executing before user consent was obtained on 88% of sites where it was detected.

GDPR · ePrivacy
HIGH

Undisclosed Surveillance

Clearbit actively de-anonymizes business visitors. ZoomInfo provides person-level identification. Hotjar records sessions.

GDPR Article 13 · GDPR Article 14 · CCPA Disclosure Requirements
Disclosure Gaps

Claims vs. Observed Behavior

5 gaps
3 CRIT · 2 HIGH
Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X07, BTI-X08, BTI-X10

Compliance Fraud

GDPR Article 6 · GDPR Article 7 · CCPA Section 1798.120 · ePrivacy Directive Article 5(3)
CRITICAL
They Claim

SOC2 Type II, ISO 27001, GDPR, CCPA compliant

Observed Behavior

88.3% pre-consent tracking rate, consent rejection ignored, 29 cookies set before consent interaction

Runtime detection data shows 103 CHEQ detections with an 88.3% pre-consent rate. Forensic analysis documents 29 cookies set while the consent banner was still visible; all of them persist after Reject All.

Subprocessor Fraud

GDPR Article 28 · GDPR Article 30
CRITICAL
They Claim

Subprocessor list: AWS, Microsoft Azure, Zendesk (3 vendors)

Observed Behavior

24+ vendors detected on cheq.ai including Clearbit, ZoomInfo, Hotjar, Meta, Google, LinkedIn, Bing, ChiliPiper, etc.

Comparison of the runtime scan against the subprocessor list. The cookie policy partially discloses some vendors, but the subprocessor list (required under GDPR Article 28) names only 3.

Undisclosed Surveillance

GDPR Article 13 · GDPR Article 14 · CCPA Disclosure Requirements
HIGH
They Claim

Not disclosed: B2B de-anonymization, identity resolution

Observed Behavior

Clearbit actively de-anonymizes business visitors. ZoomInfo provides person-level identification. Hotjar records sessions.

Clearbit object in DOM shows persist:true, maxage:31536000000 (1 year). ZoomInfo detected in runtime scans.

Privacy Marketing Fraud

FTC Act Section 5 · Consumer Protection Laws
HIGH
They Claim

Privacy is a top concern for us and is baked into everything we do

Observed Behavior

18 vendors fire pre-consent on own website. CNAME cloaking via takingbackjuly.com obfuscates tracking.

Trust Center quote vs runtime detection data. takingbackjuly.com DNS analysis shows CNAME to CHEQ infrastructure.

Customer Impact

What This Means For You

If CHEQ's "GTM Security" tools are deployed on your site, you are partnering with a vendor that operates the exact surveillance behaviors they claim to detect. Their 88.3% pre-consent rate and consent rejection bypass (29 cookies persist after "Reject All") mean CHEQ's own JavaScript may violate your consent architecture. Under GDPR Art 7, their tracking persists after consent denial, creating direct regulatory liability for you. CHEQ owns Deduce (identity resolution), ClickCease, and Ensighten (consent management) — creating a surveillance conglomerate with visibility across 15,000+ customer websites. Undisclosed Clearbit deanonymization on cheq.ai means prospects evaluating CHEQ are identified and targeted, a practice that may extend through their deployed JavaScript. The irony is structural: CHEQ sells bot detection while deploying undisclosed session recording and identity resolution against their own visitors.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use CHEQ

  • AUDIT IMMEDIATELY: Run a runtime scan on your properties to verify what CHEQ's JavaScript actually loads and whether it respects consent rejection
  • DEMAND DISCLOSURE: Request complete list of all subprocessors and CHEQ subsidiaries (Deduce, ClickCease, Ensighten) — not the 3-vendor facade
  • TEST CONSENT: Verify consent rejection actually stops CHEQ tracking on your site — it does not on theirs (29 cookies persist after Reject All)
  • REVIEW CONTRACTS: Check if CHEQ's DPA terms hold them liable for their own non-compliance and consent bypass behavior
  • DOCUMENT EVERYTHING: Preserve evidence of claims versus behavior gap before they remediate — this protects your organization

If You're Evaluating CHEQ

  • REQUEST SOC2 REPORT: Verify if pre-consent tracking and consent rejection bypass are addressed in the audit scope
  • TEST THEIR SITE: Visit cheq.ai and reject consent — observe cookie persistence yourself to understand their compliance posture
  • ASSESS THE IRONY: A GTM Security vendor operating undisclosed surveillance creates unique liability when cited in your vendor assessments
  • CONSIDER ALTERNATIVES: Evaluate bot detection vendors that do not operate identity resolution subsidiaries (Deduce) or consent management tools (Ensighten)
  • COMPARE COMPETITORS: PerimeterX, DataDome, and Akamai offer bot detection without the surveillance conglomerate structure

Negotiation Leverage

  • Consent architecture audit: CHEQ's own site ignores consent rejection — 29 cookies persist after Reject All. Require independent verification that CHEQ's JavaScript on your property respects your CMP signals, with documented test results before deployment.
  • Surveillance scope limitation: CHEQ owns Deduce (identity resolution), ClickCease, and Ensighten (consent management). Require contractual guarantee that data from your property does not flow to any CHEQ subsidiary or affiliate for cross-site intelligence.
  • Subprocessor disclosure: CHEQ discloses 3 subprocessors while operating extensive undisclosed tracking. Require complete enumeration of all CHEQ entities and third-party vendors that receive data from their JavaScript deployed on your property.
  • Compliance theater remediation: SOC2, ISO 27001, and GDPR badges alongside 88.3% pre-consent rate and consent bypass constitutes misrepresentation. Require SOC2 report access and verification that audit scope covers pre-consent behavior and consent rejection handling.
  • Evidence preservation: Document CHEQ's claims versus behavior gap before any remediation — this evidence protects your organization if regulatory action targets CHEQ's customer base.
Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C08 Cross-Domain Sync

Identity stitching

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C13 Persistence Mechanisms

Long-lived identifiers

BTI-C14 Identity Resolution

PII deanonymization

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest

214 INDICATORS

Indicators of compromise across 7 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

CHEQ operates as the center of a surveillance conglomerate through strategic acquisitions: ClickCease (click fraud, 2020-2021), Ensighten (consent management, 2022), and Deduce (identity resolution, Jan 2025). This creates vertically integrated surveillance capabilities: Ensighten provides consent theater, CHEQ core provides bot/traffic analysis, Deduce provides identity graph, and ClickCease serves SMB market. CHEQ is loaded indirectly via tag managers (88 sites detected), typically deployed by marketing teams without security review. Their JavaScript communicates with obfuscated domains (takingbackjuly.com) using CNAME cloaking. On their own site, they load Clearbit (B2B de-anonymization), ZoomInfo (person identification), HubSpot (CRM tracking), Google/Meta/LinkedIn (advertising), and Hotjar (session recording). Backed by Battery Ventures and Tiger Global with $1B valuation, CHEQ has significant resources to expand their surveillance footprint. The ecosystem position is unique: they sell protection against the exact behaviors they deploy.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

230 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details