QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
data_enrichment
Clay

Clay

Clay aggregates 150+ data sources as a self-admitted $3.1B data broker, while running 44+ third-party vendors on its own site — 15+ of which are advertising and tracking tools absent from its subprocessor disclosure at trust.clay.com.

14 IOCs observed21 detections81% pre-consent17 sites
80
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Clay discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
21

across 17 sites

Pre-Consent Rate
81%

vendor fires before consent

Disclosure Gaps
4

1 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X05BTI-X08BTI-X12
Summary

Briefing

Clay Labs is a $3.1B-valued GTM data enrichment platform that aggregates 150+ data providers and AI agents. As a self-admitted data broker, Clay sells professional contact information to customers. Key finding: Clay deploys 44+ third-party vendors on their own website including identity resolution (RB2B), advertising pixels (Meta, Google, LinkedIn), and intent vendors, yet their subprocessor list only discloses infrastructure providers. With 28.2% pre-consent tracking rate while claiming SOC2/GDPR/CCPA compliance, Clay exemplifies the gap between compliance theater and runtime behavior.

Customer Impact

What This Means For You

YOUR enrichment queries through Clay expose YOUR prospect lists to a platform aggregating data from 150+ sources — every query teaches Clay more about YOUR target accounts and ideal customer profile. YOUR compliance posture is directly affected: as a self-admitted data broker, Clay triggers additional regulatory obligations under CCPA that flow through to YOUR data processing agreements. If YOUR sales team uses Clay for contact enrichment, YOUR organization may be processing personal data without adequate legal basis, since Clay's subprocessor list at trust.clay.com undercounts actual vendors by 10+. YOUR competitive intelligence is at risk — enrichment queries reveal YOUR ICP to a platform serving YOUR competitors.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
55

Clay corrupts measurement by creating data asymmetry. Their 150+ enrichment providers enable customers to identify and profile prospects, while the same customers may appear in Clay databases without knowledge. Clay users gain visibility into their targets while contributing to a surveillance ecosystem.

Broker
Control Collapse
100

As a data broker with access to 150+ data sources, Clay is a demand signal aggregator. Intent data, job changes, and enrichment queries all flow through Clay, creating a comprehensive view of market activity that could advantage competitors or buyers of Clay data.

Reaper
Safety Collapse
0

Clay integrates with 150+ external APIs and data providers, creating significant third-party attack surface. Each integration is a potential data exfiltration vector. The RB2B identity resolution on their own site demonstrates willingness to deploy aggressive tracking technology.

Counselor
Legitimacy Collapse
100

Clay admits to being a data broker in their privacy policy. With 28.2% pre-consent tracking and undisclosed advertising vendors on their own site, organizations using Clay inherit consent liability. The gap between their disclosed subprocessors and actual site behavior creates audit exposure.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C08
Cross-Domain Sync

Identity stitching

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X08
Scope Creep

Collection exceeds disclosed scope

BTI-X12
Assurance Gap

Gated or missing due diligence docs

5
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

4
Gaps Observed
1 CRITICAL2 HIGH1 MEDIUM

BLACKOUT analyzed Clay's public claims against observed runtime behavior and identified 4 contradictions.

BTI-X01BTI-X02BTI-X05BTI-X08BTI-X12
Featured Gap
Undisclosed Data Recipients
CRITICAL
They Claim

"Subprocessor list at trust.clay.com discloses 34 vendors"

BLACKOUT Observed

44+ third-party vendors detected on clay.com, including 15+ advertising/tracking vendors completely absent from disclosures

3 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
4

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
0undisclosed

Claims 34, observed 34

Commonly Paired With
9

googletagmanager, metapixel, googleanalytics4

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: clayFirst Seen: 2026-01-03Last Updated: 2026-02-28