How This Briefing Works
This dossier opens with key findings, then maps the gap between what Cohere discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
2 CRIT · 1 HIGH
Briefing
Cohere is a Canadian AI company providing enterprise LLM infrastructure, claiming SOC2 Type II, GDPR, and CCPA compliance with "Privacy-by-Design" principles. However, BLACKOUT runtime scans of cohere.com reveal 47 third-party vendors firing, with 17 loading PRE-CONSENT including B2B deanonymization platforms (6sense, Demandbase, ZoomInfo, RB2B) that identify anonymous visitors. Only 14 vendors appear in their Trust Center subprocessor list. This represents a fundamental gap between Cohere's enterprise security posture and their actual website practices - the AI vendor selling privacy-first solutions deploys aggressive visitor identification before consent.
What This Means For You
YOUR AI infrastructure evaluation is tracked by deanonymization vendors 6sense, Demandbase, and ZoomInfo the moment YOUR team visits cohere.com — before consent. YOUR enterprise AI procurement signals flow to competitive intelligence platforms, potentially alerting competitors to YOUR AI strategy. YOUR DPA with Cohere references a Trust Center listing 14 subprocessors while 47 vendors operate at runtime — a 33-vendor gap that leaves YOUR compliance documentation materially incomplete. YOUR Privacy-by-Design trust in Cohere is undermined by runtime evidence showing the opposite.
Risk Channel Breakdown
Cohere's deployment of 6sense, Demandbase, and HockeyStack creates attribution pollution where visitor intent signals are captured and potentially shared before consent, corrupting the measurement integrity that enterprise AI buyers expect from a privacy-first vendor.
B2B deanonymization vendors (6sense, Demandbase, ZoomInfo) receive visitor identity and behavioral signals that can be used to identify which companies are evaluating AI solutions, creating competitive intelligence leakage for prospects visiting cohere.com.
47 third-party JavaScript libraries create a substantial attack surface. MetaPixel, GoogleAds, DoubleClick, and multiple advertising networks increase exposure to supply-chain attacks while expanding the blast radius of any vendor compromise.
Claims to honor GPC and comply with GDPR/CCPA, but 100% of detected vendors fire pre-consent. The gap between Trust Center claims and runtime behavior creates regulatory exposure under GDPR Articles 7 and 28, plus CCPA opt-out requirements.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
Device identification
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Cohere's public claims against observed runtime behavior and identified 4 contradictions.
"Trust Center lists 14 subprocessors"
47 vendors detected on cohere.com, 33 undisclosed
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 14, observed 14
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →