How This Briefing Works
This report opens with key findings, then maps the gaps between what Cohere discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
4 detections across 3 sites100% pre-consent activity2 critical disclosure gaps
CRITICAL
Subprocessor Disclosure
47 vendors detected on cohere.com, 33 undisclosed
GDPR Article 28CCPA 1798.140(w)
CRITICAL
Pre-Consent Tracking
100% pre-consent tracking rate, 17 vendors fire before any consent interaction
GDPR Article 7ePrivacy DirectiveCCPA opt-out rights
CRITICAL
Pre-Consent Activity
Cohere was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
GDPRePrivacy
HIGH
Data Anonymization Claims
Deploys 4 B2B deanonymization vendors whose purpose is visitor identification
GDPR Recital 26CCPA 1798.140(o)
HIGH
Undisclosed Party
Not in privacy policy
Disclosure Gaps
Claims vs. Observed Behavior
4 gaps
2 CRIT1 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X04BTI-X05BTI-X08BTI-X09
Subprocessor Disclosure
GDPR Article 28 · CCPA 1798.140(w)CRITICAL
They Claim
“Trust Center lists 14 subprocessors”
Observed Behavior
47 vendors detected on cohere.com, 33 undisclosed
Runtime scan shows 6sense, Demandbase, ZoomInfo, MetaPixel, GoogleAds, LinkedIn, Marketo, TrenDemon, HockeyStack and 24 others not in subprocessor list
Pre-Consent Tracking
GDPR Article 7 · ePrivacy Directive · CCPA opt-out rightsCRITICAL
They Claim
“Claims to honor GPC and obtain consent”
Observed Behavior
100% pre-consent tracking rate, 17 vendors fire before any consent interaction
6sense, Demandbase, MetaPixel, GoogleAds, DoubleClick all load pre-consent
Data Anonymization Claims
GDPR Recital 26 · CCPA 1798.140(o)HIGH
They Claim
“Privacy policy claims data is aggregated and de-identified”
Observed Behavior
Deploys 4 B2B deanonymization vendors whose purpose is visitor identification
6sense, Demandbase, ZoomInfo, RB2B all perform reverse IP lookup and identity resolution
Trust Center Accuracy
FTC Act Section 5 - Deceptive PracticesMEDIUM
They Claim
“Trust Center represents complete security posture”
Observed Behavior
Marketing website practices contradict Trust Center claims
SOC2/GDPR/CCPA badges displayed while violating consent requirements
Customer Impact
What This Means For You
YOUR AI infrastructure evaluation is tracked by deanonymization vendors 6sense, Demandbase, and ZoomInfo the moment YOUR team visits cohere.com — before consent. YOUR enterprise AI procurement signals flow to competitive intelligence platforms, potentially alerting competitors to YOUR AI strategy. YOUR DPA with Cohere references a Trust Center listing 14 subprocessors while 47 vendors operate at runtime — a 33-vendor gap that leaves YOUR compliance documentation materially incomplete. YOUR Privacy-by-Design trust in Cohere is undermined by runtime evidence showing the opposite.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use Cohere
- →Audit your Cohere contract against their actual website practices — Trust Center claims do not match runtime behavior
- →Verify their subprocessor list is complete before signing DPA — 33 vendors are missing from disclosures
- →Request explicit confirmation that your AI training data and API usage data are not shared with deanonymization vendors
- →Implement consent-first loading for any Cohere widgets or SDKs on your properties
If You're Evaluating Cohere
- →Be aware that visiting cohere.com exposes your evaluation activity to 6sense, Demandbase, and ZoomInfo before consent
- →Request the complete subprocessor list and compare against runtime detection data before signing
- →Verify Privacy-by-Design claims against BLACKOUT runtime evidence showing 17 pre-consent vendors
- →Negotiate contractual restrictions on competitive intelligence derived from your usage patterns
Negotiation Leverage
- →B2B deanonymization pre-consent: 6sense, Demandbase, and ZoomInfo fire before consent — YOUR AI evaluation activity is visible to competitors; use this to negotiate removal of deanonymization vendors or require consent-first architecture
- →Subprocessor undercount: 47 vendors detected vs. 14 disclosed — 33-vendor gap undermines Trust Center credibility; require complete disclosure as a contract condition
- →Privacy-by-Design contradiction: Marketing claims Privacy-by-Design while firing 17 vendors pre-consent — leverage for enhanced data protection guarantees
- →Enterprise AI sensitivity: AI infrastructure decisions are strategically sensitive — negotiate data isolation and competitive intelligence restrictions for your evaluation and usage data
Runtime Detections
Runtime Detections
6 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
179 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*cohere.com/_next/static/chunks/*-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/main-app-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/webpack-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/*.*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/919-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/820.*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/app/%5Blocale%5D/(site)/(content)/%5B%5B...slug%5D%5D/page-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/672-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/app/%5Blocale%5D/(site)/layout-*.js*
Tracking script
TRACK
*cohere.com/_next/static/chunks/600-*.js*
Tracking script
TRACK
*cohere.com/_vercel/insights/script.js*
Tracking script
TRACK
*cohere.com/_vercel/speed-insights/script.js*
Tracking script
TRACK
*go.cohere.com/js/forms2/js/forms2.js*
Tracking script
TRACK
*go.cohere.com/index.php/form/getForm*
Tracking script
TRACK
cohere.com/_next/static/chunks/webpack-1b121416c1131a7f.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/2526b07f-55ea6ad4fc5d8033.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/3372-d43a11ed3cf32462.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/main-app-8b6eb1be371aa1c4.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/606920bb-74ff1ac2c5881cb6.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/4740-21c21dff67848875.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/1158-9afd80f1f4784ca3.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/app/%5Blocale%5D/(site)/layout-f3d5f3fcd8dfe20b.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/35a9f203-8f15a8e7798acbe6.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/d27283b4-dd863a5a2974006c.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/1840ae80-0f7353558d92047f.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/d0df6d71-76860c10e162916f.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/ae3483c0-5d7c2651872ec8a2.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/89539cd1-aa925970cf1f1306.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/6989aa7f-79c56dc91ceccba2.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/79a5c8c7-8d2e1a2c5f91247c.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/56ad31fa-0b649efe885326be.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/2647-b349641ed7ba3575.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/6218-4b3a1ddc30c53153.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/1835-937fd8202c124764.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/1104-04a084c1f88a0830.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/600-4e1ab9ec0b13f1c0.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/6903-2feeb0101aa4353b.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/8942-ecd9e4f60edd266a.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/8404-6502e90e8613e39c.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/7116-201f94b78eb4f0a1.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/6815-980a790505f7a80c.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/9979-24400beca6c34fe1.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/672-8fed5b0c8238dbcd.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/1799-2368b9eb2e07e66f.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/9858-0f66c27758629c5d.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/919-6ac7e4329a96ad67.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/4847-0a97401e459a2bc1.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/app/%5Blocale%5D/(site)/(content)/%5B%5B...slug%5D%5D/page-511bb57ca3bf25c2.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/2388.2a603e67fc848c04.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/9918.b2e3a562c016fd6e.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/5375.afb7423d2b3b962d.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/7797.5ecba8a6f30b3f9c.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/820.2149ac7ebe295118.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/9620.141adfba362802a5.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/6813.608f60b47478c31a.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/8080.250eb887d1aac433.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/5495.24a33843eb28e141.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/4070.61206552de36ae74.js
Auto-extracted from scan
TRACK
go.cohere.com/js/forms2/js/forms2.min.js
Auto-extracted from scan
TRACK
cohere.com/_vercel/insights/script.js
Auto-extracted from scan
TRACK
cohere.com/_vercel/speed-insights/script.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/2d1400c4.33880f77071ba18f.js
Auto-extracted from scan
TRACK
cohere.com/_next/static/chunks/9852.c6f444af7053da83.js
Auto-extracted from scan
TRACK
go.cohere.com/index.php/form/getForm
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Cohere operates as an enterprise AI infrastructure provider, positioned as a privacy-first alternative for regulated industries (finance, healthcare, public sector). On their own website, they load Google Tag Manager which orchestrates 47+ vendors including advertising networks (MetaPixel, GoogleAds, DoubleClick, LinkedIn, Adform), B2B deanonymization (6sense, Demandbase, ZoomInfo, RB2B, TrenDemon, HockeyStack), and marketing automation (Marketo, Segment). Their disclosed subprocessor stack (Google Cloud, Stripe, Intercom) represents only the product infrastructure, omitting the aggressive marketing tech deployed on cohere.com. This creates a significant gap: enterprise buyers evaluating Cohere for privacy-sensitive AI deployments are themselves being deanonymized by vendors that would fail their own security reviews.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
191 detection signatures across scripts, domains, cookies, and network endpoints