Crisp

Claims "strict GDPR implementation" while operating a 53.8% pre-consent tracking rate with 30 undisclosed third-party vendors on crisp.chat. No subprocessor list published despite GDPR Article 28 requirements. B2B deanonymization vendors (RB2B, HockeyStack, Usergems, Hunter, Pitchbook) identify visitors without disclosure.

224 IOCs · 13 detections · 54% pre-consent · 8 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Crisp discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

13 detections across 8 sites · 54% pre-consent activity · 1 critical disclosure gap
CRITICAL

Consent Compliance

53.8% pre-consent tracking rate with 6 ad/tracking vendors loading before consent

GDPR Art 6 · GDPR Art 7 · ePrivacy Directive
CRITICAL

Pre-Consent Activity

Crisp was observed loading and executing before user consent was obtained on 54% of sites where it was detected.

GDPR · ePrivacy
HIGH

Transparency

30 third-party vendors detected, zero named in privacy policy

GDPR Art 13 · GDPR Art 14
HIGH

Subprocessor Disclosure

GDPR Article 28 requires controllers to disclose processors

GDPR Art 28
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRIT · 2 HIGH · 1 MED
Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X06

Transparency

GDPR Art 13 · GDPR Art 14 · HIGH
They Claim

Privacy policy references external partners

Observed Behavior

30 third-party vendors detected, zero named in privacy policy

Scan detected vendors including identity resolution (RB2B, Usergems), ad platforms (Google, Meta, LinkedIn), and analytics (PostHog, GA4, HockeyStack)

Subprocessor Disclosure

GDPR Art 28 · HIGH
They Claim

No subprocessor list published

Observed Behavior

GDPR Article 28 requires controllers to disclose processors

No subprocessor_list_url found on crisp.chat or docs.crisp.chat

Data Localization

GDPR Art 44-49 · Schrems II · MEDIUM
They Claim

Data hosted in Netherlands and Germany

Observed Behavior

Runtime shows data transmission to US-based platforms (Google, Meta, LinkedIn, Twitter)

Network requests to doubleclick.net, facebook.com, linkedin.com detected in scans

Customer Impact

What This Means For You

If Crisp's chat widget is deployed on your site, you inherit a vendor that claims strict GDPR compliance while running 30 undisclosed third-party vendors on their own site at a 53.8% pre-consent rate. Under GDPR Art 28, Crisp is required to provide a subprocessor list — they do not publish one. Six vendors fire before consent on crisp.chat including DoubleClick, MetaPixel, LinkedIn, and PostHog, suggesting their JavaScript may not respect your CMP signals. The presence of B2B deanonymization vendors (RB2B, HockeyStack, Usergems, Hunter, Pitchbook) on their site means visitors evaluating Crisp are being identified for sales targeting — a practice that may extend to sites embedding their chat widget. You cannot verify Crisp's compliance claims without a published subprocessor list.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Crisp

  • Audit your CMP to ensure the Crisp chat widget script loads only after consent — their 53.8% pre-consent rate suggests their code may not respect CMP signals
  • Request Crisp's DPA and subprocessor list in writing — they do not publish one despite GDPR Art 28 requirements
  • Review your privacy policy to ensure Crisp and their undisclosed third-party vendors are properly disclosed to your users
  • Monitor network requests from the Crisp widget for unexpected third-party calls to deanonymization or advertising services
  • Consider whether Crisp's own compliance gaps create vicarious GDPR liability for your organization under Art 28

If You're Evaluating Crisp

  • Request complete subprocessor list before signing — Crisp's refusal to publish one is itself a GDPR Art 28 violation
  • Ask for evidence of consent mechanism implementation on their own properties — 53.8% pre-consent rate contradicts GDPR claims
  • Conduct runtime scan of crisp.chat to verify current vendor footprint before procurement decision
  • Negotiate contractual protections against their compliance gaps including pre-consent tracking indemnification
  • Consider EU-headquartered alternatives with published subprocessor lists and demonstrable consent compliance (Intercom, Zendesk)

Negotiation Leverage

  • Subprocessor list requirement: Crisp publishes no subprocessor list despite GDPR Article 28 mandate. Require complete subprocessor enumeration as a contract precondition — their refusal to publish one is itself a compliance violation.
  • Pre-consent SLA: 53.8% pre-consent rate on crisp.chat with 6 ad/tracking vendors loading before consent. Require contractual guarantee that the Crisp chat widget loads zero third-party vendors before consent on your property.
  • Deanonymization disclosure: RB2B, HockeyStack, Usergems, Hunter, and Pitchbook on crisp.chat identify visitors for sales targeting. Require written confirmation of whether these deanonymization capabilities extend to sites embedding the Crisp widget.
  • Widget data isolation: Require contractual guarantee that data collected through the Crisp chat widget on your site is not shared with any third-party vendor detected on crisp.chat or used for Crisp's own sales intelligence.
  • EU-headquartered accountability: As a French company, Crisp is directly subject to GDPR. Their non-compliance on their own site (no subprocessor list, pre-consent tracking) creates vicarious liability for customers who trust their GDPR claims.
Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

222 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Crisp operates as a customer messaging platform (chat widget, helpdesk, CRM). Sites embed Crisp JavaScript to enable live chat. Crisp loads via direct script tag. On their own marketing site, Crisp deploys an extensive martech stack: GoogleTagManager orchestrates loading of ad pixels (DoubleClick, GoogleAds, LinkedInAds, MetaPixel, TwitterPixel), analytics (GoogleAnalytics4, PostHog, HockeyStack), and B2B identification vendors (RB2B, Usergems, Hunter, Pitchbook, Fullenrich, Breakcold). This suggests Crisp prioritizes aggressive lead generation over privacy practices. The presence of 30 vendors on a company claiming GDPR compliance indicates a significant gap between stated values and operational reality.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

224 detection signatures across scripts, domains, cookies, and network endpoints
