Datadog RUM

96% pre-consent tracking rate on datadoghq.com: 42+ third-party trackers fire before consent, while Datadog discloses only 12 infrastructure providers as subprocessors. Visitor identification platforms (Leadfeeder, Albacross, Dealfront, IDVisitors, Midbound, Vector) and ABM tools (Demandbase, Influ2) operate undisclosed.

97 IOCs · 25 detections · 96% pre-consent · 19 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Datadog RUM discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

25 detections across 19 sites · 96% pre-consent activity · 1 critical disclosure gap

CRITICAL

Consent Architecture

96% of detected trackers load before consent on datadoghq.com

GDPR Art 6 · GDPR Art 7 · ePrivacy Directive Art 5(3)

CRITICAL

Pre-Consent Activity

Datadog RUM was observed loading and executing before user consent was obtained on 96% of sites where it was detected.

GDPR · ePrivacy

HIGH

Subprocessor Disclosure

42+ third-party vendors detected on corporate website

GDPR Art 28 · CCPA 1798.110

HIGH

Data Sharing Transparency

Advertising networks (Criteo, Meta, Google, Reddit) receive pre-consent data

GDPR Art 13 · CCPA 1798.100

HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps: 1 CRIT · 2 HIGH

Classified: BTI-X01 · BTI-X02 · BTI-X05

Subprocessor Disclosure

GDPR Art 28 · CCPA 1798.110 · HIGH

They Claim

12 subprocessors listed (infrastructure/support only)

Observed Behavior

42+ third-party vendors detected on corporate website

Subprocessor list at datadoghq.com/legal/subprocessors/ omits all advertising, analytics, and visitor identification vendors

Data Sharing Transparency

GDPR Art 13 · CCPA 1798.100 · HIGH

They Claim

Privacy policy references data sharing for business purposes

Observed Behavior

Advertising networks (Criteo, Meta, Google, Reddit) receive pre-consent data

Runtime detection of advertising pixels loading before consent interaction

Customer Impact

What This Means For You

If Datadog RUM monitors your application, you are trusting an observability platform whose own website fires 42+ trackers pre-consent at a 96% rate while disclosing only 12 infrastructure subprocessors. Under GDPR Art 28, this material disclosure gap means you cannot verify the full data processing chain. Visitor identification platforms (Leadfeeder, Albacross, Dealfront, IDVisitors, Midbound, Vector) and ABM tools (Demandbase, Influ2) operating undisclosed on datadoghq.com suggest aggressive visitor deanonymization practices. RUM session replay data captures detailed user interactions — combined with Datadog's other products, this creates potential for cross-correlation of identity and behavioral data. Their SOC2 Type II and ISO 27001 certifications cover infrastructure, not the marketing surveillance stack on their corporate site.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Datadog RUM

  • Audit your tag architecture — ensure Datadog RUM SDK loads only after valid consent, given their 96% pre-consent rate on their own site
  • Review data retention settings in your Datadog console — defaults may exceed your organization's data retention policy
  • Verify session replay is disabled or consent-gated if enabled — session data captures detailed user interactions
  • Check data residency configuration — Datadog processes data in the US by default, which may conflict with EU requirements
  • Assess whether RUM data could be correlated with identity resolution if you use other Datadog products

If You're Evaluating Datadog RUM

  • Request clarification on why 42+ trackers load pre-consent on datadoghq.com despite GDPR compliance claims
  • Ask for the complete list of marketing technology partners processing website visitor data beyond the 12 infrastructure providers
  • Verify data processing locations match your regulatory requirements before deployment
  • Assess whether a vendor whose own website contradicts stated compliance posture meets your vendor management criteria
  • Compare Datadog RUM consent architecture against alternatives like New Relic or Sentry for compliance guarantees

Negotiation Leverage

  • Subprocessor transparency: 42+ trackers detected versus 12 disclosed infrastructure providers. Require complete enumeration of all marketing technology partners processing visitor data on datadoghq.com and any data sharing relationships that could affect your RUM data.
  • Pre-consent SLA: 96% pre-consent rate on their own site. Require contractual guarantee that Datadog RUM SDK loads only after consent on your property with zero pre-consent data capture.
  • Data residency verification: Datadog processes data in the US by default. Require documented data residency options and verify session replay data stays within your specified region.
  • Session replay isolation: Verify session replay is disabled by default and consent-gated when enabled. Require contractual specification of what data types RUM captures and how they are isolated from Datadog's other products.
  • Identity correlation prohibition: With multiple visitor ID platforms on their site, require contractual guarantee that RUM data from your application is not correlated with identity resolution data from their corporate marketing stack.

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

97 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Datadog RUM operates within the broader Datadog observability platform ecosystem. It is typically loaded via tag managers (GTM detected as indirect load method in 96% of cases) or direct script integration. The RUM SDK captures session data, performance metrics, errors, and user interactions. On their own website, Datadog deploys alongside:

  • ABM platforms: Demandbase, Influ2, CaliberMind for account-based marketing
  • Visitor identification: Leadfeeder, Albacross, Dealfront, IDVisitors, Midbound, Vector for B2B lead generation
  • Advertising: Criteo, DoubleClick, Meta, Reddit, Twitter, LinkedIn for retargeting
  • Analytics: GA4, Clarity for behavioral analytics
  • Marketing automation: HubSpot, Marketo, Segment

This creates a dense tracking ecosystem where Datadog RUM data could be correlated with identity resolution and advertising data.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

97 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details