How This Briefing Works
This dossier opens with key findings, then maps the gap between what Datadog RUM discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 7 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Datadog RUM is a Real User Monitoring product from Datadog, a publicly traded observability platform (NYSE: DDOG) headquartered in New York. While Datadog maintains extensive compliance certifications including SOC2 Type II, ISO 27001, GDPR, and CCPA, their own website demonstrates a significant gap between stated compliance posture and actual behavior. Runtime analysis detected 42+ third-party trackers loading pre-consent on datadoghq.com at a 96% rate, while their subprocessor disclosure lists only 12 infrastructure providers. This represents a material disclosure gap where advertising networks, visitor identification platforms, and marketing automation tools operate undisclosed on their corporate properties.
What This Means For You
If Datadog RUM monitors your application, you are trusting an observability platform whose own website fires 42+ trackers pre-consent at a 96% rate while disclosing only 12 infrastructure subprocessors. Under GDPR Art 28, this material disclosure gap means you cannot verify the full data processing chain. Visitor identification platforms (Leadfeeder, Albacross, Dealfront, IDVisitors, Midbound, Vector) and ABM tools (Demandbase, Influ2) operating undisclosed on datadoghq.com suggest aggressive visitor deanonymization practices. RUM session replay data captures detailed user interactions — combined with Datadog's other products, this creates potential for cross-correlation of identity and behavioral data. Their SOC2 Type II and ISO 27001 certifications cover infrastructure, not the marketing surveillance stack on their corporate site.
Risk Channel Breakdown
Datadog RUM captures detailed session data including user interactions, page performance, and errors. When combined with the 42+ undisclosed third-party trackers on their own site, measurement integrity is compromised - the same data may be simultaneously flowing to advertising networks (Criteo, DoubleClick, Meta) and visitor identification platforms (Demandbase, Leadfeeder, Albacross) that Datadog does not disclose.
The presence of ABM platforms (Demandbase, Influ2, CaliberMind), visitor identification vendors (Leadfeeder, Albacross, Dealfront, IDVisitors, Midbound, Vector), and advertising networks pre-consent means visitor demand signals are being shared with competitors or third parties who could exploit this intelligence.
Datadog RUM itself is a legitimate monitoring tool, but the corporate website attack surface is substantial - 42+ third-party scripts loading pre-consent creates significant supply chain risk. Any compromise of these vendors could affect Datadog site visitors.
The 96% pre-consent tracking rate directly contradicts GDPR Article 6 (lawful basis) and ePrivacy Directive requirements. Claims of GDPR/CCPA compliance on the Trust Center while operating this pre-consent tracking regime creates regulatory exposure and consent validity questions for enterprises using Datadog.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Datadog RUM's public claims against observed runtime behavior and identified 3 contradictions.
"GDPR compliant per Trust Center"
96% of detected trackers load before consent on datadoghq.com
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 12, observed 14
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
