Category: session_replay

Decibel

Decibel (now Medallia Digital Experience Analytics) is a session replay vendor that captures complete user interactions including mouse movements, clicks, scrolls, and form inputs to reconstruct full browsing sessions for behavioral analysis.

3 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Decibel discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap (status: pending)

Severity: MEDIUM
They claim: Requires scanner verification of runtime behavior
Observed behavior: Analysis based on public documentation, Medallia acquisition disclosures, and court filings

Customer Impact

What This Means For You

Organizations deploying Decibel face several revenue-relevant risks. PII exposure in session recordings creates regulatory liability under the GDPR (fines of up to 4% of global revenue) and under state privacy laws. The wiretapping lawsuit precedent means organizations may face vicarious liability for Decibel's data collection practices on their properties. The Medallia acquisition means session data is now part of a larger platform ecosystem, so Medallia's entire data governance posture has to be evaluated. If Decibel's JavaScript is compromised via a supply chain attack, every user session on deployed properties would be exposed, creating massive breach notification obligations.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Decibel

  • Audit all Decibel masking rules to verify that PII fields (passwords, payment data, personal information) are properly excluded from recordings.
  • Review Medallia's data processing agreement for session replay data retention, access controls, and cross-platform data sharing provisions.
  • Implement Content Security Policy headers to detect unauthorized modifications to Decibel's JavaScript.
  • Evaluate consent mechanisms to ensure users are informed that their sessions are being recorded, particularly in jurisdictions with wiretapping statutes.
  • Monitor for Subresource Integrity (SRI) hash changes on Decibel's script tags to detect supply chain modifications.
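As an added example that is not part of this briefing (and not Decibel's or Medallia's code), the following Python script implements the SRI monitoring step above: it pins the hash of a known-good copy of a third-party script into a page, then reports any script tag whose served bytes no longer match that hash, or that carries no integrity attribute and so cannot be checked at all. The script URL, page markup and script bodies are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed stand-ins: placeholder URLs and script bodies, not Decibel's real tag or code.
TAGGED_SRC = "https://replay-vendor.invalid/decibel.js"
UNTAGGED_SRC = "https://replay-vendor.invalid/helper.js"
KNOWN_GOOD_SCRIPT = b"window.decibelInsight = function () { /* constructed stand-in */ };"
TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + b"\n/* unexpected code appended upstream */"
PAGE_TEMPLATE = """<html><head>
<script src="{tagged}" integrity="{integrity}" crossorigin="anonymous"></script>
<script src="{untagged}"></script>
</head></html>"""

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity token for `body`: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

class ScriptTagParser(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag in the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))

def verify_scripts(html: str, fetched: dict) -> dict:
    """Classify each external script as 'ok', 'mismatch', 'no-integrity' or 'not-fetched'.
    `fetched` maps src -> bytes actually served; 'mismatch' is the SRI change to alert on."""
    parser = ScriptTagParser()
    parser.feed(html)
    results = {}
    for src, integrity in parser.scripts:
        if not integrity:
            results[src] = "no-integrity"
        elif src not in fetched:
            results[src] = "not-fetched"
        else:
            # SRI permits several space-separated tokens; matching any one of them passes.
            ok = any(sri_hash(fetched[src], t.split("-", 1)[0]) == t for t in integrity.split())
            results[src] = "ok" if ok else "mismatch"
    return results

# Pin the known-good hash into the page, as a deployment would, then check both states.
SAMPLE_HTML = PAGE_TEMPLATE.format(tagged=TAGGED_SRC, untagged=UNTAGGED_SRC, integrity=sri_hash(KNOWN_GOOD_SCRIPT))
if __name__ == "__main__":
    print(verify_scripts(SAMPLE_HTML, {TAGGED_SRC: KNOWN_GOOD_SCRIPT, UNTAGGED_SRC: b""}))
    print(verify_scripts(SAMPLE_HTML, {TAGGED_SRC: TAMPERED_SCRIPT, UNTAGGED_SRC: b""}))
```

In a real deployment the `fetched` bytes come from periodically downloading each script URL, and the pinned integrity values come from the page as served to users.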

Negotiation Leverage

  • Leverage: The GM/Decibel wiretapping lawsuit, while dismissed, established that session replay data collection is legally contested territory. Use this to negotiate stronger data processing terms.
  • Key questions for procurement:
    - What data from session recordings is accessible within the broader Medallia platform?
    - What is the data retention policy for raw session recordings?
    - Who within Medallia can access recordings from your properties?
    - What happens to session recording data if you terminate the contract?
  • Protections to require:
    - Explicit contractual limits on cross-platform data sharing within Medallia.
    - Right to audit masking effectiveness.
    - Breach notification SLA specific to session recording data.
    - Data deletion certification upon contract termination.
    - Indemnification for privacy claims arising from Decibel's collection methodology.

IOC Manifest

3 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Decibel operates within the Medallia ecosystem following the 2021 acquisition. Session replay data can be combined with Medallia's survey, contact center, and social signal data, creating a unified customer experience platform. Decibel integrates with tag managers (Google Tag Manager, Tealium), A/B testing tools, analytics platforms, and customer feedback systems. The platform's API allows session data to be exported to data warehouses and business intelligence tools. Within Medallia, session recordings are accessible to experience management teams spanning marketing, product, customer success, and operations functions.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

3 detection signatures across scripts, domains, cookies, and network endpoints
