All Vendors
platform
Deepl

Deepl

DeepL maintains strong compliance certifications including SOC2 Type II, ISO 27001, and C5 — but gates its security documentation behind NDA access and runs pre-consent tracking on its own site, creating a transparency gap for enterprise procurement.

331 IOCs23 detections83% pre-consent21 sites
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Deepl discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

23 detections across 21 sites83% pre-consent activity
CRITICAL

Pre-Consent Activity

Deepl was observed loading and executing before user consent was obtained on 83% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

Documentation

LOW
They Claim

SOC2 Type II certified

Observed Behavior

Report requires NDA access through Trust Center

trust.deepl.com requires Get access button click for sensitive documents

Customer Impact

What This Means For You

YOUR translation data processed through DeepL is handled by a company with strong certifications but opaque documentation access. YOUR security team cannot independently verify SOC2 or ISO 27001 scope without requesting NDA access through their Trust Center — adding procurement friction. While DeepL's risk profile is LOW compared to surveillance vendors, YOUR pre-consent tracking exposure exists if YOUR team uses DeepL widgets on client-facing properties. YOUR compliance documentation should note that DeepL is fundamentally a translation service, not a tracking vendor — but consent requirements still apply for their web components.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Deepl

  • Review your implementation to ensure consent is obtained before loading DeepL widgets if required by your jurisdiction
  • Consider using DeepL API instead of client-side widgets for better consent control
  • Add DeepL to your subprocessor list even though risk is low — completeness matters for GDPR Article 30
  • Request SOC2 report through Trust Center NDA process to verify certification scope

If You're Evaluating Deepl

  • Request SOC2 and ISO reports through their Trust Center NDA process before signing
  • Evaluate whether API integration vs. client-side widgets better fits your consent architecture
  • Compare with Google Translate and AWS Translate on certification coverage and data handling
  • Verify data processing locations and retention policies for your specific translation use case

Negotiation Leverage

  • Documentation access: SOC2 and ISO reports require NDA access — negotiate streamlined access for your security team as part of the contract
  • Pre-consent widgets: DeepL web components may load before consent — use this to negotiate server-side API integration rather than client-side widgets
  • Strong baseline: SOC2, ISO 27001, and C5 certifications provide a strong compliance foundation — leverage for competitive pricing given lower negotiation complexity
  • Translation data sensitivity: Depending on content translated, data may be highly sensitive — negotiate data retention limits and processing location guarantees
Runtime Detections

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C10Fingerprinting

Device identification

BTI-C13Persistence Mechanisms

Long-lived identifiers

IOC Manifest

IOC Manifest

316 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.deepl.com/_next/static/chunks/*-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/app/global-error-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/webpack-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/main-app-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/app/%5Blang%5D/layout-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/app/%5Blang%5D/(translator)/translator/page-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/772-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/app/%5Blang%5D/(translator)/translator/layout-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/app/%5Blang%5D/(translator)/translator/error-*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/*.*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/late-dtextarea-webcomponent.*.js*
Tracking script
EXFIL
*www.deepl.com/locales/en/pro-api.json*
Data collection endpoint
TRACK
*www.deepl.com/_next/static/chunks/late-cookieBannerLax.*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/late-productupdates.*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/late-texttranslator-desktop.*.js*
Tracking script
TRACK
*www.deepl.com/locales/en/account.json*
Tracking script
TRACK
*www.deepl.com/locales/en/custom-banner.json*
Tracking script
TRACK
*www.deepl.com/locales/en/app_translator.json*
Tracking script
TRACK
*www.deepl.com/locales/en/clarify.json*
Tracking script
TRACK
*www.deepl.com/locales/en/write.json*
Tracking script
TRACK
*www.deepl.com/locales/en/customer-story.json*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/late-research.*.js*
Tracking script
TRACK
*www.deepl.com/product-updates/updates_en.*.json*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/560.*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/late-texttranslator-desktop-features-ita.*.js*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/late-texttranslator-base-features-ita.*.js*
Tracking script
TRACK
*www.deepl.com/dl_webroot.json*
Tracking script
TRACK
*www.deepl.com/_next/static/chunks/tracing.*.js*
Tracking script
TRACK
*gtm.deepl.com/gtm.js*
Tracking script
TRACK
www.deepl.com/_next/static/chunks/webpack-6e4995980b0ef63c.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/1dd3208c-2cab1e2fe6de1f63.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/98534-1dd2a34a3c342c08.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/main-app-a91e4ff9982b72c3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/app/global-error-9fe30de6ce64a6a3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/98505-08c453fff103ba4a.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/89427-b77eadd5b2c44342.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/88146-30ce54f9cda655ba.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/3799-177591e502e2ce64.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/22147-feaaf827791ef63b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/86707-f109820fb1567f60.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/8070-1d339b2264e652f7.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/app/%5Blang%5D/layout-eb8f5d7cbed28dba.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/1d93c7b4-e267d6b083272d5d.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/8b806e8a-9fe7b370b9ae8157.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/ef9e47d8-b6ac4a323cdb5ef8.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/45386-fd95fa7c34477ca7.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/22138-ab6ff0b3a05cc82e.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/58416-c29bc4334eabe843.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/44647-1e5c5ce62e344f07.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/72821-3eef239d5d19f29b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/20108-a0ab2370dd0779e3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/36355-915be3db1ddfa467.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/49002-d89c068419647104.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/39304-3553c4a867d73fe8.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/27014-f768349e31e61925.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/66906-be5fcca18649698b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/70162-09c53c723ceb3c44.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/92100-b210137b46c81624.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/21438-eb670de3eea9aaeb.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/18335-3f66385bc3fc863f.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/59068-d377c656c5259728.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/14935-cb4d8393c11251f3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/92925-da1ae571a0d5cd0e.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/82707-f8872e1b970ef927.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/68042-59757f3da8ff876f.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/45810-d7de56ce3691fe4c.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/61166-2b3d99b8ad054603.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/31284-e7137e1101b019b5.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/51030-7e182e54ed99496b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/48518-85938585ad00e5aa.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/28958-fb60d006d096723e.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/87952-e6db5ec4ccea412d.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/app/%5Blang%5D/(translator)/translator/page-09a1e0870f7d1824.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/772-701c3ea5d58f4844.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/app/%5Blang%5D/(translator)/translator/layout-778cbcd5cb2b73f0.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/app/%5Blang%5D/(translator)/translator/error-4a44d903ac8487ea.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/4023.7be0946acf04c284.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/7089.074f2a38ab95c9ac.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/20519-82c4eda3dd7bba86.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-dtextarea-webcomponent.2d8f8612f5b9cbd9.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/78253.fafbe19f8d3e604b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/70538.650c6080303ac585.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-cookieBannerLax.d9568827a68fd6a9.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/3307.e36a666b3cf16123.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/2302.6e88c928cc015927.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/7013.4c34ddc7ca174814.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-productupdates.120503d405b93a18.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/d6bae39d.2d1648182f1bb3f3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/aad4249a.8482558cb6f53a1d.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/60566-ff20fb7804cb92b6.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/87376-cd3b3393b273af79.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/43724-c575d11ee0f922af.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/76499-4f3a67e1f40835c5.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/58084.2c448c727a4d136c.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/19358.4ed317ed7ac4bf53.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/29062-2cfcaf2d46f4ad5a.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/19235.5c9700573b5dcf65.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/65240.d358c0ff03ef90f3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/60731.e3d59c6ed2b09b31.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-texttranslator-desktop.8688d6d3139e6be6.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/50320.fac85364ba5f0f0f.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/78061.78a457072b3c481c.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/92680.fc41877307de4c0d.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/26359.3e8103b3d2335f02.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/96817.81e1571844da248c.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/81303.3ecd76ca0e1915a3.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-research.6fa95adc9fab4532.js
Auto-extracted from scan
TRACK
gtm.deepl.com/gtm.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/80487abd-015a74dbf3349203.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/9019-fd269579392cd094.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/88089-ac99be5ac6b86b1d.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/77080.16e7e1469839ba8c.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/98573.65c0945f533e40a8.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/18136.72bac3305ca62a2b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/78001.8ebb0c1e8c551672.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/560.1446ac7e85a49ff7.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/75887.40bea459583cd317.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/36800.31d8554527795140.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-texttranslator-base-features-ita.1379a882a3da9310.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/25042.31df9b2aaa0c4866.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/late-texttranslator-desktop-features-ita.ff5d144648424786.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/78489.f4f77fe6f668351b.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/12122.efffbcead2e3758d.js
Auto-extracted from scan
TRACK
www.deepl.com/_next/static/chunks/tracing.df46b70c9f730a3e.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

DeepL operates as a standalone language AI platform. It is typically loaded via direct script integration, browser extensions, or API calls. On scanned sites, DeepL is detected 23 times across 21 unique hostnames, primarily loaded indirectly (likely via translation widgets or integrations). DeepL's own website uses Google Analytics 4, Google Ads, and Google Tag Manager - all disclosed in their privacy policy. The company does not appear to load or be loaded by surveillance/identity resolution vendors.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

331 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details