How This Briefing Works
This dossier opens with key findings, then maps the gap between what Deepl discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
Briefing
DeepL SE is a German AI-powered language translation company founded in 2017 and headquartered in Cologne. As a translation service provider (not a surveillance/tracking vendor), DeepL maintains a strong compliance posture with SOC2 Type II, ISO 27001:2022, GDPR, HIPAA, and C5 certifications. The company transparently discloses 20+ subprocessors in its privacy policy and operates a comprehensive Trust Center. No BTI-X violations were detected - DeepL represents a low-risk vendor for translation and language AI services.
What This Means For You
YOUR translation data processed through DeepL is handled by a company with strong certifications but opaque documentation access. YOUR security team cannot independently verify SOC2 or ISO 27001 scope without requesting NDA access through their Trust Center — adding procurement friction. While DeepL's risk profile is LOW compared to surveillance vendors, YOUR pre-consent tracking exposure exists if YOUR team uses DeepL widgets on client-facing properties. YOUR compliance documentation should note that DeepL is fundamentally a translation service, not a tracking vendor — but consent requirements still apply for their web components.
Risk Channel Breakdown
LOW RISK: DeepL is a translation tool, not an analytics or attribution platform. It does not corrupt measurement systems. When embedded on sites, it processes text for translation purposes only.
LOW RISK: DeepL processes language content for translation, not demand signals or intent data. No evidence of data brokerage or competitive intelligence leakage. Translation requests are not shared for marketing purposes.
LOW RISK: DeepL maintains enterprise-grade security (SOC2, ISO 27001, HIPAA). Regular penetration testing, BYOK encryption options, and SSO/SAML support. Minimal attack surface expansion when deployed.
LOW RISK: Comprehensive GDPR compliance, transparent cookie policy, clear consent mechanisms on their own properties. 82.6% pre-consent detection rate on third-party sites reflects implementer behavior (how sites deploy widgets), not DeepL non-compliance.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Long-lived identifiers
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Deepl's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 20, observed 21
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →