How This Briefing Works
This report opens with key findings, then maps the gaps between what Demandbase discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
- Pre-Consent Tracking: 92.2% of page loads fire tracking before consent collection
- Pre-Consent Activity: Demandbase was observed loading and executing before user consent was obtained on 92% of sites where it was detected.
- Subprocessor Disclosure Gap: 30+ additional vendors detected at runtime on demandbase.com
- DNT Non-Compliance: confirmed; DNT is not honored while compliance certifications are claimed
- Undisclosed Party: not in privacy policy
Claims vs. Observed Behavior
Pre-Consent Tracking
- Claim: “SOC2 Type II certified, ISO 27001 certified, GDPR referenced”
- Observed: 92.2% of page loads fire tracking before consent collection
- Evidence: Runtime scan of demandbase.com shows 27 vendors with pre_consent=true
Subprocessor Disclosure Gap
- Claim: “18 subprocessors disclosed on official list”
- Observed: 30+ additional vendors detected at runtime on demandbase.com
- Evidence: Undisclosed: Adroll, Criteo, MetaPixel, RubiconProject, Reddit, HockeyStack, RB2B, etc.
DNT Non-Compliance
- Claim: “Privacy notice explicitly states it does not honor DNT”
- Observed: Confirmed; DNT is not honored while compliance certifications are claimed
- Evidence: Privacy policy quote: Demandbase does not respond to DNT signals
Ad Tech Scope Creep
- Claim: “ABM Platform for B2B”
- Observed: Deploys consumer ad tech (MetaPixel, Criteo, Reddit) for retargeting
- Evidence: Runtime detection of programmatic advertising vendors beyond B2B scope
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Demandbase
- Audit your CMP configuration — ensure the Demandbase tag fires only after consent, given the 92.2% pre-consent rate across the industry
- Review your privacy policy to disclose all vendors Demandbase loads downstream, including undisclosed ad networks (Criteo, MetaPixel, RubiconProject)
- Request the current subprocessor list and compare it to a runtime scan of your own site to identify undisclosed data flows
- Consider tag containment — load Demandbase in an isolated iframe to limit the scope of their JavaScript execution
- Evaluate LiveRamp data flows to understand where your intent signals surface in the programmatic advertising ecosystem
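The first and fourth actions above (consent-first firing and iframe containment) as an added example; this is not Demandbase's or BLACKOUT's code, and VENDOR_TAG_URL, the consent-object shape and the CMP integration point are assumptions for illustration:

```javascript
// Added example, not Demandbase's or BLACKOUT's code. Gate a third-party marketing
// tag on affirmative consent and user opt-out signals, and run it inside an isolated
// iframe so it cannot touch the host page's DOM, forms, keystrokes or first-party cookies.
// VENDOR_TAG_URL is a placeholder; substitute the tag URL your vendor gives you.
const VENDOR_TAG_URL = "https://tag.vendor-placeholder.invalid/tag.js";

// Decision from the signals this report calls out: CMP consent, DNT and GPC.
// Any opt-out signal wins over a stored consent record.
function vendorLoadDecision({ consent, doNotTrack, gpc }) {
  if (doNotTrack === "1" || gpc === true) {
    return { allow: false, reason: "user opt-out signal (DNT/GPC)" };
  }
  if (!consent || consent.marketing !== true) {
    return { allow: false, reason: "no affirmative marketing consent" };
  }
  return { allow: true, reason: "marketing consent granted" };
}

// Attributes for the containment frame. Without allow-same-origin the frame has
// an opaque origin, so the vendor script is cross-origin to the host page.
function containedFrameAttributes(tagUrl) {
  return {
    sandbox: "allow-scripts",        // deliberately omits allow-same-origin
    referrerpolicy: "no-referrer",   // do not leak the host page URL to the vendor
    srcdoc: `<script src="${tagUrl}"></script>`,
    style: "display:none",
  };
}

// Inject (or refuse) the tag. `doc` is passed in so the logic is testable outside
// a browser; in a page, call loadVendorTag(signals, document) from your CMP callback.
function loadVendorTag(signals, doc) {
  const decision = vendorLoadDecision(signals);
  if (!decision.allow) return { loaded: false, reason: decision.reason };
  const frame = doc.createElement("iframe");
  for (const [name, value] of Object.entries(containedFrameAttributes(VENDOR_TAG_URL))) {
    frame.setAttribute(name, value);
  }
  doc.body.appendChild(frame);
  // Return a revoke hook so a later consent withdrawal tears the frame down.
  return { loaded: true, reason: decision.reason, unload: () => frame.remove() };
}

// Collect browser opt-out signals; `nav` is injectable for testing.
function collectSignals(consent, nav = typeof navigator !== "undefined" ? navigator : {}) {
  return { consent, doNotTrack: nav.doNotTrack, gpc: nav.globalPrivacyControl === true };
}
```

Containment removes the vendor's access to the host document, so any vendor feature that depends on reading the page (form capture, session replay) stops working; confirm the result with a runtime scan rather than trusting the configuration.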
If You're Evaluating Demandbase
- Request evidence of consent-first implementation from reference customers — the 92.2% pre-consent rate suggests this is not the default
- Ask for a complete list of downstream data recipients beyond the 18 disclosed subprocessors — 30+ detected at runtime
- Clarify the scope of identity resolution capabilities — does it extend beyond company-level to individual identification?
- Run a runtime scan on reference customer sites to verify claimed consent behavior before procurement
- Compare the disclosed subprocessor list against actual runtime behavior on demandbase.com before signing
Negotiation Leverage
- Pre-consent SLA: 92.2% pre-consent rate — one of the highest in our detection network. Require a contractual guarantee of 0% pre-consent activity with tag containment via isolated iframe or server-side implementation.
- Subprocessor reconciliation: 30+ vendors detected versus 18 disclosed, including undisclosed ad networks (Criteo, MetaPixel, RubiconProject). Require complete enumeration of all downstream data recipients with 30-day advance notice before additions.
- Intent signal isolation: Demandbase aggregates demand signals across customer websites. Require a contractual commitment that your account intent data is not used for programmatic advertising or shared with ad networks detected on their site.
- LiveRamp data flow restriction: LiveRamp (disclosed) enables cross-site identity resolution. Require contractual specification of exactly what visitor data flows to LiveRamp and the right to opt out of this data partnership.
- Consent signal enforcement: Require a contractual guarantee that Demandbase's tag respects your CMP signals and ceases all processing when consent is denied, verified by independent audit.
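The subprocessor reconciliation and pre-consent checks recommended above ("compare the disclosed subprocessor list against runtime behavior" and "0% pre-consent activity") as an added example over a HAR capture; this is not BLACKOUT's tooling, and the disclosed list, first-party domain and the capture itself are constructed sample values:

```javascript
// Added example, not BLACKOUT's tooling. Reconcile a HAR network capture of your own
// site against the subprocessor list a vendor disclosed, counting requests per
// third-party domain and how many fired before the CMP recorded consent.
// DISCLOSED, FIRST_PARTY and SAMPLE_ENTRIES are constructed sample values.
const DISCLOSED = ["liveramp.com", "disclosed-vendor.invalid"];
const FIRST_PARTY = "customer.example";

// Approximation of the registrable domain (last two labels). For ccTLD second-level
// suffixes such as .co.uk a public-suffix list is required instead.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// harEntries: the `log.entries` array of a HAR file. consentTime: ISO timestamp at
// which the CMP recorded the visitor's choice. Returns one record per third-party domain.
function reconcile(harEntries, consentTime, disclosed = DISCLOSED, firstParty = FIRST_PARTY) {
  const consentMs = Date.parse(consentTime);
  const byDomain = new Map();
  for (const entry of harEntries) {
    const domain = registrableDomain(new URL(entry.request.url).hostname);
    if (domain === firstParty) continue;
    const rec = byDomain.get(domain) ||
      { domain, requests: 0, preConsent: 0, disclosed: disclosed.includes(domain) };
    rec.requests += 1;
    if (Date.parse(entry.startedDateTime) < consentMs) rec.preConsent += 1;
    byDomain.set(domain, rec);
  }
  return [...byDomain.values()].sort((a, b) => a.domain.localeCompare(b.domain));
}

// The two questions the report raises, as filters over the reconciliation.
const undisclosedDomains = (report) => report.filter((r) => !r.disclosed).map((r) => r.domain);
const preConsentDomains = (report) => report.filter((r) => r.preConsent > 0).map((r) => r.domain);

// Constructed capture: five requests around a consent event at 10:00:05Z.
const SAMPLE_ENTRIES = [
  { startedDateTime: "2024-01-01T10:00:00.000Z", request: { url: "https://www.customer.example/" } },
  { startedDateTime: "2024-01-01T10:00:01.000Z", request: { url: "https://tag.liveramp.com/pixel" } },
  { startedDateTime: "2024-01-01T10:00:02.000Z", request: { url: "https://px.adnet-placeholder.invalid/rt" } },
  { startedDateTime: "2024-01-01T10:00:06.000Z", request: { url: "https://cdn.disclosed-vendor.invalid/a.js" } },
  { startedDateTime: "2024-01-01T10:00:07.000Z", request: { url: "https://px.adnet-placeholder.invalid/rt" } },
];
const SAMPLE_CONSENT_TIME = "2024-01-01T10:00:05.000Z";
```

Feed it the `log.entries` of a HAR exported from the browser's network panel and the timestamp your CMP logged; any domain in the undisclosed list is a question for the vendor, and any pre-consent domain is a CMP or containment defect on your side.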
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Form data interception
- Keystroke/mouse tracking
- Full session replay
- Identity stitching
- Ignoring CMP signals
- Device identification
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 101 detection signatures across scripts, domains, cookies, and network endpoints