How This Briefing Works
This report opens with key findings, then maps the gaps between what DemandScience discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Subprocessor Disclosure
The investigation detected 25+ third-party vendors loading pre-consent, including Microsoft Clarity, Taboola, Warmly, CrazyEgg, LiveIntent, Facebook, LinkedIn, Google Analytics, Apollo.io, Terminus, The Trade Desk, Reddit, Twitter, Quora, Oktopost, Pardot, G2, Contanuity, InfiniGrow, GetSmartContent, and FingerprintJS.
Consent Mechanism Failure
TrustArc CMP loads AFTER 25+ tracking scripts have already fired. The notice_behavior cookie is set to "implied,eu", indicating an implied-consent model rather than explicit opt-in. All tracking pixels, cookie syncs, and fingerprinting execute before any consent banner interaction.
Cookie Sync / Data Sharing
Active cookie sync chains detected with The Trade Desk, Contanuity, LiveIntent, Taboola, and Beeswax/bidr.io. The LiveIntent sync iframe (liadm.com) loads an identity resolution container. The Trade Desk insight iframe is active. Contanuity cookie sync to the bidr.io exchange confirmed.
Identity Resolution
Warmly visitor deanonymization (getwarmly.com) is active, with a warmly_fingerprint UUID in localStorage. LiveIntent identity graph syncing observed. A usbrowserspeed.com script exfiltrates email hashes to the immagnify.com identity resolution API. The Apollo.io sales intelligence tracker is active, with apolloAnonId in localStorage.
Do Not Track Rejection
The privacy policy explicitly states: “our systems do not respond to browser do-not-track requests.” This contradicts the positioning of TrustArc CMP as a comprehensive privacy management solution.
Claims vs. Observed Behavior
Subprocessor Disclosure
Claim: “Trust Center lists 4 subprocessors: Office 365, AWS, tray.io, Convertr”
Observed: The investigation detected 25+ third-party vendors loading pre-consent, including Microsoft Clarity, Taboola, Warmly, CrazyEgg, LiveIntent, Facebook, LinkedIn, Google Analytics, Apollo.io, Terminus, The Trade Desk, Reddit, Twitter, Quora, Oktopost, Pardot, G2, Contanuity, InfiniGrow, GetSmartContent, and FingerprintJS.
Evidence: CDT MCP network analysis of demandscience.com homepage, 2026-02-22
Consent Mechanism Failure
Claim: “TrustArc CMP deployed for GDPR consent management”
Observed: TrustArc CMP loads AFTER 25+ tracking scripts have already fired. The notice_behavior cookie is set to "implied,eu", indicating an implied-consent model rather than explicit opt-in. All tracking pixels, cookie syncs, and fingerprinting execute before any consent banner interaction.
Evidence: Network request timing analysis showing tracking scripts loaded before consent.trustarc.com, 2026-02-22
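The ordering check behind this finding can be reproduced from any HAR-style request list. The code below is an added example, not BLACKOUT's tooling: the hostnames are the ones this report names, while the timestamps and URL paths are constructed, and the eTLD+1 helper is deliberately crude.

```javascript
// Added example, not from the BLACKOUT report: flag third-party requests that
// fired before the CMP was even requested, using a HAR-style request list.
// Hostnames are the ones named in the report; timestamps and paths are constructed.
const SAMPLE_ENTRIES = [
  { url: 'https://www.demandscience.com/', startedDateTime: '2026-02-22T10:00:00.000Z' },
  { url: 'https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@3/dist/fp.min.js',
    startedDateTime: '2026-02-22T10:00:00.180Z' },
  { url: 'https://getwarmly.com/placeholder-loader.js', startedDateTime: '2026-02-22T10:00:00.260Z' },
  { url: 'https://www.demandscience.com/assets/app.js', startedDateTime: '2026-02-22T10:00:00.300Z' },
  { url: 'https://consent.trustarc.com/notice?domain=demandscience.com',
    startedDateTime: '2026-02-22T10:00:00.950Z' },
  { url: 'https://i.liadm.com/s/placeholder-sync', startedDateTime: '2026-02-22T10:00:01.200Z' },
];

// Crude eTLD+1 (last two labels). Fine for .com hosts; a real audit should use
// the Public Suffix List, since co.uk-style suffixes break this.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Distinct third-party hostnames requested strictly before the first request
// to cmpHost, in order of first appearance. If the CMP never loads at all,
// every third-party request counts as pre-consent.
function preConsentThirdParties(entries, firstPartySite, cmpHost) {
  const ordered = [...entries].sort(
    (a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime));
  const cmpIndex = ordered.findIndex(e => new URL(e.url).hostname === cmpHost);
  const before = cmpIndex === -1 ? ordered : ordered.slice(0, cmpIndex);
  const hosts = [];
  for (const e of before) {
    const host = new URL(e.url).hostname;
    if (siteOf(host) !== firstPartySite && !hosts.includes(host)) hosts.push(host);
  }
  return hosts;
}

// TrustArc's notice_behavior cookie records the consent model and region,
// e.g. "implied,eu" as seen in the report. "implied" means tracking ran on an
// assumption of consent rather than after an opt-in.
function parseNoticeBehavior(cookieHeader) {
  const m = /(?:^|;\s*)notice_behavior=([^;]*)/.exec(cookieHeader);
  if (!m) return null;
  const [model, region = ''] = decodeURIComponent(m[1]).split(',');
  return { model, region, impliedConsent: model === 'implied' };
}

console.log(preConsentThirdParties(SAMPLE_ENTRIES, 'demandscience.com', 'consent.trustarc.com'));
```

On the constructed entries this reports cdn.jsdelivr.net and getwarmly.com as pre-consent and leaves out i.liadm.com, which only fired after the CMP request.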
Undisclosed Fingerprinting
Claim: “No fingerprinting disclosure in privacy policy”
Observed: FingerprintJS v3 is loaded from cdn.jsdelivr.net pre-consent. The browser fingerprinting library executes before any consent mechanism. Privacy policy section 11 discusses cookies and VID tags but makes no mention of browser fingerprinting.
Evidence: External script inventory showing fingerprintjs@3/dist/fp.min.js loaded pre-consent, 2026-02-22
Identity Resolution
Claim: “Cookies on our Website don't store personal data like names, addresses, or phone numbers”
Observed: Warmly visitor deanonymization (getwarmly.com) is active, with a warmly_fingerprint UUID in localStorage. LiveIntent identity graph syncing observed. A usbrowserspeed.com script exfiltrates email hashes to the immagnify.com identity resolution API. The Apollo.io sales intelligence tracker is active, with apolloAnonId in localStorage.
Evidence: localStorage dump showing warmly_fingerprint, apolloAnonId, li_adsId; network request to usbrowserspeed.com with immagnify.com webhook URL, 2026-02-22
Do Not Track Rejection
Claim: “Uses TrustArc CMP for privacy management”
Observed: The privacy policy explicitly states: “our systems do not respond to browser do-not-track requests.” This contradicts the positioning of TrustArc CMP as a comprehensive privacy management solution.
Evidence: Privacy policy Section 11, verbatim quote, 2026-02-22
Data Breach History
Claim: “Security is at the core of everything we do. We follow a security-by-design approach.”
Observed: Pure Incubation subsidiary suffered a 122-million-record data breach confirmed by Troy Hunt / Have I Been Pwned in November 2024. Exposed data included corporate email addresses, physical addresses, phone numbers, employers, job titles, and LinkedIn profile links. Company initially denied the breach.
Evidence: Have I Been Pwned breach entry, Troy Hunt investigation, BleepingComputer reporting, November 2024
Supply Chain Integrity
Claim: “Security-by-design approach with encryption, access control, and secure development practices”
Observed: None of the 35+ external third-party scripts carries a Subresource Integrity (SRI) hash, so a compromise of any of those CDNs would inject code into the page silently. Three separate GTM containers are loaded (GTM-5N8PMB36, GTM-5B649SN6, GTM-TCQ5BW3), widening the tag-management attack surface.
Evidence: External script inventory showing integrity=null on all 35+ third-party scripts, 2026-02-22
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use DemandScience
- Audit your DPA with DemandScience to confirm the subprocessor list matches the observed data-sharing partners -- the investigation found 25+ vendors against 4 disclosed subprocessors
- Request written confirmation that lead data provided to you was not sourced from or contaminated by the 2024 Pure Incubation breach dataset (122M records)
- Verify your legal basis for processing DemandScience-provided leads under GDPR Art. 6 -- their Vermont data broker registration may reclassify received data as sold personal information under CCPA
- Request the current SOC2 Type II report (2024) and verify its scope covers the specific data products and platforms you use, not just internal infrastructure
If You're Evaluating DemandScience
- Require a pre-contract runtime compliance audit of DemandScience properties to verify that consent practices match claims
- Demand full subprocessor disclosure, including all cookie sync and identity resolution partners observed in the runtime investigation
- Compare DemandScience data quality and provenance against Bombora, TechTarget, or Aberdeen -- intent data providers without registered data broker status or recent 122M-record breaches
- Negotiate a right-to-audit clause with access to verify data sourcing practices and breach remediation status
- Include a contractual warranty that no data originates from decommissioned systems or breach-exposed databases
Negotiation Leverage
- The subprocessor gap: The Trust Center discloses 4 subprocessors, but the runtime investigation detected 25+ third-party vendors, including cookie sync chains with ad exchanges. Request complete vendor disclosure within 10 business days as a condition of continued engagement.
- The data provenance question: The 2024 Pure Incubation breach exposed 122 million records containing the same data categories (emails, phone numbers, job titles) DemandScience sells commercially. Require a written warranty that no active datasets contain breach-exposed records, with liquidated damages for breach of warranty.
- The consent architecture failure: TrustArc CMP loads after tracking scripts fire, FingerprintJS executes pre-consent, and the privacy policy relies on implied consent (notice_behavior=implied,eu). Request evidence that consent collection meets the GDPR Art. 7 standard for any EU-sourced data.
- Compliance certification scope: The SOC2 Type II report is gated behind an access request and its scope is unverifiable. Terminus operates under separate ISO 27001/27017 certifications. Require unified compliance documentation covering all entities handling your data.
- Data broker liability transfer: DemandScience is a registered Vermont data broker. Any data you receive may constitute a sale of personal information under CCPA, shifting opt-out compliance obligations to you. Negotiate indemnification for any CCPA claims arising from DemandScience-sourced data.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Keystroke/mouse tracking
- Full session replay
- Identity stitching
- Ignoring CMP signals
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 166 detection signatures across scripts, domains, cookies, and network endpoints