
Finch

Finch is a platform vendor with a VRS of 80, combining Oracle (25), Broker (65), and high Counselor (85) threats. The platform employs defeat devices, session recording, consent bypass, and fingerprinting to enable HR data integration and employment verification services.

93 IOCs · 28 detections · 14% pre-consent · 26 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Finch discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings


28 detections across 26 sites · 14% pre-consent activity

Pre-Consent Activity (MEDIUM)

Finch was observed loading and executing before user consent was obtained on 14% of sites where it was detected.

GDPR · ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

Customer Impact

What This Means For You

HR and finance teams using Finch gain unified access to employment data but inherit three critical liabilities: (1) Worker privacy violations as consent bypass enables data collection without explicit notification, (2) Competitive intelligence leakage as compensation and headcount data feeds platform analytics shared across customers, (3) Special category data exposure from benefits and health information creating GDPR Article 9 liability. The platform's aggregation model makes it impossible to audit which external parties access your employment records.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Finch

  • Demand contractual transparency on employment data retention and access controls
  • Require data processing agreement explicitly prohibiting workforce data sharing for competitive benchmarking
  • Implement worker notification process for all Finch data processing activities
  • Configure HRIS integration to log all external API calls for GDPR Article 30 compliance

If You're Evaluating Finch

  • Request third-party audit of consent bypass mechanisms and session recording practices
  • Evaluate alternative HR data integration tools with documented worker consent flows
  • Consider direct HRIS API integrations to eliminate third-party data aggregation risk
  • Assess whether unified API access justifies worker privacy violation and competitive intelligence leakage

Negotiation Leverage

  • Finch VRS 80 = Broker (65) + Counselor (85) threat. Employment data aggregation = competitive intelligence leakage. Demand data minimization commitments.
  • Session recording (BTI-C07) of HRIS interactions = special category data processing. Require explicit legal basis documentation and worker notification.
  • Consent bypass (BTI-C09) violates GDPR controller transparency. Workers must be notified of all data processing; request technical remediation plan.
  • Employment data sharing across customers for benchmarking = competitive intelligence. Negotiate exclusive data processing or seek alternatives.
  • Ask: What employment data is retained after API call completion? How are worker privacy rights (access, deletion) handled? What is the data breach notification history?
  • Integration convenience must be weighed against worker privacy violations and competitive intelligence risk. Demand legal review before renewal.
Runtime Detections


4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

Impact: Tag-level deception allows Finch to present different data collection behavior to privacy tools versus actual employment data processing, defeating consent mechanisms.

BTI-C07: Session Recording

Full session replay

Impact: Full capture of HRIS interactions including benefits enrollment, compensation adjustments, and performance data creates extreme PII exposure risk.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Employment data collection continues without explicit worker consent, violating GDPR controller transparency requirements and creating per-worker violation liability.

BTI-C10: Fingerprinting

Device identification

Impact: Worker identification across multiple employer systems enables employment history tracking that individuals cannot detect or control, violating privacy expectations.

IOC Manifest


87 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/webpack.runtime.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/frontend.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/real-time-auto-find-and-replace/assets/js/rtafar.local.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/frontend-modules.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/real-time-auto-find-and-replace/assets/js/rtafar.app.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/js/frontend.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.js*  (Tracking script)
  • TRACK  *finch.com/cdn-cgi/challenge-platform/scripts/jsd/main.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/nested-tabs.*.bundle.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/js/animated-headline.*.bundle.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.*.bundle.js*  (Tracking script)
  • TRACK  *finch.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/*/main.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/js/nav-menu.*.bundle.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/text-editor.*.bundle.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor-pro/assets/js/carousel.*.bundle.js*  (Tracking script)
  • TRACK  *finch.com/wp-content/plugins/elementor/assets/js/nested-title-keyboard-handler.*.bundle.js*  (Tracking script)
  • TRACK  finch.com/wp-content/plugins/real-time-auto-find-and-replace/assets/js/rtafar.local.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/frontend.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/real-time-auto-find-and-replace/assets/js/rtafar.app.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/cdn-cgi/challenge-platform/scripts/jsd/main.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.03caa53373b56d3bab67.bundle.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/js/nav-menu.8521a0597c50611efdc6.bundle.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/text-editor.45609661e409413f1cef.bundle.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/nested-tabs.a2401356d329f179475e.bundle.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/js/carousel.3620fca501cb18163600.bundle.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor-pro/assets/js/animated-headline.c009d6fa482515df23f8.bundle.min.js  (Auto-extracted from scan)
  • TRACK  finch.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/d251aa49a8a3/main.js  (Auto-extracted from scan)
  • TRACK  finch.com/wp-content/plugins/elementor/assets/js/nested-title-keyboard-handler.2a67d3cc630e11815acc.bundle.min.js  (Auto-extracted from scan)

Ecosystem

Ecosystem & Supply Chain

Finch operates within the HR tech ecosystem alongside competitors like Workday, ADP, and Rippling. The platform aggregates employment data across hundreds of HRIS systems, creating a centralized repository of workforce intelligence. Integration with lending platforms, background check services, and employment verification systems creates bidirectional data flow where worker records are enriched with external data sources.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

93 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details