How This Briefing Works
This report opens with key findings, then maps the gaps between what FlashRev discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
14+ third-party vendors (Google Analytics, Facebook Pixel, HubSpot, RB2B, LeadLander, Google Ads, Stripe, Cloudflare and others) fire before any consent interaction; the Complianz CMP banner gates nothing.
The RB2B visitor identification script is obfuscated and served from a bare CloudFront distribution hostname (ddwl4m2hdecbv.cloudfront.net) so that hostname-based blocklists and ad blockers miss it. Strictly this is generic CDN hosting, not domain fronting in the TLS SNI/Host mismatch sense, but the evasion effect is what matters for the ISO 27001 and SOC 2 claims below.
Facebook Pixel fires on the Complianz consent events (cmplz_event_marketing, cmplz_event_statistics, cmplz_event_preferences) before any consent is recorded, and data leaves for Google, Facebook and RB2B (all US) plus ip-api.com; nothing observed supports the EU data residency claim.
No loaded script checks the DNT signal; tracking fires regardless of the browser setting, so the privacy policy's DNT statement is false as deployed.
Stripe.js loads on every page, not just checkout, and fingerprints the device via m.stripe.network; combined with visitor identification this is PHI exposure risk if any health-related data touches the platform.
Claims vs. Observed Behavior
Undisclosed Gap
“We first request your explicit consent to process your personal data in cases requiring your consent”
14+ third-party vendors, including Google Analytics, Facebook Pixel, HubSpot, RB2B, LeadLander, Google Ads, Stripe and Cloudflare, all fire before any consent interaction. A Complianz CMP banner is present but does not gate any script, so the "explicit consent first" statement is not true of the marketing site's own tracking.
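The pre-consent finding is reproducible from the browser's own Resource Timing data. The following is an added example, not code from the BLACKOUT report or from FlashRev: it lists every third-party host contacted before the moment consent was recorded. The sample timeline is constructed from hosts named in this report; the paths, timings and the site hostname (flashrev.com) are assumptions, not captured data.

```javascript
// Added example (not from the BLACKOUT report or FlashRev): reproduce the
// "fires before consent" check from Resource Timing entries.
// In a live tab: auditPreConsentThirdParties(performance.getEntriesByType("resource"),
//   "flashrev.com", consentMs) where consentMs is performance.now() captured in the
//   CMP's accept handler (or Infinity if the banner was never clicked).

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (_) { return null; }
}

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// entries: objects shaped like PerformanceResourceTiming ({ name, startTime }).
// consentAt: ms since navigation start when a consent choice was recorded.
// Returns one record per third-party host contacted before consentAt, earliest first.
function auditPreConsentThirdParties(entries, siteHost, consentAt) {
  const byHost = new Map();
  for (const entry of entries) {
    const host = hostOf(entry.name);
    if (!host || isFirstParty(host, siteHost) || entry.startTime >= consentAt) continue;
    let rec = byHost.get(host);
    if (!rec) {
      rec = { host, firstSeen: entry.startTime, requests: 0 };
      byHost.set(host, rec);
    }
    rec.firstSeen = Math.min(rec.firstSeen, entry.startTime);
    rec.requests += 1;
  }
  return [...byHost.values()].sort((a, b) => a.firstSeen - b.firstSeen);
}

// Constructed sample timeline (assumed site host, paths and timings; hosts from the report).
const SAMPLE_SITE_HOST = "flashrev.com";
const SAMPLE_CONSENT_AT_MS = 4000; // user clicked Accept four seconds after load
const SAMPLE_ENTRIES = [
  { name: "https://www.flashrev.com/", startTime: 0 },
  { name: "https://cdn.flashrev.com/app.js", startTime: 150 },
  { name: "https://www.googletagmanager.com/gtag/js", startTime: 310 },
  { name: "https://connect.facebook.net/en_US/fbevents.js", startTime: 420 },
  { name: "https://ddwl4m2hdecbv.cloudfront.net/loader.js", startTime: 455 },
  { name: "https://lltrck.com/collect", startTime: 520 },
  { name: "https://www.google-analytics.com/g/collect", startTime: 700 },
  { name: "https://www.googletagmanager.com/gtm.js", startTime: 760 },
  { name: "https://m.stripe.network/inner.html", startTime: 900 },
  { name: "https://js.hs-scripts.com/portal.js", startTime: 4500 }, // after consent: not a finding
];

function runSampleAudit() {
  return auditPreConsentThirdParties(SAMPLE_ENTRIES, SAMPLE_SITE_HOST, SAMPLE_CONSENT_AT_MS);
}

// A correctly gated site returns an empty array; every host listed is a finding.
console.log(runSampleAudit());
```

Run it with `Infinity` as the consent time to get the full third-party inventory of a page where the banner was never touched; the difference between the two runs is exactly the set of vendors the CMP actually gates.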
Undisclosed Gap
“ISO 27001 Certified, SOC 2 Type II Certified”
The RB2B visitor identification script is obfuscated and served from a bare CloudFront distribution hostname (ddwl4m2hdecbv.cloudfront.net) rather than an RB2B-branded domain, which defeats hostname-based blocklists and ad blockers. Strictly, this is CDN hosting under a generic hostname, not domain fronting (a TLS SNI/Host header mismatch), but the evasion effect is the same. Deliberately making a tracker hard to identify is difficult to reconcile with the secure development and supplier transparency controls that an ISO 27001 certification (Annex A.14 in the 2013 edition) and a SOC 2 Type II attestation are supposed to evidence.
Undisclosed Gap
“GDPR Compliant with EU Data Residency”
Facebook Pixel fires on the Complianz consent events (cmplz_event_marketing, cmplz_event_statistics, cmplz_event_preferences) before any consent is recorded. Data flows to Google (US), Facebook (US), RB2B (US) and ip-api.com (a geolocation lookup service). No evidence of EU data residency was observed for any of these flows.
Undisclosed Gap
“Custom control to enable or disable privacy-impacting features”
The Complianz CMP offers Accept and Close options but controls no script loading: all 14+ third-party scripts fire regardless of consent state. The privacy controls are decorative.
Undisclosed Gap
“Privacy policy mentions only Google as data processor”
LeadLander (lltrck.com) intercepts form inputs site-wide through a focusout event listener, validates email addresses and exfiltrates the email domain (or the full address when its formalyze option is enabled) to lltrck.com. None of this form interception is disclosed, and LeadLander is not named as a processor.
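A site-wide focusout interceptor is easy to miss in a network capture because it only sends data after the visitor types. The following added example (not FlashRev's or LeadLander's code) wraps EventTarget.prototype.addEventListener so that every form-related listener is logged with the script location that registered it; a third-party origin such as lltrck.com then shows up by host. It must be loaded before any third-party script (first inline script in head, or a devtools override on reload). The site hostname used in the helper is an assumption.

```javascript
// Added example (not FlashRev's or LeadLander's code): audit which scripts register
// form-related listeners, attributing each registration to the host it came from.

const WATCHED_EVENTS = new Set(["focusout", "blur", "input", "change", "keyup", "submit"]);
const listenerLog = [];

// First stack frame outside the wrapper, plus the host of the script in that frame.
// Inline and local frames carry no http(s) URL and are tagged "inline-or-local".
function callerLocation(stack) {
  const frames = (stack || "").split("\n").slice(2); // drop "Error" and the wrapper frame
  const frame = (frames[0] || "").trim();
  const m = frame.match(/https?:\/\/([^/\s:)]+)/);
  return { frame, host: m ? m[1] : "inline-or-local" };
}

function describeTarget(t) {
  if (t && typeof t.nodeName === "string") return t.nodeName.toLowerCase(); // "#document", "input", ...
  if (typeof Window !== "undefined" && t instanceof Window) return "window";
  return "EventTarget";
}

// Wraps addEventListener on the given prototype; returns a function that restores it.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, handler, options) {
    if (WATCHED_EVENTS.has(type)) {
      listenerLog.push({
        type,
        target: describeTarget(this),
        capture: options === true || Boolean(options && options.capture),
        registeredBy: callerLocation(new Error().stack),
      });
    }
    return original.call(this, type, handler, options); // never interfere with the page
  };
  return () => { proto.addEventListener = original; };
}

// Registrations that came from a host other than the site's own (assumed hostname form).
function thirdPartyFormListeners(siteHost) {
  return listenerLog.filter(e => {
    const h = e.registeredBy.host;
    return h !== "inline-or-local" && h !== siteHost && !h.endsWith("." + siteHost);
  });
}

// In a browser, install immediately so later scripts are caught; in Node this is a no-op.
if (typeof document !== "undefined") installListenerAudit();
```

A document-level focusout listener registered from lltrck.com with capture set is the signature the report describes; the same log also catches keyup-based keystroke harvesting, which is why the watched set is wider than focusout alone.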
Undisclosed Gap
“Our website responds to and supports the Do Not Track (DNT) header request field”
No loaded script checks the DNT signal (navigator.doNotTrack in page scripts, or the DNT request header server-side); all tracking fires unconditionally regardless of the browser setting. The privacy policy's DNT statement is false as deployed.
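For contrast with the decorative Complianz banner and the absent DNT check above, here is what an enforcing integration looks like. This is an added example, not FlashRev's or Complianz's code: vendor scripts are injected only after the CMP grants their category, and a DNT or Global Privacy Control signal is treated as a refusal that overrides any banner click. The category assignments and the cmplz_event_* names are taken from this report; the script URLs and the assumption that those events fire when a category is granted are mine.

```javascript
// Added example (not FlashRev's or Complianz's code): a consent- and DNT-gated
// tracker loader. Nothing is injected until the CMP grants the category.

const TRACKERS = [
  { name: "google-analytics", category: "statistics", src: "https://www.googletagmanager.com/gtag/js" },
  { name: "facebook-pixel",   category: "marketing",  src: "https://connect.facebook.net/en_US/fbevents.js" },
  { name: "hubspot",          category: "marketing",  src: "https://js.hs-scripts.com/portal.js" },          // assumed path
  { name: "rb2b",             category: "marketing",  src: "https://ddwl4m2hdecbv.cloudfront.net/loader.js" }, // assumed path
];

// DNT is navigator.doNotTrack === "1" (older Gecko used "yes", old IE navigator.msDoNotTrack);
// Global Privacy Control is navigator.globalPrivacyControl === true.
function optOutSignalled(nav) {
  const dnt = nav.doNotTrack !== undefined ? nav.doNotTrack : nav.msDoNotTrack;
  return dnt === "1" || dnt === "yes" || nav.globalPrivacyControl === true;
}

// consent: { statistics, marketing, preferences } booleans as recorded by the CMP.
// An opt-out signal wins over any banner click; an unset category is never implied.
function allowedTrackers(consent, nav) {
  if (optOutSignalled(nav)) return [];
  return TRACKERS.filter(t => consent[t.category] === true);
}

function loadTracker(doc, tracker) {
  if (doc.querySelector(`script[data-tracker="${tracker.name}"]`)) return false; // already injected
  const s = doc.createElement("script");
  s.src = tracker.src;
  s.async = true;
  s.dataset.tracker = tracker.name;
  doc.head.appendChild(s);
  return true;
}

// Wire the gate to the Complianz category events named in the report (assumed to fire
// when the user grants that category). Returns the live consent state for inspection.
function installConsentGate(doc, nav, consentState = {}) {
  for (const category of ["statistics", "marketing", "preferences"]) {
    doc.addEventListener(`cmplz_event_${category}`, () => {
      consentState[category] = true;
      for (const t of allowedTrackers(consentState, nav)) loadTracker(doc, t);
    });
  }
  return consentState;
}

if (typeof document !== "undefined") installConsentGate(document, navigator);
```

The two properties worth verifying in any deployment are visible here: before the first cmplz_event_* the page makes no vendor request at all, and a visitor with DNT or GPC set gets no vendor request even after clicking Accept.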
Undisclosed Gap
“HIPAA Certified”
Stripe.js loads on every page, not only checkout, and performs device fingerprinting via m.stripe.network. If any health-related data flows through the platform, visitor identification combined with fingerprinting creates PHI exposure risk. Note also that HHS does not certify HIPAA compliance; ask what assessment the "HIPAA Certified" claim rests on and whether it covered the marketing site's trackers.
Undisclosed Gap
“Integrity is our cornerstone (About Us page)”
Deploys an obfuscated RB2B script from a bare CloudFront hostname so that ad blockers and privacy tools do not recognise it, and the script carries bot detection that also frustrates automated analysis. Whatever the intent, this is infrastructure built to avoid scrutiny, which is hard to square with integrity as a cornerstone.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use FlashRev
- Demand disclosure of ALL third-party scripts deployed on sites where FlashRev is integrated, particularly the obfuscated RB2B script and the LeadLander form interception
- Require independent review of the SOC 2 Type II report and ISO 27001 certificate before contract; both are gated behind sales contact and cannot be verified without them
- Audit your own consent mechanism to ensure FlashRev scripts are properly gated; their Complianz deployment shows they do not self-enforce consent
If You're Evaluating FlashRev
- Request a live demonstration of their Complianz CMP actually blocking scripts before consent to verify consent enforcement works in their deployment model
- Ask for their HIPAA compliance documentation and verify it covers the Stripe fingerprinting and visitor identification components on their marketing site
- Require a data flow diagram showing all third-party data recipients, especially the RB2B integration, LeadLander email harvesting, and visitor-api.flashlabs.ai endpoint
Negotiation Leverage
- FlashRev claims five compliance postures (ISO 27001, SOC 2, HIPAA, GDPR, CCPA; the last two are laws, not certifications), yet its own marketing site contradicts the consent, transparency and DNT commitments behind each of them. Use this to demand full audit transparency.
- The RB2B script is obfuscated and served from an unbranded CloudFront hostname so that blocklists miss it. Ask why a compliant vendor needs tracker infrastructure designed to avoid detection.
- LeadLander form interception harvests email data without disclosure. This is a material omission from the privacy policy and creates GDPR Art. 13 exposure.
- All compliance documents sit behind sales contact. Insist on direct access to the SOC 2 Type II report and ISO 27001 certificate before any procurement commitment.
- The privacy policy claims DNT support but nothing implements it. A provably false privacy statement creates FTC Act Section 5 deceptive-practices exposure.
- Singapore jurisdiction (FlashCloud Intelligence Group) means the PDPA applies to the entity itself, while its EU GDPR claims are contradicted by tracking that fires before consent.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
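Turning the manifest into a CSP is only useful if the policy is checked against the capture before it ships. The following added example (not part of the report or its IOC manifest) evaluates a candidate policy against a list of observed requests and reports which hosts it would block. The request URLs are constructed from hosts named in this report; the paths, the site origin (www.flashrev.com) and the policy itself are assumptions. It also shows the usual trap: allowing *.stripe.com does not cover m.stripe.network.

```javascript
// Added example (not from the report): test a candidate Content-Security-Policy
// against observed third-party requests before deploying it.

const SITE_ORIGIN = "https://www.flashrev.com"; // assumed

// Constructed from hosts named in the report; paths are assumed.
// kind selects the directive: script tags, fetch/XHR/beacon, iframes.
const OBSERVED_REQUESTS = [
  { url: "https://www.flashrev.com/assets/app.js",         kind: "script" },
  { url: "https://www.google-analytics.com/g/collect",     kind: "connect" },
  { url: "https://connect.facebook.net/en_US/fbevents.js", kind: "script" },
  { url: "https://ddwl4m2hdecbv.cloudfront.net/loader.js", kind: "script" },
  { url: "https://lltrck.com/collect",                     kind: "connect" },
  { url: "http://ip-api.com/json",                         kind: "connect" },
  { url: "https://js.stripe.com/v3/",                      kind: "script" },
  { url: "https://m.stripe.network/inner.html",            kind: "frame" },
];

// Marketing-page policy: first party only, with Stripe as the one vendor kept.
// *.stripe.com does not match m.stripe.network, so that frame is still blocked.
const CANDIDATE_POLICY = {
  "default-src": ["'self'"],
  "script-src":  ["'self'", "https://js.stripe.com"],
  "connect-src": ["'self'", "https://*.stripe.com"],
  "frame-src":   ["https://js.stripe.com", "https://*.stripe.com"],
};

const DIRECTIVE_FOR_KIND = { script: "script-src", connect: "connect-src", frame: "frame-src" };

// Does one CSP source expression ('self', a scheme, or a host source with optional
// scheme, leading wildcard label, port and path) match this URL? Nonces/hashes omitted.
function matchesSource(src, url, siteOrigin) {
  const u = new URL(url);
  const site = new URL(siteOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return u.origin === site.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (u.protocol !== site.protocol && !(site.protocol === "http:" && u.protocol === "https:")) {
    return false; // a schemeless host source inherits the page scheme (http may upgrade to https)
  }
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port && port !== "*" && (u.port || (u.protocol === "https:" ? "443" : "80")) !== port) return false;
  if (path && (path.endsWith("/") ? !u.pathname.startsWith(path) : u.pathname !== path)) return false;
  return true;
}

// One verdict per request; a missing directive falls back to default-src as browsers do.
function evaluatePolicy(policy, requests, siteOrigin) {
  return requests.map(req => {
    const directive = DIRECTIVE_FOR_KIND[req.kind];
    const sources = policy[directive] || policy["default-src"] || [];
    return { url: req.url, directive, allowed: sources.some(s => matchesSource(s, req.url, siteOrigin)) };
  });
}

function blockedHosts(policy = CANDIDATE_POLICY, requests = OBSERVED_REQUESTS, siteOrigin = SITE_ORIGIN) {
  return evaluatePolicy(policy, requests, siteOrigin).filter(r => !r.allowed).map(r => new URL(r.url).hostname);
}

// Header value as it would be sent.
function serializePolicy(policy) {
  return Object.entries(policy).map(([d, s]) => `${d} ${s.join(" ")}`).join("; ");
}

console.log(serializePolicy(CANDIDATE_POLICY));
console.log(blockedHosts());
```

Deploy the result first as Content-Security-Policy-Report-Only with a report-to endpoint and compare the violation reports with this offline verdict list; any host blocked here that does not appear in the reports is a request the capture saw but the policy never got a chance to evaluate, which is itself worth investigating.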
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
149 detection signatures across scripts, domains, cookies, and network endpoints
