Flowla

Flowla combines behavioral biometrics with consent bypass, creating dual liability exposure. Moderate Broker risk through engagement surveillance, severe Counselor violations via pre-consent initialization.

6 IOCs | 89 detections | 2% pre-consent | 86 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Flowla discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

89 detections across 86 sites | 2% pre-consent activity
MEDIUM

Pre-Consent Activity

Flowla was observed loading and executing before user consent was obtained on 2% of sites where it was detected.

GDPR, ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

Customer Impact

What This Means For You

Sales teams gain buyer intent signals but inherit biometric data processing liability. Legal teams face dual violation: consent bypass PLUS special category data processing without legal basis. Compliance teams must defend behavioral profiling to privacy regulators without clear business necessity.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Flowla

  • Disable all behavioral tracking features in Flowla admin panel
  • Configure analytics-free mode if available (document sharing only)
  • Audit current data retention: request deletion of all historical behavioral data

If You're Evaluating Flowla

  • Require vendor to demonstrate consent-first architecture before contract
  • Demand removal of behavioral biometrics capability or 100% liability assumption
  • Evaluate alternatives: DocSend (analytics-free mode), Notion (no tracking), Google Drive (basic sharing)

Negotiation Leverage

  • Flowla combines two high-risk behaviors: consent bypass + behavioral biometrics, creating compounded liability
  • Vendor must eliminate biometric capture AND implement consent-first loading, or assume full regulatory penalty liability
  • Document sharing works without behavioral surveillance - request feature removal or migrate to privacy-safe alternative
  • Current architecture violates GDPR Article 9 (special category data) with no clear legal basis for processing

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Scroll depth, mouse movements, and timing patterns create behavioral fingerprints usable for identification. GDPR Article 9 classifies biometric data as special category, requiring explicit consent and heightened protection.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Tracking initialization before consent creates strict liability under GDPR Article 7 and ePrivacy Directive. Combined with biometric capture, elevates to special category data violation with increased penalty exposure.

IOC Manifest

4 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

Flowla competes with DocSend, Notion sharing, and traditional sales content platforms. It distinguishes itself through behavioral analytics: tracking WHO engages WHEN with WHAT content. It carries higher risk than document-only alternatives (DocSend without analytics mode) due to its biometric profiling layer.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

6 detection signatures across scripts, domains, cookies, and network endpoints
