Executive Summary
FullStory is a behavioral data analytics platform offering session replay, product analytics, and AI-powered insights. While presenting itself as privacy-conscious with extensive compliance certifications (SOC2, ISO 27001/27701, GDPR, CCPA), runtime analysis reveals significant disclosure gaps. FullStory's own website deploys 22+ undisclosed third-party vendors pre-consent, including identity resolution tools (6sense, Demandbase, Qualified) not listed in their subprocessor documentation. This creates a credibility gap between their trust center messaging and actual runtime behavior.
Revenue Threat Profile
4 COLLAPSE VECTORSHow this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
FullStory captures detailed behavioral data including mouse movements, clicks, page visits, and text entered. While positioned for UX optimization, this granular data combined with identity resolution vendors on their site suggests potential cross-site behavioral profiling that could corrupt independent measurement.
Signal Corruption
FullStory integrates with CRM platforms (Salesforce) and marketing tools (Marketo). Identity resolution vendors (6sense, Demandbase, Qualified) detected on their site enable B2B deanonymization, potentially leaking visitor intent signals and demand data to competitors through shared vendor networks.
Legal Tail Risk
Session replay technology records user interactions at high fidelity, creating significant attack surface if compromised. FullStory's script runs on customer sites with privileged access to DOM content. The presence of multiple undisclosed third-party scripts increases supply chain risk.
GTM Attack Surface
Despite extensive compliance certifications, 55.6% pre-consent tracking rate and undisclosed third-party vendors create consent divergence liability. Privacy policy acknowledges visitor data may be sold/shared while customer data is protected differently, creating consent complexity that could trigger regulatory scrutiny.