QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
session_replay
FullStory

FullStory

55.6% pre-consent session recording rate despite SOC2, ISO 27001/27701, and GDPR/CCPA certifications. Discloses 6 subprocessors while 22+ vendors operate pre-consent on fullstory.com — including identity resolution tools (6sense, Demandbase, Qualified) and advertising pixels not in their subprocessor documentation.

112 IOCs observed15 detections60% pre-consent10 sites
90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what FullStory discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
15

across 10 sites

Pre-Consent Rate
60%

vendor fires before consent

Disclosure Gaps
3

1 CRIT · 1 HIGH

Claims-vs-Reality Classified
BTI-X02BTI-X05BTI-X08
Summary

Briefing

FullStory is a behavioral data analytics platform offering session replay, product analytics, and AI-powered insights. While presenting itself as privacy-conscious with extensive compliance certifications (SOC2, ISO 27001/27701, GDPR, CCPA), runtime analysis reveals significant disclosure gaps. FullStory's own website deploys 22+ undisclosed third-party vendors pre-consent, including identity resolution tools (6sense, Demandbase, Qualified) not listed in their subprocessor documentation. This creates a credibility gap between their trust center messaging and actual runtime behavior.

Customer Impact

What This Means For You

If FullStory captures session replays on your site, 55.6% of observed implementations record sessions before users consent. Under GDPR Art 7 and ePrivacy Art 5(3), recording detailed user interactions — clicks, scrolls, form inputs, and page content — without prior consent creates direct regulatory liability. FullStory discloses 6 subprocessors while 22+ vendors operate pre-consent on their own site, including 6sense, Demandbase, and Qualified for identity resolution. These undisclosed vendors can identify your prospects visiting FullStory for competitive evaluation, and similar data flows may exist through their deployed JavaScript. FullStory integrates with Salesforce and Marketo, meaning session replay data connects to your CRM and marketing automation.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
25

FullStory captures detailed behavioral data including mouse movements, clicks, page visits, and text entered. While positioned for UX optimization, this granular data combined with identity resolution vendors on their site suggests potential cross-site behavioral profiling that could corrupt independent measurement.

Broker
Control Collapse
100

FullStory integrates with CRM platforms (Salesforce) and marketing tools (Marketo). Identity resolution vendors (6sense, Demandbase, Qualified) detected on their site enable B2B deanonymization, potentially leaking visitor intent signals and demand data to competitors through shared vendor networks.

Reaper
Safety Collapse
0

Session replay technology records user interactions at high fidelity, creating significant attack surface if compromised. FullStory's script runs on customer sites with privileged access to DOM content. The presence of multiple undisclosed third-party scripts increases supply chain risk.

Counselor
Legitimacy Collapse
100

Despite extensive compliance certifications, 55.6% pre-consent tracking rate and undisclosed third-party vendors create consent divergence liability. Privacy policy acknowledges visitor data may be sold/shared while customer data is protected differently, creating consent complexity that could trigger regulatory scrutiny.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

Claims-vs-Reality (BTI-X)

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X08
Scope Creep

Collection exceeds disclosed scope

3
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

3
Gaps Observed
1 CRITICAL1 HIGH1 MEDIUM

BLACKOUT analyzed FullStory's public claims against observed runtime behavior and identified 3 contradictions.

BTI-X02BTI-X05BTI-X08
Featured Gap
Subprocessor Disclosure
CRITICAL
They Claim

"Subprocessor list discloses 6 vendors (Google, Fastly, Salesforce, Zendesk, Marketo, OpenAI)"

BLACKOUT Observed

22+ third-party vendors detected on fullstory.com operating pre-consent including 6sense, Demandbase, Criteo, Qualified, Contactout, G2, LinkedIn, Google Ads

2 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
10

5 for current users · 5 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
2undisclosed

Claims 6, observed 8

Commonly Paired With
2

googletagmanager, googleanalytics4

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: fullstoryFirst Seen: 2025-12-12Last Updated: 2026-02-28