LeadRocket

71.4% of session recording activity fires before consent, capturing DOM state, network requests, and user interactions without authorization. SOC2 report gated behind sales contact prevents independent compliance verification. Note: This entry tracks cdn.lgrckt-in.com — actually a LogRocket CDN domain.

2 IOCs · 7 detections · 71% pre-consent · 6 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what LeadRocket discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

7 detections across 6 sites · 71% pre-consent activity · 1 critical disclosure gap
CRITICAL

Vendor Attribution

cdn.lgrckt-in.com is a LogRocket CDN domain - LeadRocket does not exist as a separate entity

N/A - data quality issue
CRITICAL

Pre-Consent Activity

LeadRocket was observed loading and executing before user consent was obtained on 71% of sites where it was detected.

GDPR · ePrivacy
HIGH

Consent Compliance

71.4% of detections show pre-consent loading - session recording begins before user consent obtained

GDPR Art 7 · ePrivacy Directive · CCPA
HIGH

Data Subject Rights

Explicitly does not honor Do Not Track browser signals

CCPA Do Not Sell · GPC compliance
HIGH

Compliance Claim Mismatch

False certification claims

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRIT · 2 HIGH · 1 MED
Classified: BTI-X05, BTI-X12

Vendor Attribution

N/A - data quality issue · CRITICAL
They Claim

LeadRocket is a separate B2B lead generation vendor

Observed Behavior

cdn.lgrckt-in.com is a LogRocket CDN domain - LeadRocket does not exist as a separate entity

LogRocket CSP documentation lists cdn.lgrckt-in.com as official LogRocket CDN

Data Subject Rights

CCPA Do Not Sell · GPC compliance · HIGH
They Claim

Privacy-respecting analytics

Observed Behavior

Explicitly does not honor Do Not Track browser signals

Privacy policy: Although our Site currently does not respond to do not track browser headers...

Transparency

Vendor due diligence best practices · MEDIUM
They Claim

SOC2 Type II certified

Observed Behavior

SOC2 report requires contacting sales - not publicly verifiable

Security documentation states: Please reach out to sales@logrocket.com for more information and our accreditation report

Customer Impact

What This Means For You

If LogRocket (detected as LeadRocket via cdn.lgrckt-in.com) is deployed on your site, 71.4% of sessions may be recorded before users consent. Session replay captures complete user journeys including form inputs, clicks, and page content. Under GDPR Art 7 and ePrivacy Directive Art 5(3), recording user sessions without prior consent creates direct regulatory liability for you as the site operator. LogRocket explicitly does not honor Do Not Track signals, meaning privacy-conscious users have no browser-level opt-out mechanism. Their SOC2 report is gated behind sales contact, preventing independent verification of their compliance claims.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use LeadRocket

  • URGENT: Verify consent implementation — 71.4% pre-consent rate indicates session recording likely begins before users consent on your site
  • Review LogRocket SDK initialization timing to ensure it fires AFTER consent is obtained, not on page load by default
  • Request their SOC2 Type II report from sales@logrocket.com and verify scope covers client-side session recording, not just internal operations
  • Update your privacy policy to explicitly disclose session recording functionality and what data types are captured
  • Implement LogRocket's GDPR/CCPA portal to honor deletion requests for recorded sessions containing user PII
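
One way to check the pre-consent rate on your own site from a HAR capture, as an added example (not BLACKOUT's or LogRocket's code). The host list uses the CDN domains named in this briefing; the consent timestamp, the sample entries and their URL paths are constructed, and the function names are hypothetical.

```javascript
// Added example: flag session-replay requests in a HAR capture that start
// before the recorded consent time. Host list = CDN domains named in this briefing.
const REPLAY_HOSTS = ['cdn.lgrckt-in.com', 'cdn.logrocket.io', 'cdn.lr-ingest.io'];

// Exact host or true subdomain only, so lookalike hosts do not match.
function isReplayHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return REPLAY_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// har: parsed HAR object. consentIso: when the user accepted the banner
// (assumption: you record this yourself), or null if consent was never given.
function auditHar(har, consentIso) {
  const consentAt = consentIso === null ? Infinity : Date.parse(consentIso);
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname;
    } catch {
      continue; // malformed or relative URL
    }
    const startedAt = Date.parse(entry.startedDateTime);
    if (!isReplayHost(host) || Number.isNaN(startedAt)) continue;
    const preConsent = startedAt < consentAt;
    findings.push({
      url: entry.request.url,
      method: entry.request.method,
      preConsent,
      msBeforeConsent: preConsent && Number.isFinite(consentAt) ? consentAt - startedAt : null,
    });
  }
  const pre = findings.filter((f) => f.preConsent).length;
  return { total: findings.length, preConsent: pre, rate: findings.length ? pre / findings.length : 0, findings };
}

// Constructed sample capture (paths and timestamps are made up for illustration).
const mk = (time, method, url) => ({ startedDateTime: `2024-01-01T12:00:${time}Z`, request: { method, url } });
const sampleHar = { log: { entries: [
  mk('00.250', 'GET', 'https://cdn.lgrckt-in.com/example-script.js'),
  mk('00.900', 'POST', 'https://r.cdn.lr-ingest.io/example-ingest'),
  mk('01.000', 'GET', 'https://example.com/app.js'),
  mk('05.000', 'POST', 'https://cdn.logrocket.io/example-ingest'),
  mk('00.100', 'GET', 'https://cdn.lgrckt-in.com.example.net/x'),
] } };

const report = auditHar(sampleHar, '2024-01-01T12:00:03.000Z');
console.log(`${report.preConsent}/${report.total} replay requests started before consent`);
```

Run it against a capture taken with a fresh browser profile, once accepting and once ignoring the banner; any finding with preConsent set means the script tag or tag-manager trigger fires before the consent callback.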

If You're Evaluating LeadRocket

  • Note: LeadRocket detections (cdn.lgrckt-in.com) are actually LogRocket — same vendor, different CDN domain
  • Request SOC2 report before procurement decision — gating it behind sales contact is a transparency red flag
  • Verify your consent architecture can delay LogRocket SDK loading until after affirmative consent is obtained
  • Assess whether session replay data capture (DOM mutations, form inputs, network requests) aligns with your privacy posture
  • Evaluate alternatives with stronger consent-by-default behavior (FullStory, Hotjar) that do not require manual consent gating

Negotiation Leverage

  • Pre-consent session recording: 71.4% of LogRocket detections show pre-consent loading. Require contractual guarantee that session recording initializes only after affirmative consent, with automated consent gate in their SDK.
  • DNT/GPC compliance: LogRocket explicitly states they do not honor Do Not Track signals. Require contractual commitment to honor GPC signals under CCPA and to implement DNT support within 90 days of contract signing.
  • SOC2 transparency: LogRocket gates their SOC2 report behind sales contact. Require direct access to current SOC2 Type II report as a contract condition, with right to share with your auditors without restriction.
  • Session data scope: Session replay captures form inputs, DOM mutations, and network requests. Require contractual specification of exactly what data types are captured, with explicit exclusion of sensitive form fields and PII.
  • Consent-first SDK initialization: Require documented SDK configuration that prevents any data capture before consent banner interaction, with technical architecture review before deployment.

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization

IOC Manifest

2 INDICATORS

Indicators of compromise across 2 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK: cdn.lgrckt-in.com (Tracking script)

Ecosystem

Ecosystem & Supply Chain

LogRocket (misattributed as LeadRocket) operates in the session replay and product analytics space alongside FullStory, Hotjar, and Heap. It is typically loaded directly via script tag or through tag managers (GTM). LogRocket integrates with error tracking tools (Sentry, Bugsnag), customer support platforms (Zendesk, Intercom), and data warehouses. The vendor uses 11+ CDN domains including cdn.logrocket.io, cdn.lr-ingest.io, and cdn.lgrckt-in.com (the misattributed "LeadRocket" domain). Detection shows it loading on sites including rb2b.com, chilipiper.com, contentsquare.com, and dstillery.com.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

2 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details