Executive Summary
Loom is an asynchronous video messaging platform acquired by Atlassian for $975M in October 2023. While positioned as a productivity tool for distributed teams, runtime analysis reveals a substantial GTM surveillance stack operating behind the scenes. With a 77.5% pre-consent tracking rate across 71 detections on 62 sites, Loom embeds extensive third-party tracking infrastructure including B2B identity resolution vendors (Demandbase, Mutiny), advertising pixels (Meta, Google, LinkedIn, Twitter, TikTok), and session replay tools (Clarity) - most of which are NOT disclosed in Atlassian's official subprocessor list. This creates a significant gap between Loom's enterprise compliance positioning (SOC2, ISO 27001, GDPR) and its actual data collection practices.
Revenue Threat Profile
4 COLLAPSE VECTORS
How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
Loom embeds Google Analytics 4, Amplitude, and Dreamdata analytics alongside the video player, creating attribution blind spots. When users share Loom videos, they unknowingly spread tracking pixels that compete with their own analytics infrastructure, potentially double-counting conversions and polluting attribution data.
Signal Corruption
Demandbase and Mutiny are identity resolution platforms that deanonymize website visitors for B2B sales intelligence. When Loom loads these vendors pre-consent on any site embedding their player, visitor identity data flows to third parties who compile and sell company intelligence. This means viewing a Loom video can expose your employees to competitor surveillance.
Legal Tail Risk
The Loom embed script creates a significant attack surface through 34+ third-party vendor connections. Cheq, DoubleVerify, and ad verification scripts add further JavaScript that can access the host page DOM. A compromise of any of these vendors' supply chains could potentially give an attacker access to the embedding site through Loom's integration.
GTM Attack Surface
Atlassian claims GDPR compliance and honors GPC signals, yet 19 vendors fire pre-consent on Loom properties including Meta Pixel, Google Ads, and LinkedIn. The 77.5% pre-consent rate directly contradicts the compliance posture marketed to enterprise customers. Organizations embedding Loom inherit this consent liability.