All Vendors
platform
Loom

Loom

77.5% pre-consent tracking rate across 62 sites. Atlassian-owned ($975M acquisition) with 34+ third-party vendors detected on loom.com while Atlassian discloses only 22 subprocessors. B2B identity resolution (Demandbase, Mutiny) and advertising pixels fire pre-consent — including on embedded videos hosted across third-party sites.

287 IOCs72 detections78% pre-consent63 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Loom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

72 detections across 63 sites78% pre-consent activity1 critical disclosure gap
CRITICAL

Subprocessor Disclosure

Runtime analysis detected 34+ distinct third-party vendors on loom.com, including Demandbase, Mutiny, Cheq, TrenDemon, Clarity, and major ad platforms

GDPR Article 28CCPA Section 1798.140
CRITICAL

Pre-Consent Activity

Loom was observed loading and executing before user consent was obtained on 78% of sites where it was detected.

GDPRePrivacy
HIGH

Pre-Consent Tracking

77.5% pre-consent tracking rate across 71 detections; 19 vendors fire before any consent interaction

GDPR Article 7ePrivacy DirectiveCCPA opt-out rights
HIGH

Identity Resolution

Demandbase and Mutiny are B2B identity resolution platforms that explicitly re-identify visitors by company and individual

GDPR Article 6CCPA Do Not Sell provisions
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps
1 CRIT2 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X05BTI-X08

Subprocessor Disclosure

GDPR Article 28 · CCPA Section 1798.140CRITICAL
They Claim

Atlassian discloses 22 subprocessors for Loom/Atlassian products

Observed Behavior

Runtime analysis detected 34+ distinct third-party vendors on loom.com, including Demandbase, Mutiny, Cheq, TrenDemon, Clarity, and major ad platforms

Scan data shows vendor_slug count of 34+ unique vendors with pre_consent=true for 19 of them

Identity Resolution

GDPR Article 6 · CCPA Do Not Sell provisionsHIGH
They Claim

May aggregate or de-identify information per privacy policy

Observed Behavior

Demandbase and Mutiny are B2B identity resolution platforms that explicitly re-identify visitors by company and individual

Both vendors detected with pre_consent=true on loom.com

Advertising Stack Transparency

GDPR transparency requirements · CCPA notice requirementsMEDIUM
They Claim

Data sale disclosed to Third Party Advertising Providers

Observed Behavior

Extensive ad platform presence (Meta, Google, LinkedIn, Twitter, TikTok, Reddit, Bing) but specific platforms not itemized

All major ad platforms detected firing pre-consent

Customer Impact

What This Means For You

If Loom videos are embedded on your site, their player carries JavaScript and associated vendor scripts onto your property. Loom loads Demandbase and Mutiny (identity resolution platforms) pre-consent, meaning anyone viewing a Loom video on your site may be deanonymized without consent. Under GDPR Art 28, you are responsible for all data processing on your property — Loom embeds introduce 34+ undisclosed vendors into your compliance scope. Atlassian's official subprocessor list covers only 22 vendors while runtime detection shows 34+, making complete GDPR Art 30 documentation impossible. The 77.5% pre-consent rate means the majority of Loom interactions fire tracking before consent, creating near-certain violations for EU traffic.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Loom

  • Audit your CMP configuration — ensure all 34+ vendors detected on Loom properties are declared in your consent management
  • Implement Loom embeds through a consent-gated loader to prevent pre-consent tracking on your site from Loom's vendor stack
  • Review GDPR Article 28 documentation — add undisclosed Loom subprocessors (Demandbase, Mutiny, Cheq, TrenDemon, Clarity) to your records
  • Consider Loom Enterprise with custom data retention and privacy settings to control the tracking footprint
  • Monitor for Loom SDK updates that may introduce new tracking vendors onto your property without notice

If You're Evaluating Loom

  • Request Atlassian's current SOC2 Type II report and compare controls against the 34+ vendors observed at runtime on loom.com
  • Perform runtime scan of any loom.com page to verify the current vendor footprint before procurement decision
  • Evaluate alternative video messaging tools with simpler tracking profiles (Tella, Sendspark) if embed privacy is critical
  • Negotiate DPA terms that explicitly address the subprocessor disclosure gap between Atlassian's list and runtime reality
  • Implement technical controls to sandbox Loom embeds from your main analytics and prevent cross-contamination of tracking data

Negotiation Leverage

  • Embed isolation: Loom videos carry identity resolution (Demandbase, Mutiny) and advertising pixels onto host sites. Require contractual guarantee that Loom embeds load zero third-party vendors on your property, or implement consent-gated embed loader.
  • Subprocessor reconciliation: 34+ vendors detected versus 22 Atlassian-disclosed subprocessors. Require Atlassian to provide complete subprocessor list specific to Loom product, covering all runtime JavaScript dependencies.
  • Pre-consent SLA: 77.5% pre-consent rate across 62 sites. Require contractual guarantee that Loom embeds and direct usage load zero tracking before consent, with liquidated damages per violation.
  • Data flow transparency: Demandbase and Mutiny deanonymize visitors to Loom-embedded pages. Require written documentation of all data flows triggered by Loom embeds on third-party sites versus direct loom.com usage.
  • Enterprise privacy configuration: Negotiate Loom Enterprise plan with custom data retention, disabled advertising pixels, and sandboxed embed mode that prevents third-party vendor loading on your property.
Runtime Detections

Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C10Fingerprinting

Device identification

BTI-C14Identity Resolution

PII deanonymization

IOC Manifest

IOC Manifest

262 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.loom.com/_next/static/chunks/*-*.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/webpack-*.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/main-*.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/*.*.js*
Tracking script
TRACK
*www.loom.com/_next/static/_34B6TaVH-pLoDZU3p6H8/_buildManifest.js*
Tracking script
TRACK
*www.loom.com/_next/static/_34B6TaVH-pLoDZU3p6H8/_ssgManifest.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/290-*.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/framework-*.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/pages/index-*.js*
Tracking script
TRACK
*www.loom.com/_next/static/chunks/pages/_app-*.js*
Tracking script
EXFIL
*www.loom.com/_next/data/_34B6TaVH-pLoDZU3p6H8/index.json*
Data collection endpoint
EXFIL
*www.loom.com/_next/data/_34B6TaVH-pLoDZU3p6H8/connect/enterprise.json*
Data collection endpoint
TRACK
*www.loom.com/_next/static/chunks/pages/pricing-*.js*
Tracking script
EXFIL
*www.loom.com/_next/data/_34B6TaVH-pLoDZU3p6H8/enterprise.json*
Data collection endpoint
TRACK
*www.loom.com/_next/static/chunks/pages/enterprise-*.js*
Tracking script
EXFIL
*www.loom.com/_next/data/_34B6TaVH-pLoDZU3p6H8/pricing.json*
Data collection endpoint
TRACK
*www.loom.com/_next/static/chunks/pages/connect/%5Bslug%5D-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/0runtime-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-3-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-2-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-0-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-1-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-4-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-9-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-7-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-6-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-5-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-10-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-12-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-13-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-17-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-11-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-14-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-18-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-15-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-8-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-20-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-19-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-16-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-23-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-24-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-26-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-25-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-27-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-*-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-28-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-36-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-31-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-29-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-33-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-37-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-30-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-40-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-38-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-34-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-35-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-39-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-32-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-41-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/vendor-42-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/embed-video-*.js*
Tracking script
TRACK
*cdn.loom.com/assets/js/*-*.js*
Tracking script
EXFIL
*cdn.loom.com/mediametadata/transcription/*-1.json*
Data collection endpoint
EXFIL
*www.loom.com/_next/data/_34B6TaVH-pLoDZU3p6H8/screen-recorder.json*
Data collection endpoint
TRACK
*www.loom.com/_next/static/chunks/pages/screen-recorder-*.js*
Tracking script
TRACK
www.loom.com/_next/static/chunks/3315.8a1ba28982ad5030.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/webpack-1ff7b7967c0c8a56.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/framework-94bcf14506ace93a.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/main-b7b1ed066cd6fa77.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/pages/_app-525c472e2fd8bca3.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/3050-ea51d6ce5631bb7f.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/7017-37aa0b517ac7a685.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/4582-a2b5ac0573dba7dc.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/6189-2fcc4e3bcd05e053.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/5675-3d3f2d6e11336b04.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/9426-8210e8620d909376.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/7979-6a4f1cc15ad5d140.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/8037-a60246c4e5198262.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/7404-65d9f77ac53afb02.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/8913-29389d99003ddffd.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/5223-ad7bb431773ae660.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/290-2232666c3d051bf5.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/3926-1e04736a8281ed47.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/7379-1b19f759cabf5d96.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/pages/index-9c4a1205ca370f3f.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/_34B6TaVH-pLoDZU3p6H8/_buildManifest.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/_34B6TaVH-pLoDZU3p6H8/_ssgManifest.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/7717-f49e9f10c9297212.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/2572-447def0dafe233e1.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/4711-d47527bdadc19407.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/pages/pricing-c8fa574cc2773d38.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/pages/enterprise-9b881c663b4edb71.js
Auto-extracted from scan
TRACK
www.loom.com/_next/static/chunks/pages/connect/%5Bslug%5D-5aab491381cde91f.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/0runtime-369f5e38c44683d0.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-0-4cd7d42816ee6072.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-1-14d67f24aac13091.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-2-20f0757465a7ffd2.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-3-dc0f13e30709840c.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-4-9b2cfcdc60e95574.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-5-5991a74b521cd969.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-6-d9878c754cf733b8.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-7-cd0712224f6268fc.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-8-948af93da5899ea3.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-9-8a325dd62b6f77a6.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-10-9782311bd4d4452f.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-11-d62f59ea595c8cf4.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-12-84c7ebfc61cff46a.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-13-72265480163a2dd7.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-14-23d961543b301ec8.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-15-5f5c353d3104ec62.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-16-d332f1e13f094289.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-17-fcc1f7ff5b13b40f.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-18-6e14d65f5a607214.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-19-948e9eccc71576bb.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-20-d2e0484173c5186e.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-9264a70b-3c30c9e8d7e2b46c.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-619f19a7-f4387aebdc9c2aa3.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-23-6dec3dfb936bf1a4.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-24-dab33981064f0d0d.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-25-79708c116d2e9355.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-26-8a31ba7e37c045fe.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-27-3be04ffdfc383139.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-28-c023af607193ec30.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-29-d79a7bd9d68c2b11.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-30-cc1a5cfeebed39e3.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-31-a3a70b6a8f03e961.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-32-678de0e1c5984ce5.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-33-2fdd4c83b9cddcea.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-34-0ca8955daac25d21.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-35-f776f36d33fbab6e.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-36-5dd3904bee921c66.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-37-b33b2200c24898e5.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-38-bffaddd9080eef8f.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-39-c7dcd5186d4e4b56.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-40-d8bca237c190e084.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-41-5a16a4da2ed2f29b.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/vendor-42-a92481c4661c414b.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/embed-video-b7ad34ff9cda34d7.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/7563-aa9598eed02ec2c9.js
Auto-extracted from scan
TRACK
cdn.loom.com/assets/js/5420-18987ada54be1f66.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Loom sits in a unique position as both a SaaS product AND a website embed. As a standalone product, users interact directly with loom.com and its tracking stack. As an embed, Loom videos are shared across thousands of websites, carrying Loom's JavaScript and associated vendor scripts to those host pages. This creates a distribution multiplier effect where Loom's tracking infrastructure propagates across the web via video shares. Loom is loaded by sites using it for customer support videos, product demos, and internal communication. Our detection data shows Loom appearing on 62 distinct hostnames. The indirect load pattern (77.5% of detections load Loom indirectly) suggests Loom scripts are frequently bundled through tag managers or loaded by other marketing automation tools. Key upstream loaders: Google Tag Manager, Segment. Key downstream data recipients: Demandbase, Mutiny, Google Ads, Meta Pixel, LinkedIn, Segment.
Loads (5)
OnetrustSegmentShopping GoogleGoogleanalytics4Linkedin
Loaded By (1)
Upvert
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

287 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details