How This Briefing Works
This dossier opens with key findings, then maps the gap between what Loom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 4 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Loom is an asynchronous video messaging platform acquired by Atlassian for $975M in October 2023. While positioned as a productivity tool for distributed teams, runtime analysis reveals a substantial GTM surveillance stack operating behind the scenes. With a 77.5% pre-consent tracking rate across 71 detections on 62 sites, Loom embeds extensive third-party tracking infrastructure including B2B identity resolution vendors (Demandbase, Mutiny), advertising pixels (Meta, Google, LinkedIn, Twitter, TikTok), and session replay tools (Clarity) - most of which are NOT disclosed in Atlassian's official subprocessor list. This creates a significant gap between Loom's enterprise compliance positioning (SOC2, ISO 27001, GDPR) and its actual data collection practices.
What This Means For You
If Loom videos are embedded on your site, their player carries JavaScript and associated vendor scripts onto your property. Loom loads Demandbase and Mutiny (identity resolution platforms) pre-consent, meaning anyone viewing a Loom video on your site may be deanonymized without consent. Under GDPR Art 28, you are responsible for all data processing on your property — Loom embeds introduce 34+ undisclosed vendors into your compliance scope. Atlassian's official subprocessor list covers only 22 vendors while runtime detection shows 34+, making complete GDPR Art 30 documentation impossible. The 77.5% pre-consent rate means the majority of Loom interactions fire tracking before consent, creating near-certain violations for EU traffic.
Risk Channel Breakdown
Loom embeds Google Analytics 4, Amplitude, and Dreamdata analytics alongside the video player, creating attribution blind spots. When users share Loom videos, they unknowingly spread tracking pixels that compete with their own analytics infrastructure, potentially double-counting conversions and polluting attribution data.
Demandbase and Mutiny are identity resolution platforms that deanonymize website visitors for B2B sales intelligence. When Loom loads these vendors pre-consent on any site embedding their player, visitor identity data flows to third parties who compile and sell company intelligence. This means viewing a Loom video can expose your employees to competitor surveillance.
The Loom embed script creates a significant attack surface through 34+ third-party vendor connections. Cheq, DoubleVerify, and ad verification scripts add additional JavaScript that can access the host page DOM. Any compromise of these vendor supply chains could potentially access the embedding site through Loom's integration.
Atlassian claims GDPR compliance and honors GPC signals, yet 19 vendors fire pre-consent on Loom properties including Meta Pixel, Google Ads, and LinkedIn. The 77.5% pre-consent rate directly contradicts the compliance posture marketed to enterprise customers. Organizations embedding Loom inherit this consent liability.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Loom's public claims against observed runtime behavior and identified 4 contradictions.
"Atlassian discloses 22 subprocessors for Loom/Atlassian products"
Runtime analysis detected 34+ distinct third-party vendors on loom.com, including Demandbase, Mutiny, Cheq, TrenDemon, Clarity, and major ad platforms
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 15, observed 19
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →