QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
platform
Loom

Loom

77.5% pre-consent tracking rate across 62 sites. Atlassian-owned ($975M acquisition) with 34+ third-party vendors detected on loom.com while Atlassian discloses only 22 subprocessors. B2B identity resolution (Demandbase, Mutiny) and advertising pixels fire pre-consent — including on embedded videos hosted across third-party sites.

172 IOCs observed5 detections100% pre-consent4 sites
90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Loom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
5

across 4 sites

Pre-Consent Rate
100%

vendor fires before consent

Disclosure Gaps
4

1 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X05BTI-X08
Summary

Briefing

Loom is an asynchronous video messaging platform acquired by Atlassian for $975M in October 2023. While positioned as a productivity tool for distributed teams, runtime analysis reveals a substantial GTM surveillance stack operating behind the scenes. With a 77.5% pre-consent tracking rate across 71 detections on 62 sites, Loom embeds extensive third-party tracking infrastructure including B2B identity resolution vendors (Demandbase, Mutiny), advertising pixels (Meta, Google, LinkedIn, Twitter, TikTok), and session replay tools (Clarity) - most of which are NOT disclosed in Atlassian's official subprocessor list. This creates a significant gap between Loom's enterprise compliance positioning (SOC2, ISO 27001, GDPR) and its actual data collection practices.

Customer Impact

What This Means For You

If Loom videos are embedded on your site, their player carries JavaScript and associated vendor scripts onto your property. Loom loads Demandbase and Mutiny (identity resolution platforms) pre-consent, meaning anyone viewing a Loom video on your site may be deanonymized without consent. Under GDPR Art 28, you are responsible for all data processing on your property — Loom embeds introduce 34+ undisclosed vendors into your compliance scope. Atlassian's official subprocessor list covers only 22 vendors while runtime detection shows 34+, making complete GDPR Art 30 documentation impossible. The 77.5% pre-consent rate means the majority of Loom interactions fire tracking before consent, creating near-certain violations for EU traffic.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

Loom embeds Google Analytics 4, Amplitude, and Dreamdata analytics alongside the video player, creating attribution blind spots. When users share Loom videos, they unknowingly spread tracking pixels that compete with their own analytics infrastructure, potentially double-counting conversions and polluting attribution data.

Broker
Control Collapse
100

Demandbase and Mutiny are identity resolution platforms that deanonymize website visitors for B2B sales intelligence. When Loom loads these vendors pre-consent on any site embedding their player, visitor identity data flows to third parties who compile and sell company intelligence. This means viewing a Loom video can expose your employees to competitor surveillance.

Reaper
Safety Collapse
0

The Loom embed script creates a significant attack surface through 34+ third-party vendor connections. Cheq, DoubleVerify, and ad verification scripts add additional JavaScript that can access the host page DOM. Any compromise of these vendor supply chains could potentially access the embedding site through Loom's integration.

Counselor
Legitimacy Collapse
100

Atlassian claims GDPR compliance and honors GPC signals, yet 19 vendors fire pre-consent on Loom properties including Meta Pixel, Google Ads, and LinkedIn. The 77.5% pre-consent rate directly contradicts the compliance posture marketed to enterprise customers. Organizations embedding Loom inherit this consent liability.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C08
Cross-Domain Sync

Identity stitching

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X08
Scope Creep

Collection exceeds disclosed scope

4
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

4
Gaps Observed
1 CRITICAL2 HIGH1 MEDIUM

BLACKOUT analyzed Loom's public claims against observed runtime behavior and identified 4 contradictions.

BTI-X01BTI-X02BTI-X05BTI-X08
Featured Gap
Subprocessor Disclosure
CRITICAL
They Claim

"Atlassian discloses 22 subprocessors for Loom/Atlassian products"

BLACKOUT Observed

Runtime analysis detected 34+ distinct third-party vendors on loom.com, including Demandbase, Mutiny, Cheq, TrenDemon, Clarity, and major ad platforms

3 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
10

5 for current users · 5 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
4undisclosed

Claims 15, observed 19

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: loomFirst Seen: 2026-01-22Last Updated: 2026-02-24