How This Briefing Works
This report opens with key findings, then maps the gaps between what Matomo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
2 gaps
pending
LOW
They Claim
“Full data ownership via self-hosting”
Observed Behavior
Awaiting scanner verification to confirm runtime behavior matches documented privacy configuration options
pending
LOW
They Claim
“CNIL-approved for cookieless use”
Observed Behavior
Regulatory approval applies to specific configurations — scanner verification needed to confirm actual deployment settings
Customer Impact
What This Means For You
Matomo can significantly reduce an organization's analytics-related compliance burden. Self-hosted Matomo eliminates third-party data processing entirely, simplifying GDPR compliance and reducing the data processing inventory. Organizations in highly regulated industries (healthcare, finance, government) often select Matomo specifically because data never leaves their infrastructure. The tradeoff is operational overhead — self-hosted Matomo requires server infrastructure, maintenance, and security patching. Cloud-hosted Matomo reduces this burden but reintroduces third-party data processing. Either way, Matomo's transparent, auditable codebase provides strong defensibility in regulatory inquiries.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Matomo
- →- If using Matomo cloud, review the Data Processing Agreement for jurisdictional coverage - If self-hosting, ensure the Matomo instance is patched and secured — it becomes part of your attack surface - Enable cookieless tracking mode and IP anonymization for maximum privacy posture - Configure automatic data purging schedules aligned with your data retention policy - Audit installed Matomo plugins for any that introduce third-party data sharing
Negotiation Leverage
- →Matomo's open-source model provides strong negotiation leverage — the self-hosted option is free, meaning cloud pricing negotiations have a credible walkaway alternative. Key questions: (1) For cloud-hosted: What infrastructure and jurisdictions process visitor data? (2) What is the data retention policy, and can it be customized? (3) Are there any analytics features that require data to leave the self-hosted environment? Matomo's open-source foundation means vendor lock-in risk is minimal — data and configuration can be migrated if needed. This is a rare and valuable characteristic in the analytics vendor landscape.
IOC Manifest
IOC Manifest
133 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/faq.js*
Tracking script
TRACK
*matomo.org/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/faq_filter.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/js/frontend.js*
Tracking script
TRACK
*matomo.org/wp-includes/js/jquery/ui/core.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/vendor/jquery.sticky.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/responsive-table.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/generatepress/assets/js/menu.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/js/webpack.runtime.js*
Tracking script
TRACK
*matomo.org/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/validator.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/video.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/shortpixel-adaptive-images/assets/js/ai-2.0.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/_main.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/vendor/url_builder.js*
Tracking script
TRACK
*matomo.org/wp-includes/js/hoverIntent.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor-pro/assets/js/frontend.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/megamenu-pro/assets/public.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/generatepress/assets/js/back-to-top.js*
Tracking script
TRACK
*matomo.org/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/js/frontend-modules.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/megamenu/js/maxmegamenu.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor-pro/assets/js/elements-handlers.js*
Tracking script
TRACK
*matomo.org/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/js/section-frontend-handlers.*.bundle.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.*.bundle.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor/assets/js/text-editor.*.bundle.js*
Tracking script
TRACK
*matomo.org/wp-content/plugins/elementor-pro/assets/js/carousel.*.bundle.js*
Tracking script
TRACK
*matomo.org/wp-content/themes/website-child/assets/js/usercentrics.js*
Tracking script
TRACK
matomo.org/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/faq.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/faq_filter.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/video.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/generatepress/assets/js/menu.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/generatepress/assets/js/back-to-top.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/shortpixel-adaptive-images/assets/js/ai-2.0.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/js/frontend-modules.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-includes/js/jquery/ui/core.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/vendor/url_builder.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/vendor/jquery.sticky.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/validator.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/responsive-table.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/_main.js
Auto-extracted from scan
TRACK
matomo.org/wp-includes/js/hoverIntent.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/megamenu/js/maxmegamenu.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/megamenu-pro/assets/public.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor-pro/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/js/section-frontend-handlers.d85ab872da118940910d.bundle.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.03caa53373b56d3bab67.bundle.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor/assets/js/text-editor.45609661e409413f1cef.bundle.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/plugins/elementor-pro/assets/js/carousel.3620fca501cb18163600.bundle.min.js
Auto-extracted from scan
TRACK
matomo.org/wp-content/themes/website-child/assets/js/usercentrics.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Matomo has a broad integration ecosystem including plugins for WordPress, Joomla, Drupal, and other CMS platforms. It offers APIs for data export and supports integration with tag managers. Critically, Matomo's self-hosted option means data can remain entirely within organizational infrastructure — no external data sharing required. The cloud-hosted version processes data on Matomo's infrastructure but does not share it with advertising networks or data brokers. Matomo's marketplace includes 100+ plugins for extended functionality, all installable on self-hosted instances. The open-source community actively maintains and audits the codebase.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
133 detection signatures across scripts, domains, cookies, and network endpoints