Mistral

Platform vendor with aggressive session recording, behavioral biometrics, and persistent tracking capabilities deployed pre-consent.

57 IOCs · 16 detections · 75% pre-consent · 14 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Mistral discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

16 detections across 14 sites · 75% pre-consent activity
CRITICAL

Pre-Consent Activity

Mistral was observed loading and executing before user consent was obtained on 75% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

disclosure

CRITICAL
They Claim

Pending claims extraction

Observed Behavior

High Broker (50) and Counselor (70) scores indicate extensive undisclosed data sharing and consent violations. Session recording and behavioral biometrics likely absent from privacy policy.

Customer Impact

What This Means For You

Product and UX teams lose session replay insights if Mistral is removed. Fraud detection systems may degrade without behavioral biometric signals. However, retention creates severe liability: GDPR Article 9 violations for biometric processing without explicit consent, potential BIPA class actions for keystroke dynamics collection, and data breach exposure if session recordings containing PII leak.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Mistral

  • Immediate consent gate implementation before any Mistral script loads
  • GDPR Article 9 compliance audit for behavioral biometric lawful basis
  • Session recording disclosure in privacy policy with explicit opt-in mechanism
  • Data Processing Agreement review for session data retention and third-party access
  • PII redaction audit for session recordings

If You're Evaluating Mistral

  • Defer all Mistral scripts until post-consent confirmation with granular biometric consent
  • Require vendor attestation on GDPR Article 9 lawful basis documentation
  • Assess privacy-respecting session replay alternatives with automatic PII masking
  • Implement behavioral fraud detection without persistent biometric profiling

Negotiation Leverage

  • Mistral contract likely permits platform-wide behavioral model training on your visitor data - demand opt-out and model deletion rights
  • Session recordings may be retained for extended periods for "quality assurance" - negotiate 30-day maximum retention
  • Confirm whether behavioral biometric data is sold or shared with third-party fraud detection platforms
  • Request evidence of GDPR Article 9 compliance documentation and BIPA compliance for US visitors
  • Demand technical controls for PII redaction in session recordings before storage
Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

52 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Mistral integrates with analytics platforms, marketing automation systems, and fraud detection tools. Session replay data often flows to customer experience platforms. Behavioral biometric models may be shared across the Mistral customer base for benchmarking or fraud scoring.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

57 detection signatures across scripts, domains, cookies, and network endpoints
