Modash | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Modash discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site100% pre-consent activity

CRITICAL

Pre-Consent Activity

Modash was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

disclosure

MEDIUM

They Claim

“Pending claims extraction”

Observed Behavior

Broker score (25) and Counselor score (55) indicate data sharing and consent violations. Privacy policy likely lacks specific disclosure of enrichment data sources and sharing practices.

Customer Impact

What This Means For You

Marketing loses visitor enrichment data for audience segmentation and campaign personalization. Analytics platforms lose demographic and firmographic context for visitor sessions. However, retention creates exposure: regulatory complaints for unlawful tracking, data subject access requests revealing extensive profiling, potential enforcement for consent violations.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Modash

→Implement consent gate before Modash scripts load
→Audit Data Processing Agreement for enrichment data sharing and retention terms
→Review privacy policy for adequate disclosure of visitor profiling practices
→Assess persistent identifier lifespan and renewal mechanisms

If You're Evaluating Modash

→Defer Modash scripts until post-consent confirmation
→Require vendor documentation on data source transparency and lawful collection basis
→Assess first-party enrichment alternatives using consented customer data only
→Implement visitor anonymization for non-consenting users

Negotiation Leverage

→Modash contract likely permits enrichment data resale or platform-wide sharing - demand customer data isolation
→Persistent identifiers may have indefinite lifespan - negotiate retention limits aligned to marketing campaign cycles
→Confirm Modash honors consent withdrawal and purges visitor records from enrichment databases
→Request disclosure of all third-party data sources used for visitor enrichment and their collection methods

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C13Persistence Mechanisms

Long-lived identifiers

IOC Manifest

107 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*modash.com/js/prototype.js*

Tracking script

TRACK

*modash.com/js/Clarity.js*

Tracking script

TRACK

*modash.com/ImageLoader.jsesp*

Tracking script

TRACK

*modash.com/locale/locale_en.json*

Tracking script

TRACK

modash.com/js/prototype.js

Auto-extracted from scan

TRACK

modash.com/js/Clarity.js

Auto-extracted from scan

TRACK

modash.com/ImageLoader.jsesp

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Modash integrates with marketing automation platforms, CRM systems, and audience analytics tools. Enrichment data may flow to data management platforms (DMPs) for cross-site audience building. Often deployed with complementary tracking vendors that benefit from shared visitor identifiers.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

109 detection signatures across scripts, domains, cookies, and network endpoints