
Mountain

CTV advertising platform with $226M revenue deploying 52 third-party vendors on mountain.com — 23 fire pre-consent including identity resolution (Demandbase, LiveRamp, Contactout) and advertising pixels (Criteo, Meta, LinkedIn, Reddit). Discloses 22 subprocessors while significantly more operate at runtime. No SOC2 certification.

94 IOCs · 22 detections · 15 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Mountain discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings


22 detections across 15 sites
HIGH

Pre-Consent Tracking

23 tracking vendors load pre-consent on mountain.com including identity resolution (Demandbase, Contactout) and advertising pixels (MetaPixel, LinkedIn, Criteo)

GDPR Art 6 · CCPA 1798.100 · ePrivacy Directive

HIGH

Undisclosed Party

Not in privacy policy

HIGH

Undisclosed Sharing

Hidden data recipients

HIGH

Compliance Claim Mismatch

False certification claims

HIGH

Scope Creep

Collection exceeds disclosed scope

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps
1 HIGH · 2 MED
Classified: BTI-X01, BTI-X02, BTI-X05, BTI-X08

Subprocessor Disclosure

GDPR Art 28 · CCPA 1798.140 · MEDIUM
They Claim

Information Sharing Partners page lists data recipients

Observed Behavior

12 advertising vendors observed but not disclosed: Criteo, Demandbase, DoubleClick, Doubleverify, LinkedIn, MetaPixel, Reddit, TwitterPixel, CrazyEgg, Contactout, Bizible, Qualified

Comparison of disclosed subprocessors (22) vs observed vendors (52)

Privacy Signal Support

CCPA 1798.135 · Colorado Privacy Act · MEDIUM
They Claim

Opt-out mechanisms available via NAI/DAA

Observed Behavior

No Global Privacy Control (GPC) support acknowledged. Browser Do Not Track mentioned but not GPC.

Privacy policy and opt-out page do not mention GPC

Security Certification

LOW
They Claim

Working toward SOC2 compliance

Observed Behavior

SOC2 Type I not yet achieved as of January 2025. Security documentation available upon request but not publicly accessible.

Security page states working on SOC2 Type I by end of January 2025

Customer Impact

What This Means For You

If MNTN (formerly SteelHouse) handles your CTV advertising, their platform connects advertiser audience data to a programmatic ecosystem where 52 third-party vendors operate on their corporate site — 23 firing before consent. Under GDPR Art 28, you must verify subprocessor chains, but MNTN discloses 22 partners while significantly more are detected at runtime. Identity resolution vendors (Demandbase, LiveRamp, Contactout) on mountain.com mean your advertiser data and campaign strategies flow through infrastructure shared with deanonymization services. MNTN does not hold SOC2 certification, leaving you without independent verification of security controls for a platform handling campaign data and creative assets through their QuickFrame acquisition.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Mountain

  • Review your Data Processing Agreement to ensure it covers all observed third-party data flows, particularly to identity resolution providers (Demandbase, LiveRamp, Contactout)
  • Audit what visitor data from your campaigns is being enriched through LiveRamp and Demandbase integrations on MNTN infrastructure
  • Request security documentation (pentest results, security policies) given SOC2 is not yet achieved for a platform handling campaign data
  • Ensure your consent management covers the tracking vendors MNTN loads on conversion tracking pages on your property
  • Monitor CTV campaign data flows to verify your audience intelligence is not shared through undisclosed vendor relationships

If You're Evaluating Mountain

  • Note the absence of SOC2 certification — significant gap for a platform handling advertiser data and campaign strategies
  • Request complete subprocessor list and compare against 52 vendors detected at runtime on mountain.com
  • Assess pre-consent behavior (23 vendors) as an indicator of MNTN's operational privacy maturity before trusting compliance claims
  • Evaluate whether LiveRamp and Demandbase integrations create competitive intelligence exposure for your campaign data
  • Compare MNTN's vendor density and compliance posture against alternative CTV platforms before committing

Negotiation Leverage

  • Security certification: MNTN does not hold SOC2 certification despite handling advertiser campaign data and creative assets. Require SOC2 Type II as a contract condition or negotiate significant liability indemnification.
  • Subprocessor reconciliation: 52 vendors detected versus 22 disclosed. Require complete enumeration of all third-party vendors processing advertiser data, with right to audit quarterly.
  • Pre-consent SLA: 23 vendors fire pre-consent on mountain.com. Require contractual guarantee that MNTN conversion tracking on your property loads only after consent.
  • Campaign data isolation: As a CTV platform with LiveRamp and Demandbase integrations, advertiser audience data and campaign performance signals flow through their infrastructure. Require contractual data isolation for your campaign intelligence.
  • Creative asset protection: QuickFrame acquisition means campaign creative assets flow through their platform. Require contractual protections for creative IP and limits on data derived from your campaigns.

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C13 Persistence Mechanisms: Long-lived identifiers
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)


IOC Manifest

94 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

MNTN operates as a Connected TV advertising platform in the programmatic advertising supply chain. They are loaded BY advertisers and agencies deploying CTV campaigns. MNTN LOADS numerous advertising technology vendors including LiveRamp (identity resolution), Demandbase (B2B identification), Google Analytics/DoubleClick (measurement/ads), and major social advertising platforms (Meta, LinkedIn, Reddit, Twitter, TikTok). Their acquired property QuickFrame provides video creation services. Key ecosystem relationships: LiveRamp for identity graphs, Experian for audience data, programmatic exchanges (Beeswax, Scaylr) for CTV inventory. As a CTV platform, MNTN has visibility into advertiser campaign performance across streaming television networks.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

94 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details