How This Briefing Works
This report opens with key findings, then maps the gaps between what Mouseflow discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Undisclosed Vendors
Scanner detected 36 third-party vendors on mouseflow.com including HubSpot, Meta Pixel, DoubleClick, Google Ads, GA4, LinkedIn, Leadfeeder/Dealfront, G2, Wistia, Serpstat, Match2one, Basis, and others
Pre-Consent Activity
44% of third-party vendors on mouseflow.com fire before any consent mechanism. 16 of 36 detected vendors load pre-consent including Meta Pixel, DoubleClick, LinkedIn, and Mouseflow itself
Privacy Marketing vs Reality
Scanner detected identity resolution (C14), browser fingerprinting (C10), behavioral biometrics (C06), and cross-domain sync (C08) on mouseflow.com
Pre-Consent Activity
Mouseflow was observed loading and executing before user consent was obtained on 75% of sites where it was detected.
Certification Scope Gap
Certifications apply to data center infrastructure, not client-side JavaScript execution. Session replay script operates in visitor browser context outside any certification scope.
Claims vs. Observed Behavior
Undisclosed Vendors
“Subprocessor list discloses 7 entities (Mouseflow ApS, Mouseflow Inc, Google Cloud, Leaseweb x2, DoiT, Oddeye)”
Scanner detected 36 third-party vendors on mouseflow.com including HubSpot, Meta Pixel, DoubleClick, Google Ads, GA4, LinkedIn, Leadfeeder/Dealfront, G2, Wistia, Serpstat, Match2one, Basis, and others
SCAN-1769100558331: 36 vendors detected, 16 pre-consent
Pre-Consent Activity
“Claims GDPR compliance with comprehensive legal hub including DPA, DPF, and subprocessor pages”
44% of third-party vendors on mouseflow.com fire before any consent mechanism. 16 of 36 detected vendors load pre-consent including Meta Pixel, DoubleClick, LinkedIn, and Mouseflow itself
SCAN-1769100558331: pre_consent=true for 16 vendors including mouseflow own script
Privacy Marketing vs Reality
“Homepage: We do not sell data. We do not track personal information. Enterprise-grade anonymization.”
Scanner detected identity resolution (C14), browser fingerprinting (C10), behavioral biometrics (C06), and cross-domain sync (C08) on mouseflow.com
SCAN-1769100558331: bti_c14, bti_c10, bti_c06, bti_c08 all detected
Certification Scope Gap
“ISO 27001, SOC 1 Type II, PCI compliance claimed for data centers”
Certifications apply to data center infrastructure, not client-side JavaScript execution. Session replay script operates in visitor browser context outside any certification scope.
Compliance page: Our data centers maintain ISO27001, SOC 1 Type II, and PCI compliance
Undisclosed Data Recipients
“We do not sell your personal data to third parties”
Cookie sync (C08) detected sharing data with Meta, LinkedIn, DoubleClick, and advertising networks. While technically not a sale, data flows to advertising platforms without disclosure.
SCAN-1769100558331: cookie sync chains to advertising platforms
Security Documentation Access
“SOC 1 Type II and ISO 27001 certifications available”
Security kit requires form submission with personal information. No public access to audit reports or certificates.
Compliance page: Request the Mouseflow Security Kit form
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Mouseflow
- Audit your consent implementation to confirm the Mouseflow script loads only after affirmative consent; 75% of observed deployments fire pre-consent
- Request Mouseflow's SOC 1 Type II report and verify the certification scope includes client-side JavaScript execution (currently covers data centers only)
- Review your DPA to confirm the 7 disclosed subprocessors match your data processing records; scanner detected 36 third-party vendors on mouseflow.com
- Configure Mouseflow's privacy settings to enable keystroke masking, form field exclusion, and IP anonymization per their help documentation
- Add a contract clause requiring 30-day notice before new subprocessor additions, with a right to object
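One way to run the consent audit from the first action above, as an added example that is not BLACKOUT's or Mouseflow's code: the function classifies third-party requests by vendor and flags every vendor whose first request started before the consent event. In a browser the entries would come from `performance.getEntriesByType('resource')` and the consent timestamp from your CMP; here both, and the hostname-to-vendor map, are constructed sample data.

```javascript
// Constructed hostname -> vendor inventory (placeholder hosts, not real CDNs).
// Replace with the tag inventory of your own deployment.
const VENDOR_HOSTS = {
  'cdn.mouseflow.example': 'Mouseflow',
  'pixel.meta.example': 'Meta Pixel',
  'ads.doubleclick.example': 'DoubleClick',
  'insight.linkedin.example': 'LinkedIn',
  'forms.hubspot.example': 'HubSpot',
};

// Returns the vendor label for a request URL, or null for first-party/unknown hosts.
function vendorForUrl(url) {
  return VENDOR_HOSTS[new URL(url).hostname] || null;
}

// entries:   [{ name: <request url>, startTime: <ms since navigation start> }]
// consentAt: ms since navigation start when affirmative consent was recorded,
//            or null when no consent event was ever recorded.
function auditPreConsent(entries, consentAt) {
  const firstSeen = new Map(); // vendor -> earliest request start
  for (const e of entries) {
    const vendor = vendorForUrl(e.name);
    if (!vendor) continue;
    const prev = firstSeen.get(vendor);
    if (prev === undefined || e.startTime < prev) firstSeen.set(vendor, e.startTime);
  }
  const preConsent = [];
  for (const [vendor, t] of firstSeen) {
    // Without any consent event, every vendor request counts as pre-consent.
    if (consentAt === null || t < consentAt) preConsent.push(vendor);
  }
  const total = firstSeen.size;
  return {
    total,
    preConsent: preConsent.sort(),
    preConsentPct: total ? Math.round((preConsent.length / total) * 100) : 0,
  };
}

// Constructed sample: consent banner accepted 2.5 s after navigation start.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example.com/main.css', startTime: 120 },
  { name: 'https://cdn.mouseflow.example/projects/abc.js', startTime: 410 },
  { name: 'https://pixel.meta.example/fbevents.js', startTime: 620 },
  { name: 'https://ads.doubleclick.example/pagead/viewthroughconversion', startTime: 1900 },
  { name: 'https://insight.linkedin.example/insight.min.js', startTime: 3100 },
  { name: 'https://forms.hubspot.example/embed/v3.js', startTime: 3400 },
];
const SAMPLE_CONSENT_AT = 2500;

console.log(auditPreConsent(SAMPLE_ENTRIES, SAMPLE_CONSENT_AT));
// → { total: 5, preConsent: ['DoubleClick', 'Meta Pixel', 'Mouseflow'], preConsentPct: 60 }
```

Any vendor in the `preConsent` list is loading outside the consent gate; re-check after each tag-manager change, since a single misconfigured trigger reintroduces the exposure.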
If You're Evaluating Mouseflow
- Request the Security Kit and independently verify ISO 27001 and SOC 1 scope before signing
- Compare Mouseflow's privacy claims against runtime behavior; ask the vendor to explain the identity resolution (C14) and fingerprinting (C10) detected on their own site
- Require contractual indemnification for pre-consent tracking liability under GDPR Art 5(3)
- Negotiate a right-to-audit clause allowing independent verification of consent compliance on your live deployment
- Evaluate privacy-focused alternatives like Plausible or Simple Analytics if session replay is not a core requirement
Negotiation Leverage
- Subprocessor disclosure gap: Scanner detected 36 third-party vendors on mouseflow.com while the subprocessor list discloses only 7 entities. Request a full accounting of all data recipients and an updated DPA reflecting actual data flows.
- Privacy marketing contradiction: The homepage states "we do not track personal information" while runtime analysis confirms identity resolution and fingerprinting on their own site. Use this gap to negotiate liability indemnification for any undisclosed tracking on your deployment.
- Certification scope limitation: ISO 27001 and SOC 1 Type II certifications cover data center infrastructure, not client-side JavaScript. Require the vendor to either extend certification scope or provide separate assurance for client-side code execution.
- Pre-consent exposure: 75% pre-consent rate across the BLACKOUT detection network. Negotiate a consent-gate SLA guaranteeing 0% pre-consent activity, with liquidated damages per violation detected by independent audit.
- Security documentation access: Compliance reports are gated behind a form requiring PII submission. Negotiate direct access to audit reports as a contract term, not a marketing lead-generation exercise.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
255 detection signatures across scripts, domains, cookies, and network endpoints