How This Briefing Works
This dossier opens with key findings, then maps the gap between what Qualified discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 48 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Qualified is an AI-powered SDR and pipeline generation platform, recently acquired by Salesforce (December 2025). The platform identifies anonymous website visitors through Clearbit integration and enables real-time engagement through chatbots, live chat, and automated meeting scheduling. Despite SOC2 Type II certification and GDPR/CCPA compliance claims, runtime analysis reveals a 75% pre-consent tracking rate and 12 undisclosed third-party vendors loading on their own website. The Salesforce acquisition significantly expands Qualified's data ecosystem reach, making disclosure gaps more consequential.
What This Means For You
If Qualified is deployed on your site, their platform identifies anonymous visitors through Clearbit integration and engages them via chatbots before they consent to tracking. Under GDPR Art 7, the 75% pre-consent rate means three-quarters of visitor identification occurs without valid consent. The December 2025 Salesforce acquisition significantly expands Qualified's data ecosystem — visitor identification data now feeds into the broader Salesforce ecosystem. Twelve undisclosed vendors on qualified.com including Criteo, Meta, and DoubleClick advertising pixels mean your prospects' intent signals may flow to ad networks. Under GDPR Art 28, you cannot verify Qualified's subprocessor chain when 12 vendors are undisclosed.
Risk Channel Breakdown
Qualified corrupts measurement by identifying visitors before consent, attributing engagement to their AI SDR while obscuring the tracking infrastructure. Pipeline metrics may reflect surveillance-assisted conversion rather than genuine buyer intent, distorting ROI calculations.
As a Salesforce-owned platform with Clearbit integration, Qualified feeds visitor identification data into the broader Salesforce ecosystem. Undisclosed ad network pixels (Criteo, Meta, DoubleClick) on their own site demonstrate demand signal leakage to competitors and ad platforms.
The platform creates significant attack surface through extensive third-party integrations (13+ subprocessors including multiple AI providers). Pre-consent tracking cookies and visitor identification expand data exposure beyond what users consent to.
75% pre-consent tracking rate directly contradicts GDPR compliance claims. The explicit statement that Qualified does not honor browser DNT signals, combined with undisclosed vendor relationships, creates material consent liability for customers deploying this platform.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Qualified's public claims against observed runtime behavior and identified 4 contradictions.
"GDPR compliant, CCPA compliant, SOC2 Type II certified"
75% of detections show tracking firing before consent obtained
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 13, observed 14
googletagmanager, marketo, googleanalytics4…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →