Qualified

75% pre-consent tracking rate while claiming SOC2 Type II and GDPR/CCPA compliance. Recently acquired by Salesforce (December 2025), expanding data ecosystem reach. 12 undisclosed third-party vendors on their website including Criteo, Meta, and DoubleClick advertising pixels alongside Clearbit identity resolution.

67 IOCs · 33 detections · 76% pre-consent · 28 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Qualified discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

33 detections across 28 sites · 76% pre-consent activity · 1 critical disclosure gap

Pre-Consent Tracking (CRITICAL)

75% of detections show tracking firing before consent obtained

GDPR Art 7 · CCPA 1798.100 · ePrivacy Directive

Pre-Consent Activity (CRITICAL)

Qualified was observed loading and executing before user consent was obtained on 76% of sites where it was detected.

GDPR · ePrivacy

Undisclosed Vendors (HIGH)

45 third-party vendors detected on qualified.com, 12 completely undisclosed

GDPR Art 28 · CCPA 1798.140

DNT Non-Compliance (HIGH)

Explicitly states: We do not recognize or respond to browser-initiated DNT signals

CCPA 1798.135

Undisclosed Party (HIGH)

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRIT, 2 HIGH, 1 MED

Classified: BTI-X01, BTI-X02, BTI-X05, BTI-X08, BTI-X12

Undisclosed Vendors

GDPR Art 28 · CCPA 1798.140 (HIGH)

They Claim

13 subprocessors disclosed

Observed Behavior

45 third-party vendors detected on qualified.com, 12 completely undisclosed

Runtime scan: Bytemine, Criteo, DoubleClick, G2, Google Ads, Lavender, Mapbox, Meta Pixel, Scoreplex, Scrapemagic, TrenDemon, Upcell

DNT Non-Compliance

CCPA 1798.135 (HIGH)

They Claim

Honors opt-out preferences

Observed Behavior

Explicitly states: We do not recognize or respond to browser-initiated DNT signals

Privacy policy direct quote

Identity Resolution Disclosure

GDPR Art 13 · GDPR Art 14 (MEDIUM)

They Claim

Clearbit provides firmographic data enrichment

Observed Behavior

Clearbit performs visitor-level identity resolution, not just company identification

Privacy policy mentions unique visitor IDs and returning visitor identification

Customer Impact

What This Means For You

If Qualified is deployed on your site, their platform identifies anonymous visitors through Clearbit integration and engages them via chatbots before they consent to tracking. Under GDPR Art 7, the 75% pre-consent rate means three-quarters of visitor identification occurs without valid consent. The December 2025 Salesforce acquisition significantly expands Qualified's data ecosystem — visitor identification data now feeds into the broader Salesforce ecosystem. Twelve undisclosed vendors on qualified.com including Criteo, Meta, and DoubleClick advertising pixels mean your prospects' intent signals may flow to ad networks. Under GDPR Art 28, you cannot verify Qualified's subprocessor chain when 12 vendors are undisclosed.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Qualified

  • Audit your CMP to ensure Qualified scripts are blocked until explicit consent is obtained — 75% pre-consent rate indicates likely consent violations
  • Update your privacy policy to disclose Clearbit identity resolution at the person level, not just company-level identification
  • Review undisclosed vendors loading via Qualified and add to your data processing disclosures under GDPR Art 30
  • Assess post-Salesforce acquisition data sharing implications — your visitor data now enters a significantly larger ecosystem
  • Implement server-side data flow controls to prevent unauthorized data sharing with advertising networks (Criteo, Meta, DoubleClick)
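
One way to run the CMP audit from the first item above, as an added example (not BLACKOUT's or Qualified's code): it scans a HAR capture for vendor script requests that started before the consent timestamp, or for any vendor request in a consent-denied session. The patterns, hostnames and HAR entries are constructed placeholders written in the wildcard style of the IOC manifest, and the consent timestamp is assumed to be recorded by the tester when the banner is accepted.

```python
import json
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed placeholder patterns in the manifest's wildcard style (not real
# indicators); substitute the entries for the vendor being audited.
PATTERNS = [
    "*js.vendor.example/loader.js*",
    "*js.vendor.example/packs/js/analytics-*.js*",
]

# Constructed HAR excerpt containing only the fields this check reads.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
 {"startedDateTime": "2025-01-15T10:00:00.000Z", "request": {"url": "https://www.site.example/"}},
 {"startedDateTime": "2025-01-15T10:00:00.400Z", "request": {"url": "https://js.vendor.example/loader.js"}},
 {"startedDateTime": "2025-01-15T10:00:01.100Z", "request": {"url": "https://js.vendor.example/packs/js/analytics-1a2b3c4d.js?v=2"}},
 {"startedDateTime": "2025-01-15T10:00:01.200Z", "request": {"url": "https://cdn.other.example/lib.js"}},
 {"startedDateTime": "2025-01-15T10:00:09.000Z", "request": {"url": "https://js.vendor.example/packs/js/analytics-1a2b3c4d.js"}}
]}}
""")

def parse_ts(value):
    """HAR timestamps are ISO 8601; map a trailing Z to an explicit UTC offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pre_consent_hits(har, consent_at, patterns=PATTERNS):
    """List vendor requests that started before consent was given.

    consent_at is an ISO 8601 string, or None for a consent-denied session,
    in which case every vendor request counts as a hit.
    """
    cutoff = parse_ts(consent_at) if consent_at else None
    hits = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        pattern = next((p for p in patterns if fnmatchcase(url, p)), None)
        if pattern is None:
            continue  # not a vendor request
        started = parse_ts(entry["startedDateTime"])
        if cutoff is None or started < cutoff:
            lead = None if cutoff is None else round((cutoff - started).total_seconds(), 3)
            hits.append({"url": url, "pattern": pattern, "seconds_before_consent": lead})
    return hits

if __name__ == "__main__":
    for hit in pre_consent_hits(SAMPLE_HAR, "2025-01-15T10:00:05.000Z"):
        print(hit)
```

Because each pattern starts and ends with `*`, it matches as a substring of the full URL, so review hits by hostname before treating them as evidence.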

If You're Evaluating Qualified

  • Require pre-consent script blocking capabilities and test in sandbox with consent denied to verify tracking cessation
  • Demand complete vendor disclosure including all fourth parties beyond the 13 disclosed subprocessors
  • Evaluate post-Salesforce acquisition data sharing implications — visitor identification data feeds into the broader Salesforce ecosystem
  • Request contractual guarantees that DNT and GPC signals will be honored by Qualified's platform
  • Compare against ABM alternatives that do not integrate with advertising pixels or require person-level deanonymization

Negotiation Leverage

  • Pre-consent SLA: 75% pre-consent rate contradicts GDPR compliance claims. Require contractual guarantee that Qualified scripts fire only after consent on your property, with consent-denied testing verification before deployment.
  • Salesforce data isolation: Post-acquisition, your visitor identification data enters the Salesforce ecosystem. Require contractual commitment that data processed through Qualified is not shared with other Salesforce products, CRM enrichment, or advertising without explicit opt-in.
  • Undisclosed vendor disclosure: 12 vendors detected on qualified.com not in their 13-vendor subprocessor list, including Criteo, Meta, and DoubleClick. Require complete enumeration of all fourth-party data flows triggered by Qualified's JavaScript on your property.
  • Clearbit identity resolution scope: Qualified uses Clearbit for person-level identification, not just company-level. Require contractual specification of identification granularity and ensure your privacy policy discloses person-level deanonymization.
  • DNT/GPC compliance: Require contractual commitment that Qualified honors Do Not Track and Global Privacy Control signals, with documented implementation evidence.

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

65 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Qualified operates as a first-party script deployed by B2B marketing teams, primarily loaded via direct script inclusion or through tag managers (GTM). The platform integrates deeply with Salesforce CRM (now parent company), enabling bidirectional data flow between website visitor identification and CRM records. Clearbit provides the identity resolution backbone, connecting anonymous IP addresses to company and individual profiles. Post-Salesforce acquisition, Qualified data flows into the broader Salesforce ecosystem including Pardot, Marketing Cloud, and Einstein AI. Customers deploying Qualified inherit exposure to 13+ subprocessors and multiple undisclosed advertising pixels that fire on Qualified's own infrastructure.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

67 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details