QuantumMetric

100% pre-consent tracking rate — every single vendor fires before consent despite SOC2+HITRUST attestation and ISO 27001 certification. Discloses only Google LLC as a subprocessor while deploying 27+ third-party vendors including ZoomInfo, Clay, and CommonRoom for identity resolution.

206 IOCs · 1 detection · 100% pre-consent · 1 site
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what QuantumMetric discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site · 100% pre-consent activity · 1 critical disclosure gap

CRITICAL

Consent Compliance

100% pre-consent tracking rate: 12 vendors, including DoubleClick, MetaPixel, and LinkedIn, load before consent is obtained

GDPR Article 6 · GDPR Article 7 · CCPA 1798.100 · ePrivacy Directive

CRITICAL

Pre-Consent Activity

QuantumMetric was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPR · ePrivacy

HIGH

Subprocessor Disclosure

Only Google LLC disclosed as subprocessor; 27 vendors detected on own website including identity resolution and advertising platforms

GDPR Article 28 · GDPR Article 30

HIGH

Undisclosed Party

Not in privacy policy

HIGH

Undisclosed Sharing

Hidden data recipients

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps: 1 CRIT · 1 HIGH · 1 MED
Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X12

Subprocessor Disclosure

GDPR Article 28 · GDPR Article 30 · HIGH

They Claim

Transparent data processing with subprocessor notification

Observed Behavior

Only Google LLC disclosed as subprocessor; 27 vendors detected on own website including identity resolution and advertising platforms

Privacy policy subprocessor section lists only Google; runtime detection shows ZoomInfo, Clay, HubSpot, LinkedIn, DoubleClick, StackAdapt and 21 others

Security Documentation

Vendor due diligence best practices · MEDIUM

They Claim

SOC2+HITRUST attestation demonstrates security commitment

Observed Behavior

SOC2 report not publicly downloadable; requires sales contact/NDA

Trust center at /platform/data-privacy-security does not provide direct access to attestation documents

Customer Impact

What This Means For You

If Quantum Metric captures session replays on your site, you are partnering with a vendor that achieves a 100% pre-consent rate on their own website — every single tracking vendor fires before consent. Under GDPR Art 7, this represents the most extreme consent compliance failure in our detection network. Quantum Metric discloses only Google LLC as a subprocessor while 27+ vendors are detected at runtime including ZoomInfo, Clay, and CommonRoom for identity resolution. Their SOC2+HITRUST and ISO 27001 certifications cover internal operations but do not extend to your deployment or explain why their own site runs 12 pre-consent vendors including DoubleClick, MetaPixel, and LinkedIn. Enterprise customers like Lululemon, Korean Air, and Western Union face reputational risk from partnering with a vendor whose compliance marketing directly contradicts observed behavior.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use QuantumMetric

  • Audit your consent implementation independently — Quantum Metric's 100% pre-consent rate on their own site means their compliance claims require independent verification
  • Request SOC2+HITRUST report directly and verify controls match your data protection requirements for session recording
  • Review all data flows to understand what behavioral data leaves your environment through Quantum Metric's platform
  • Verify session replay masking covers all PII fields in your application — test with synthetic data before production deployment
  • Document Quantum Metric in your GDPR Article 30 records as a processor with all 27+ detected subprocessors

If You're Evaluating QuantumMetric

  • Visit quantummetric.com with browser DevTools open to observe their 100% pre-consent tracking behavior firsthand
  • Note the gap between SOC2+HITRUST/ISO 27001 certifications and the worst pre-consent rate in our detection network
  • Request complete subprocessor list beyond Google LLC — 27+ vendors detected at runtime represents a massive disclosure gap
  • Ask for evidence of consent-gated data processing in their production environment before trusting compliance marketing
  • Evaluate alternative session replay vendors with demonstrable consent compliance (FullStory, self-hosted options)

Negotiation Leverage

  • Pre-consent SLA: 100% pre-consent rate on quantummetric.com — the worst score in our detection network. Require contractual guarantee of 0% pre-consent activity on your property with quarterly independent audit verification and liquidated damages per violation.
  • Subprocessor disclosure: Only Google LLC disclosed while 27+ vendors detected including ZoomInfo, Clay, and CommonRoom (identity resolution). Require complete subprocessor enumeration with 30-day advance notice before additions.
  • Session replay data scope: Quantum Metric captures detailed user interactions. Require contractual specification of exactly what data is recorded, with mandatory PII masking verified by independent audit before deployment.
  • Certification scope verification: Request SOC2+HITRUST report and ISO 27001 certificate — verify scope explicitly covers client-side session recording JavaScript, not just server-side infrastructure.
  • Identity resolution prohibition: ZoomInfo, Clay, and CommonRoom on their site deanonymize visitors. Require contractual guarantee that no identity resolution capabilities are embedded in their session replay product deployed on your property.
Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C13 Persistence Mechanisms

Long-lived identifiers

BTI-C14 Identity Resolution

PII deanonymization

IOC Manifest

204 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Quantum Metric operates in the session replay and digital experience analytics space competing with FullStory, Heap, Amplitude, and Hotjar. They are loaded via GTM or direct script tag on enterprise websites to capture session replays, heatmaps, and journey analytics. On their own website, they load a substantial martech stack: identity resolution (ZoomInfo, Clay, CommonRoom), advertising (DoubleClick, MetaPixel, LinkedIn, StackAdapt), analytics (GA4, Cloudflare Insights), and sales engagement (HubSpot, Qualified, G2). This creates a supply chain where enterprises using Quantum Metric for privacy-respecting analytics may not realize the vendor itself operates with aggressive pre-consent tracking. Funded by Insight Partners ($250M total, $1B valuation), they serve major enterprises including Lululemon, Korean Air, Western Union, and BMO.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

206 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details