QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
cdp
RudderStack

RudderStack

Markets as the "privacy and security focused" alternative to Segment while deploying advertising pixels from DoubleClick, BingAds, LinkedIn, and Reddit pre-consent on their own website. 28.6% pre-consent rate. SOC2 Type II certified. Claims customer data never leaves your infrastructure — but their corporate site tells a different privacy story.

36 IOCs observed15 detections33% pre-consent9 sites
85
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what RudderStack discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
15

across 9 sites

Pre-Consent Rate
33%

vendor fires before consent

Disclosure Gaps
3

Claims-vs-Reality Classified
BTI-X02BTI-X04BTI-X05
Summary

Briefing

RudderStack is a warehouse-native Customer Data Platform (CDP) founded in 2019, headquartered in San Francisco with $82M in VC funding. They position themselves as the "privacy and security focused" alternative to Segment, emphasizing that customer data never leaves your infrastructure. However, runtime analysis of their own website reveals 28.6% pre-consent tracking with advertising pixels from DoubleClick, BingAds, LinkedInAds, and Reddit loading before user consent. They hold SOC2 Type II certification and claim GDPR/CCPA compliance, creating a notable gap between their privacy-first marketing and actual implementation on their own properties.

Customer Impact

What This Means For You

If RudderStack routes your customer data, their "data never leaves your infrastructure" positioning is a meaningful differentiator — but their own website tells a contradictory story. RudderStack deploys DoubleClick, BingAds, LinkedInAds, and Reddit advertising pixels pre-consent on rudderstack.com at a 28.6% rate, suggesting privacy-first principles are not consistently applied. Under GDPR Art 28, 12+ marketing vendors on their site are not in their public subprocessor documentation. While their warehouse-native architecture provides genuine data control benefits, the gap between privacy-first marketing and corporate site behavior warrants scrutiny. Their SOC2 Type II certification is a positive signal but does not explain the pre-consent advertising pixels.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
25

As a CDP that routes customer data to analytics and marketing tools, RudderStack occupies a critical position in measurement infrastructure. Their warehouse-native approach theoretically provides cleaner attribution than cloud-hosted alternatives. However, their own site demonstrates consent framework gaps that could propagate through the data they help customers collect.

Broker
Control Collapse
100

RudderStack integrates with 200+ destinations including competitors marketing tools. While they claim data never leaves customer infrastructure, the routing decisions and destination configurations create demand signal exposure. The presence of advertising pixels (DoubleClick, LinkedInAds) on their own site suggests potential data sharing with ad networks.

Reaper
Safety Collapse
0

As open-source software with self-hosted options, RudderStack theoretically reduces attack surface versus cloud CDPs. However, their SOC2 Type II certification covers their hosted solution, not self-hosted deployments. The pre-consent tracking on their website indicates potential misconfiguration risks that could affect customers.

Counselor
Legitimacy Collapse
100

RudderStack claims GDPR and CCPA compliance while their website loads advertising trackers before consent. This creates consent divergence that could expose customers who trust RudderStack vendor profile as a compliance benchmark. The 28.6% pre-consent rate contradicts their privacy-first positioning.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

BTI-C15
Tag Manager

Container/loader (neutral)

Claims-vs-Reality (BTI-X)

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X04
Marketing Mismatch

Behavior contradicts marketing

BTI-X05
Compliance Claim Mismatch

False certification claims

3
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

3
Gaps Observed
2 MEDIUM1 LOW

BLACKOUT analyzed RudderStack's public claims against observed runtime behavior and identified 3 contradictions.

BTI-X02BTI-X04BTI-X05
Featured Gap
Subprocessor Disclosure
MEDIUM
They Claim

"Subprocessor list available in DPA"

BLACKOUT Observed

12+ marketing vendors (BingAds, DoubleClick, Clarity, Hotjar, etc.) active on website but not in public documentation

2 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
10

5 for current users · 5 for evaluators

Negotiation Leverage
4

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
0undisclosed

Claims 2, observed 2

Commonly Paired With
10

googletagmanager, perimeterx, cheq

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: rudderstackFirst Seen: 2025-12-28Last Updated: 2026-05-28