How This Briefing Works
This report opens with key findings, then maps the gaps between what Salesloft discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Salesloft was observed loading and executing before user consent was obtained on 56% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Salesloft
- →Legal review of wiretap compliance - session recording requires two-party consent in CA/FL/PA and 9 other states
- →Audit cross-domain tracking scope - verify tracking does not extend beyond owned properties
- →Request model training opt-out - your pipeline data should not optimize competitor campaigns
- →Implement consent-first tracking architecture or accept strict liability for all historical data
If You're Evaluating Salesloft
- →Sales engagement platforms with data isolation (Apollo.io, Instantly.ai)
- →First-party email tracking with no cross-customer model training
- →On-premise sales automation with complete data sovereignty
Negotiation Leverage
- →Perfect CAC subsidization score (100) means your pipeline is training competitor models - demand data segregation guarantees
- →Perfect legal tail risk score (100) indicates multiple violation categories - DPA must include unlimited indemnification
- →Session recording creates wiretap liability beyond GDPR - verify compliance in all two-party consent states
- →Behavioral biometrics require Article 9 consent - audit existing consent mechanism for lawful basis
- →Platform value derives from cross-customer intelligence - pricing should reflect your contribution to shared models
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Impact: Typing patterns and interaction timing constitute biometric data under GDPR Article 9, requiring explicit consent and DPO notification.
Full session replay
Impact: Recording sales interactions without disclosure violates wiretap laws in 12 US states (two-party consent). Creates criminal liability beyond civil GDPR fines.
Identity stitching
Ignoring CMP signals
Impact: Tracking begins at page load before any consent mechanism. Every visitor interaction creates unlawful processing under GDPR Article 6.
Device identification
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
123 detection signatures across scripts, domains, cookies, and network endpoints