Snov

57 third-party vendors on snov.io with 26 loading before consent — including undisclosed ad tech like AdRoll, Basis, BrightData, and Leadfeeder. Privacy policy lists ~25 subprocessors but fails to disclose 18+ vendors actually detected at runtime. No security certifications visible despite handling prospect contact data for 185,000+ companies.

121 IOCs · 3 detections · 100% pre-consent · 3 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Snov discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

3 detections across 3 sites · 100% pre-consent activity · 2 critical disclosure gaps
CRITICAL

Disclosure Gap

57 vendors detected on site, 18+ completely undisclosed

GDPR Art 13 · GDPR Art 28 · CCPA 1798.100
CRITICAL

Consent Violation

26 vendors load pre-consent including ad tech (Adroll, Basis, DoubleClick)

GDPR Art 6 · GDPR Art 7 · ePrivacy Art 5(3) · CCPA 1798.120
CRITICAL

Pre-Consent Activity

Snov was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPR · ePrivacy
HIGH

Data Sale Misrepresentation

Multiple ad tech vendors (Adroll, Basis, TrafficJunky, DoubleClick) loading pre-consent enables behavioral advertising data flows that may constitute sale under CCPA

CCPA 1798.140(t) · FTC Section 5
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps
2 CRIT · 1 HIGH · 1 MED
Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X10

Disclosure Gap

GDPR Art 13 · GDPR Art 28 · CCPA 1798.100
CRITICAL
They Claim

Privacy policy lists ~25 subprocessors

Observed Behavior

57 vendors detected on site, 18+ completely undisclosed

Runtime scan vs privacy policy comparison

Data Sale Misrepresentation

CCPA 1798.140(t) · FTC Section 5
HIGH
They Claim

We DO NOT sell your data

Observed Behavior

Multiple ad tech vendors (Adroll, Basis, TrafficJunky, DoubleClick) loading pre-consent enables behavioral advertising data flows that may constitute sale under CCPA

Ad tech vendors detected in runtime scan

Scraping Infrastructure

CFAA considerations · ToS enforcement
MEDIUM
They Claim

Security-focused organization

Observed Behavior

Brightdata, Zenrows, Scrapemagic scraping infrastructure vendors present on site

Runtime detection of scraping vendors

Customer Impact

What This Means For You

If Snov.io handles your sales automation and lead enrichment, your prospect data flows through a platform running 57 third-party vendors with 26 firing before consent — including BrightData (web scraping) and Leadfeeder (visitor identification). Under GDPR Art 28, you must verify subprocessor chains, but Snov's privacy policy lists ~25 vendors while 18+ are completely undisclosed at runtime. The presence of competitors like Contactout, Dealfront, and Leadfeeder on their own site suggests potential data arbitrage — your prospect intelligence may flow to parties who aggregate and resell to competitors. Snov.io holds no visible security certifications (no SOC2, no ISO) despite processing contact data for 185,000+ companies, leaving you without independent verification of how your prospect data is secured.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Snov

  • Audit your privacy policy to ensure Snov.io and their undisclosed subprocessors are properly listed for GDPR Art 13 compliance
  • Review consent mechanisms for any Snov tracking deployed on prospect sites — 26 pre-consent vendors on their own site is a red flag
  • Request complete DPA and subprocessor list — compare against the 57 vendors detected at runtime to identify disclosure gaps
  • Assess data minimization — evaluate which Snov features actually require deployment versus what creates unnecessary data exposure
  • Document lawful basis for Snov's lead enrichment capabilities — legitimate interest claims may not cover the full scope of data processing

If You're Evaluating Snov

  • Request SOC2 report — Snov claims security focus but displays no certification, which is a critical gap for enterprise procurement
  • Conduct runtime audit of your test deployment to verify actual vendor footprint before production use
  • Compare their ~25 disclosed subprocessors against 57 detected vendors — the 18+ undisclosed gap is material
  • Assess whether competitors (Leadfeeder, Contactout, Dealfront) on snov.io create intelligence leakage risk for your prospect data
  • Evaluate alternatives with better compliance posture — note that most sales automation vendors have similar issues, so focus on subprocessor transparency

Negotiation Leverage

  • Subprocessor reconciliation: 57 vendors detected versus ~25 disclosed — 18+ completely undisclosed. Require complete enumeration of all third-party vendors and data recipients as a contract precondition.
  • Security certification requirement: No SOC2, ISO, or any security certification visible despite handling prospect contact data for 185,000+ companies. Require SOC2 Type II as a contract condition or negotiate significant liability indemnification.
  • Data arbitrage prohibition: Competitors Leadfeeder, Contactout, and Dealfront detected on snov.io suggest potential data flow overlap. Require contractual prohibition on sharing your prospect data with competing sales intelligence platforms.
  • BrightData relationship: BrightData (web scraping service) loads on snov.io. Require written explanation of this relationship and contractual guarantee that BrightData does not receive data from your account.
  • Pre-consent SLA: 26 vendors load before consent. Require contractual guarantee that Snov tracking deployed on prospect sites fires only after consent with zero pre-consent data collection.
Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C13 Persistence Mechanisms

Long-lived identifiers

BTI-C14 Identity Resolution

PII deanonymization

IOC Manifest

117 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Snov.io operates in the sales intelligence and automation ecosystem alongside competitors like Apollo, ZoomInfo, Lusha, and Hunter. They integrate with major CRMs (HubSpot, Salesforce, Pipedrive) and automation platforms (Zapier). Their own site loads competitor intelligence tools (Leadfeeder, Dealfront, Contactout) suggesting either competitive monitoring or data partnership arrangements. The presence of scraping infrastructure vendors (Brightdata, Zenrows) indicates potential data sourcing relationships. Customers deploying Snov tracking inherit a complex supply chain that includes undisclosed ad tech and lead enrichment vendors.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

121 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details