How This Briefing Works
This report opens with key findings, then maps the gaps between what Spade discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Spade was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
Compliance Claim Mismatch
False certification claims
Assurance Gap
Gated or missing due diligence docs
Claims vs. Observed Behavior
Self-Deployment Contradiction
Claim: “SOC2 compliance badge displayed on website”
Observed: Google Analytics fires pre-consent on spade.com; 73+ third-party vendors detected on their site
Evidence: Runtime scan: GA4 pre_consent=true. Vendor count from intel_detections.
Transparency Gap
Claim: “Privacy policy exists at /privacy”
Observed: Privacy policy requires JavaScript rendering; its claims cannot be extracted for verification without rendering the page in a browser
Evidence: WebFetch returns only GTM code and a noscript message
Subprocessor Transparency
Claim: “OpenLI lists subprocessors reference”
Observed: No public subprocessor list accessible; the OpenLI page returns 403. A 403 to an automated fetch can also be bot blocking rather than a missing page, so confirm from a browser before treating the list as absent.
Evidence: WebFetch to explore.openli.com/privacy/spade/subprocessors returned 403
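To reproduce the pre-consent check yourself, whether for Spade's script on your own pages or for a site such as spade.com, here is an added example; it is not BLACKOUT's scanner and not Spade's code. It reads a HAR-style request log, takes the site's own host and the time at which the CMP recorded a consent decision (null if the banner was never answered), classifies every third-party request as pre- or post-consent, and inspects GA4 hits for Consent Mode state. The vendor patterns, the reading of the GA4 `gcs` parameter, and all URLs, IDs and timestamps are the example's own assumptions and constructed data.

```javascript
// Added example, not BLACKOUT's scanner and not Spade's code.
// Replays the "pre-consent" check over a HAR-style request log.

// Vendor labels by hostname. Assumed patterns for this example, not
// BLACKOUT's intel_detections signatures.
const VENDOR_PATTERNS = [
  { vendor: 'GA4', match: /(^|\.)google-analytics\.com$|^analytics\.google\.com$/ },
  { vendor: 'GTM', match: /(^|\.)googletagmanager\.com$/ },
];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith('.' + siteHost);
}

function vendorFor(host) {
  const hit = VENDOR_PATTERNS.find((p) => p.match.test(host));
  return hit ? hit.vendor : 'unclassified';
}

// GA4 measurement hits go to /g/collect. With Consent Mode active the hit
// carries gcs=G1xy (x = ad_storage, y = analytics_storage; 1 granted,
// 0 denied). No gcs parameter means Consent Mode is not in use and the hit
// is a full, cookie-bearing hit. This reading of gcs is an assumption here.
function inspectGa4Hit(url) {
  const u = new URL(url);
  if (!u.pathname.endsWith('/g/collect')) return null;
  const gcs = u.searchParams.get('gcs');
  return {
    tid: u.searchParams.get('tid'),
    gcs,
    analyticsStorageDenied: /^G1[01]0$/.test(gcs || ''),
  };
}

// entries: objects with startedDateTime and either url or request.url (HAR).
// consentAt: ms since epoch when the CMP recorded a decision, or null if the
// banner was never answered (then every request counts as pre-consent).
function auditCapture(entries, siteHost, consentAt) {
  const findings = [];
  for (const e of entries) {
    const url = e.url || (e.request && e.request.url);
    const host = hostOf(url);
    if (!host || isFirstParty(host, siteHost)) continue;
    const t = Date.parse(e.startedDateTime);
    const vendor = vendorFor(host);
    const f = { host, vendor, preConsent: consentAt === null || t < consentAt };
    if (vendor === 'GA4') f.ga4 = inspectGa4Hit(url);
    findings.push(f);
  }
  return findings;
}

// Condense to the shape of the report's claim-vs-observed row: hosts that
// fired before consent, and whether GA4 sent a measurement hit pre-consent
// without analytics_storage denied (a Consent Mode ping with gcs=G1x0 is
// still a third-party request but not a cookie-bearing hit).
function summarize(findings) {
  const preConsentHosts = [...new Set(findings.filter((f) => f.preConsent).map((f) => f.host))].sort();
  const ga4PreConsent = findings.some((f) => f.preConsent && f.ga4 && !f.ga4.analyticsStorageDenied);
  return { thirdPartyHosts: new Set(findings.map((f) => f.host)).size, preConsentHosts, ga4PreConsent };
}

// Constructed HAR-like log: GTM and GA4 fire on page load, the visitor
// accepts the banner at T+5s, then a post-consent GA4 event follows.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2024-01-01T00:00:00.000Z', url: 'https://www.spade.com/' },
  { startedDateTime: '2024-01-01T00:00:00.120Z', url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE' },
  { startedDateTime: '2024-01-01T00:00:00.340Z', url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=page_view' },
  { startedDateTime: '2024-01-01T00:00:00.410Z', url: 'https://tag.vendor.example/pixel.gif' },
  { startedDateTime: '2024-01-01T00:00:06.000Z', url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=click' },
];
const SAMPLE_CONSENT_AT = Date.parse('2024-01-01T00:00:05.000Z');

console.log(JSON.stringify(summarize(auditCapture(SAMPLE_ENTRIES, 'spade.com', SAMPLE_CONSENT_AT)), null, 2));
```

For a real capture, pass `JSON.parse(fs.readFileSync('site.har')).log.entries` as `entries`; the consent timestamp comes from your CMP's own callback (for TCF CMPs, the `__tcfapi` event listener) logged during the same session.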
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Spade
- Verify the scope of the SOC2 report: request the actual document and review which controls cover your transaction data processing
- Confirm data retention policies for your transaction enrichment data and ensure alignment with your requirements
- Audit which third-party vendors Spade uses in its production API infrastructure versus its marketing site
- Ensure your DPA covers the specific financial data types being enriched through their platform
- Monitor for changes to their subprocessor list that could affect your transaction data processing
If You're Evaluating Spade
- Request the SOC2 Type II report and verify that its scope covers the transaction enrichment APIs, not just corporate infrastructure
- Distinguish between their marketing site (73+ vendors) and production infrastructure; request architecture documentation
- Verify data residency and processing locations for financial transaction data
- Assess whether their VC-backed growth stage ($21.1M) provides sufficient stability for handling your financial data
- Compare security posture against established transaction enrichment alternatives with longer compliance track records
Negotiation Leverage
- SOC2 scope verification: request Spade's SOC2 report and verify that its scope covers the production transaction enrichment API, not just corporate infrastructure. Confirm the controls address the 73+ vendors on their marketing site.
- Data isolation: require a contractual guarantee that transaction enrichment data is processed in infrastructure completely isolated from the marketing technology stack and its 73+ vendors.
- Financial data protections: transaction data reveals sensitive spending patterns. Require contractual data retention limits, encryption at rest, and deletion upon contract termination with written confirmation.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking
- Ignoring CMP signals
- Device identification
- PII deanonymization
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
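Consuming a manifest like this one, as an added example that is not BLACKOUT's tooling: a CSP cannot block-list, it allow-lists, so the useful CSP check is whether your current policy would still let an IOC host load or be contacted; the second output is a hosts-format blocklist for Pi-hole. The manifest entries, the policy header and every hostname below are constructed stand-ins, since the report's real IOCs sit behind evidence-tier access.

```javascript
// Added example, not BLACKOUT's tooling. The manifest entries, the policy
// header and every hostname below are constructed for illustration.

const SAMPLE_MANIFEST = [
  { category: 'script',   value: 'https://cdn.tracker.example/tag.js' },
  { category: 'domain',   value: 'beacon.tracker.example' },
  { category: 'endpoint', value: 'https://api.fingerprint.example:8443/v1/id' },
  { category: 'domain',   value: 'BEACON.tracker.example' }, // duplicate in different case
];

const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.tracker.example 'nonce-abc'; " +
  "connect-src 'self' https://*.tracker.example; img-src *";

// Normalize any IOC form (bare host, URL, host:port) to a lowercase hostname.
function iocHost(value) {
  const v = value.trim().toLowerCase();
  try { return new URL(v.includes('://') ? v : 'https://' + v).hostname; } catch { return null; }
}

function manifestHosts(manifest) {
  return [...new Set(manifest.map((i) => iocHost(i.value)).filter(Boolean))].sort();
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression cover this host? Handles '*', scheme-only
// sources (https:), wildcard hosts (*.example, which covers subdomains but
// not the apex) and host/URL sources. Ports and paths are ignored; keyword
// sources ('self', nonces, hashes) never cover a third-party host.
function sourceMatches(source, host) {
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:' || s === 'http:') return true;
  if (s.startsWith("'")) return false;
  const h = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
  return h.startsWith('*.') ? host.endsWith(h.slice(1)) : h === host;
}

// Fetch directives fall back to default-src; with neither present the
// browser applies no restriction at all, which is the case that most often
// undermines a "we have a CSP" claim.
function directiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || ['*'];
}

// Which IOC hosts the policy would still let load or be contacted.
function cspExposure(header, hosts) {
  const policy = parseCsp(header);
  const exposure = {};
  for (const d of ['script-src', 'connect-src', 'img-src']) {
    const sources = directiveSources(policy, d);
    exposure[d] = hosts.filter((h) => sources.some((src) => sourceMatches(src, h)));
  }
  return exposure;
}

// Hosts-file format, which Pi-hole accepts as an adlist.
function toPiholeList(hosts) {
  return hosts.map((h) => `0.0.0.0 ${h}`).join('\n') + '\n';
}

const SAMPLE_HOSTS = manifestHosts(SAMPLE_MANIFEST);
console.log(JSON.stringify(cspExposure(SAMPLE_CSP, SAMPLE_HOSTS), null, 2));
console.log(toPiholeList(SAMPLE_HOSTS));
```

Run it against your live header (for instance the value returned by `curl -sI https://your-site/ | grep -i content-security-policy`) and the manifest hosts; any host that survives under `script-src` or `connect-src` is one your policy will not stop, and that is the gap to close in the allow-list rather than anything to "block" in CSP.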
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 82 detection signatures across scripts, domains, cookies, and network endpoints
