How This Briefing Works
This dossier opens with key findings, then maps the gap between what Userpilot discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
Userpilot is a product growth platform offering user onboarding, analytics, feedback collection, and session replay for SaaS companies. Despite marketing itself as a "privacy-first" solution and maintaining SOC2/GDPR compliance certifications, BLACKOUT runtime analysis reveals 22 undisclosed third-party vendors operating on their website, including identity resolution services (Clay, Vector) and data brokers (Brightdata, Dstillery, Intentdata). Seven vendors load pre-consent, creating a significant gap between their compliance posture and actual data practices. Their Trust Center (powered by Vanta) lists only AWS and Cloudflare as subprocessors, representing a material disclosure gap.
What This Means For You
If Userpilot's SDK is deployed in your application, their operational practices reveal how they handle data environments. Their own website runs 22 undisclosed vendors — 11x more than their Trust Center discloses. Under GDPR Art 28, you are required to verify subprocessor chains, but Userpilot's disclosure of only AWS and Cloudflare while running Clay, Vector, Brightdata, and Dstillery makes this impossible. Seven vendors loading pre-consent on their marketing site, including identity resolution tools that de-anonymize prospects during evaluation, suggests consent-first architecture is not a priority. The presence of known data brokers (Brightdata, Dstillery, Intentdata) on their site creates questions about where visitor data ultimately flows.
Risk Channel Breakdown
As a product analytics platform, Userpilot influences how customers measure user behavior. Their own use of 22 undisclosed tracking vendors while providing analytics services creates a conflict: they track their prospects with tools they help customers optimize, potentially gaining competitive intelligence on customer product decisions.
Identity resolution vendors Clay and Vector on Userpilot's site can identify prospects evaluating the platform, feeding that intent data to competing vendors or data brokers. Brightdata, Dstillery, and Intentdata presence suggests visitor data may flow to third-party data marketplaces.
22 third-party scripts create substantial attack surface. Each vendor is a potential supply chain compromise vector. Session replay capabilities on a site running this many trackers means recorded sessions could be exfiltrated through any compromised vendor.
SOC2 Type II and GDPR claims paired with 7 pre-consent vendors and undisclosed data brokers creates regulatory exposure. EU customers expecting GDPR compliance are unknowingly tracked by US data brokers before consent. The gap between 2 disclosed and 22 detected subprocessors violates GDPR Art 28 transparency requirements.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Security claims vs evidence
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Userpilot's public claims against observed runtime behavior and identified 5 contradictions.
"Only AWS and Cloudflare listed as subprocessors"
22 additional vendors detected on userpilot.com including data brokers
4 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 2, observed 2
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →