QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
deanon
Userpilot

Userpilot

Trust Center lists 2 subprocessors (AWS, Cloudflare). Runtime scans detect 22 third-party vendors including data brokers Brightdata, Dstillery, and Intentdata. 7 vendors fire before consent despite SOC2/GDPR compliance claims.

95 IOCs observed1 detections1 sites
90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Userpilot discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
1

across 1 sites

Pre-Consent Rate
0%

vendor fires before consent

Disclosure Gaps
5

2 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X04BTI-X05BTI-X09BTI-X12
Summary

Briefing

Userpilot is a product growth platform offering user onboarding, analytics, feedback collection, and session replay for SaaS companies. Despite marketing itself as a "privacy-first" solution and maintaining SOC2/GDPR compliance certifications, BLACKOUT runtime analysis reveals 22 undisclosed third-party vendors operating on their website, including identity resolution services (Clay, Vector) and data brokers (Brightdata, Dstillery, Intentdata). Seven vendors load pre-consent, creating a significant gap between their compliance posture and actual data practices. Their Trust Center (powered by Vanta) lists only AWS and Cloudflare as subprocessors, representing a material disclosure gap.

Customer Impact

What This Means For You

If Userpilot's SDK is deployed in your application, their operational practices reveal how they handle data environments. Their own website runs 22 undisclosed vendors — 11x more than their Trust Center discloses. Under GDPR Art 28, you are required to verify subprocessor chains, but Userpilot's disclosure of only AWS and Cloudflare while running Clay, Vector, Brightdata, and Dstillery makes this impossible. Seven vendors loading pre-consent on their marketing site, including identity resolution tools that de-anonymize prospects during evaluation, suggests consent-first architecture is not a priority. The presence of known data brokers (Brightdata, Dstillery, Intentdata) on their site creates questions about where visitor data ultimately flows.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

As a product analytics platform, Userpilot influences how customers measure user behavior. Their own use of 22 undisclosed tracking vendors while providing analytics services creates a conflict: they track their prospects with tools they help customers optimize, potentially gaining competitive intelligence on customer product decisions.

Broker
Control Collapse
100

Identity resolution vendors Clay and Vector on Userpilot's site can identify prospects evaluating the platform, feeding that intent data to competing vendors or data brokers. Brightdata, Dstillery, and Intentdata presence suggests visitor data may flow to third-party data marketplaces.

Reaper
Safety Collapse
0

22 third-party scripts create substantial attack surface. Each vendor is a potential supply chain compromise vector. Session replay capabilities on a site running this many trackers means recorded sessions could be exfiltrated through any compromised vendor.

Counselor
Legitimacy Collapse
100

SOC2 Type II and GDPR claims paired with 7 pre-consent vendors and undisclosed data brokers creates regulatory exposure. EU customers expecting GDPR compliance are unknowingly tracked by US data brokers before consent. The gap between 2 disclosed and 22 detected subprocessors violates GDPR Art 28 transparency requirements.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

BTI-C15
Tag Manager

Container/loader (neutral)

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X04
Marketing Mismatch

Behavior contradicts marketing

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X09
Data Security Discrepancy

Security claims vs evidence

BTI-X12
Assurance Gap

Gated or missing due diligence docs

6
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

5
Gaps Observed
2 CRITICAL2 HIGH1 MEDIUM

BLACKOUT analyzed Userpilot's public claims against observed runtime behavior and identified 5 contradictions.

BTI-X01BTI-X02BTI-X04BTI-X05BTI-X09BTI-X12
Featured Gap
Subprocessor Disclosure
CRITICAL
They Claim

"Only AWS and Cloudflare listed as subprocessors"

BLACKOUT Observed

22 additional vendors detected on userpilot.com including data brokers

4 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
10

5 for current users · 5 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
0undisclosed

Claims 2, observed 2

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: userpilotFirst Seen: 2026-01-22Last Updated: 2026-01-22