Executive Summary
Vector is a Y Combinator-backed B2B "contact-level advertising" platform that de-anonymizes website visitors and matches them to verified contacts for targeted advertising across LinkedIn, Google, and Meta. Despite claiming GDPR/CCPA compliance, runtime analysis shows 62.3% of Vector deployments fire before consent. The platform uses a multi-step "identity waterfall" including IP enrichment via undisclosed third-party pro.ip-api.com. A Q4 2025 penetration test by Oneleet revealed critical vulnerabilities including mass assignment flaws allowing cross-customer data exposure. Vector operates 21 third-party tracking vendors on their own website pre-consent while only disclosing three.
Revenue Threat Profile
4 Collapse Vectors
How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
Vector corrupts attribution by inserting itself into the measurement chain. Their contact-level targeting creates attribution loops where Vector-identified contacts are served ads, then Vector claims conversion credit. This pollutes marketing analytics with circular attribution that cannot be independently verified.
Signal Corruption
Vector explicitly collects demand signals (which contacts are visiting which pages) and uses them for competitive advertising. When a prospect visits your site, Vector can identify them and help competitors target them. Their 'identity waterfall' creates a shared pool of visitor intelligence that benefits all Vector customers, including your competitors.
Legal Tail Risk
The Q4 2025 Oneleet pentest revealed critical security vulnerabilities: mass assignment allowing cross-customer webhook hijacking (VCTR-001), subscription bypass (VCTR-002), and exposed API keys (VCTR-003). Their pixel shares visitor IP addresses with third-party ip-api.com without disclosure. The 5,413-line pixel.js introduces significant attack surface to any site deploying it.
GTM Attack Surface
Vector claims GDPR and CCPA compliance while exhibiting 62.3% pre-consent tracking. They claim to be 'SOC2 ready' but have not completed an audit. Their privacy policy mentions only 3 vendors, while they deploy 21 pre-consent on their own site. The identity waterfall performs aggressive visitor identification that likely requires explicit consent under GDPR Article 6.
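A defender-side check for the two findings above (pre-consent firing and undisclosed third parties), added here as an example that is not part of this report or of Vector's code: it walks a constructed, HAR-style request log, flags third-party requests that started before the consent timestamp, and lists vendor domains missing from a disclosed-vendor list. The first-party host, the pixel host and the disclosed-vendor list are placeholders; only pro.ip-api.com, LinkedIn and Google come from the report.

```javascript
// Constructed inputs (not captured from a real site). Timestamps are ISO-8601 UTC.
const CONSENT_AT = Date.parse("2025-11-03T10:00:05Z"); // when the visitor clicked "accept"
const FIRST_PARTY = "customer.example";                 // placeholder site owner domain
const DISCLOSED_VENDORS = ["vendor.example", "google.com", "linkedin.com"]; // placeholder policy list

// Constructed request log, roughly what a HAR export or devtools capture would show.
const REQUEST_LOG = [
  { url: "https://customer.example/",               startedAt: "2025-11-03T10:00:00Z" },
  { url: "https://pixel.vendor.example/pixel.js",   startedAt: "2025-11-03T10:00:01Z" },
  { url: "https://pro.ip-api.com/",                 startedAt: "2025-11-03T10:00:02Z" },
  { url: "https://www.linkedin.com/collect",        startedAt: "2025-11-03T10:00:03Z" },
  { url: "https://www.google.com/collect",          startedAt: "2025-11-03T10:00:10Z" },
];

// Heuristic registrable domain: last two labels. A production audit should use the
// Public Suffix List so hosts such as example.co.uk are grouped correctly.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns third-party request count, the hosts that fired before consent,
// the pre-consent rate among third-party requests, and undisclosed vendor domains.
function auditPreConsent(log, consentAt, firstParty, disclosed) {
  const disclosedSet = new Set(disclosed);
  const thirdParty = log
    .map((e) => ({ ...e, host: new URL(e.url).hostname }))
    .filter((e) => registrableDomain(e.host) !== firstParty);
  const preConsent = thirdParty.filter((e) => Date.parse(e.startedAt) < consentAt);
  const undisclosed = [...new Set(thirdParty.map((e) => registrableDomain(e.host)))]
    .filter((d) => !disclosedSet.has(d));
  return {
    thirdPartyCount: thirdParty.length,
    preConsentHosts: preConsent.map((e) => e.host),
    preConsentRate: thirdParty.length ? preConsent.length / thirdParty.length : 0,
    undisclosed,
  };
}

// Stand-alone run over the constructed log.
console.log(JSON.stringify(auditPreConsent(REQUEST_LOG, CONSENT_AT, FIRST_PARTY, DISCLOSED_VENDORS), null, 2));
```

Run it against a real HAR export by mapping each entry's `request.url` and `startedDateTime` into the `url`/`startedAt` shape above and setting `CONSENT_AT` from the consent banner's click time.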