Category Definition

SOC 2 doesn’t test what vendors do on your site.

SOC 2 audits a vendor’s internal controls — their servers, their policies, their infrastructure. It does not audit what the vendor’s code does when it runs on YOUR website, inside YOUR CRM, with YOUR customer data.

A vendor can pass SOC 2 on Tuesday and exfiltrate your pipeline on Wednesday. Both are true at the same time.

What SOC 2 Tests

  • Are encryption policies documented?
  • Are access controls configured?
  • Are incident response plans in place?
  • Are change management procedures followed?
  • Are monitoring and logging operational?

These are important. They verify the vendor’s internal security posture. This is necessary. It is not sufficient.

What SOC 2 Does NOT Test

  • What does the vendor's script actually DO on your website?
  • Does the vendor fire tracking before consent?
  • Does the vendor load undisclosed third-party scripts?
  • Does the vendor exfiltrate your CRM data to external endpoints?
  • Does the vendor's code behave differently when auditors are watching?

These are the questions that determine whether a vendor is safe for YOUR environment. SOC 2 has no mechanism to answer them.

Case Study

SOC 2 Certified. Actively Blocking SOC 2 Auditors.

BLACKOUT discovered a GTM vendor claiming SOC 2 Type 2 certification while deploying code specifically designed to detect and evade the testing tools SOC 2 auditors use. The auditors tested a clean version. Customers got the real one.

Defeat Device — Auditor Detection Regex
/bot\b|spider|crawler|selenium|webdriver|puppeteer|playwright|headless|phantom|automated/i

This regex runs on every page load. If any of these strings are detected in the user agent, the script completely disables all tracking behavior — no cookie collection, no consent bypass, no cross-site exfiltration. The auditor sees a clean, compliant script. Real visitors get the full surveillance payload.

What the SOC 2 Auditor Saw

  • Script loads cleanly
  • No unauthorized data collection
  • Consent mechanisms respected
  • No third-party cookie access
  • No external data transmission

Result: SOC 2 Passed

What Actually Runs on Customer Sites

  • Consent polling loop (600ms retry until consent bypassed)
  • HubSpot session cookie theft (hs_hubspotutk)
  • Facebook attribution cookie theft (fbp, fbc)
  • Base64-obfuscated datacenter detection
  • Exfiltration to undisclosed sub-processors

Result: FTC Complaint Filed
Trust Service Criteria Violated

What SOC 2 should have caught.

The audit didn’t fail. The audit was deceived. These Trust Service Criteria were violated in production while the audit tested a sanitized version of the code.

CC6.1 Access Controls

Theft of third-party authentication tokens (HubSpot session cookies, Facebook attribution IDs) without authorization from cookie originators.

CC6.6 System Boundary Controls

Unauthorized data transmission to undisclosed endpoints. Customer data exfiltrated to servers not listed in subprocessor documentation.

CC7.2 Security Event Monitoring

Defeat device specifically designed to evade monitoring tools. The system presents different behavior when security testing tools are detected.

CC8.1 Change Management

Dual-behavior code deployed to production — one path for real users (tracking enabled), another for automated testing (tracking disabled). No change management documentation for this branching.

PI1.1 Privacy Notice

Actual data collection scope (cookie theft, consent bypass, cross-site tracking) not reflected in privacy documentation reviewed during audit.

The Structural Problem

SOC 2 audits the vendor.
Nobody audits what the vendor does to you.

The Vendor Pays

SOC 2 audits are paid for by the vendor being audited. The vendor chooses the auditor, defines the scope, and controls what systems are included. The customer has no input.

The Scope Is Internal

SOC 2 tests the vendor’s internal infrastructure. It does not test the vendor’s JavaScript executing on customer websites. Client-side behavior is outside audit scope by design.

The Test Is Evadable

Auditors use standard testing tools. Vendors know which tools. A single regex can detect every auditing framework and present compliant behavior. The test is structurally defeatable.

What BLACKOUT Does

We don’t ask vendors if they’re compliant.
We watch them run.

Runtime Behavioral Observation

We execute vendor scripts in a real browser and observe every network request, every cookie, every DOM mutation, every data transmission. Not a questionnaire. Not an external scan. Direct observation of what the code actually does.

3-Pass Consent Testing

We scan before consent, after accepting, and after rejecting. This reveals vendors that fire before users consent, vendors that ignore rejection, and the delta between what runs before and after. SOC 2 has no equivalent test.

Defeat Device Detection

We identify scripts that behave differently when being observed — bot detection, user-agent filtering, headless browser evasion. If a vendor’s code changes behavior when auditors are watching, we flag it. This is the finding SOC 2 structurally cannot make.
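The two checks described above (the 3-pass consent test and defeat device detection) in miniature, as an added example that is not BLACKOUT’s code: a vendor script is run in a sandboxed function with a fake navigator, a recording fetch and a constructed consent object, and its behavior is compared across consent states and across a real versus an automation-style user agent. The two vendor scripts, the endpoint URLs and the consent object are constructed for illustration.

```javascript
// Added example, not BLACKOUT's platform code. Runs vendor JavaScript under a fake
// navigator, a recording fetch and a constructed consent object, then compares
// what fires across the three consent passes and across a real vs. an
// automation-style user agent. Behavior that differs only because the user
// agent looks automated is the "defeat device" signal the page describes.

// Regex quoted on the page, reused here to choose an auditor-style user agent.
const AUDITOR_UA_RE = /bot\b|spider|crawler|selenium|webdriver|puppeteer|playwright|headless|phantom|automated/i;
const REAL_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0';
const AUDIT_UA = 'Mozilla/5.0 HeadlessChrome/120.0'; // matches AUDITOR_UA_RE

// Constructed vendor scripts (hypothetical, for illustration only).
// Evasive: goes quiet under an automation UA, otherwise beacons regardless of consent.
const EVASIVE_SCRIPT = `
  if (/bot\\b|spider|crawler|selenium|webdriver|puppeteer|playwright|headless|phantom|automated/i
        .test(navigator.userAgent)) return;
  fetch('https://collector.example/beacon', { body: JSON.stringify({ page: location.href }) });
`;
// Honest: beacons only after the user accepted, whatever the user agent.
const HONEST_SCRIPT = `
  if (consent.status !== 'accepted') return;
  fetch('https://collector.example/beacon', { body: JSON.stringify({ page: location.href }) });
`;

// Execute one script with a given user agent and consent state; return recorded requests.
function observe(source, userAgent, consentStatus) {
  const requests = [];
  const fakeFetch = (url, opts = {}) => { requests.push({ url, body: opts.body }); return Promise.resolve(); };
  const sandbox = new Function('navigator', 'fetch', 'consent', 'location', source);
  sandbox({ userAgent }, fakeFetch, { status: consentStatus }, { href: 'https://customer.example/pricing' });
  return requests;
}

// The 3-pass consent test: request counts before consent, after accept, after reject.
function consentPasses(source, userAgent) {
  return {
    before: observe(source, userAgent, 'pending').length,
    accepted: observe(source, userAgent, 'accepted').length,
    rejected: observe(source, userAgent, 'rejected').length,
  };
}

// Findings a reviewer would want: consent violations plus the runtime and static defeat-device signals.
function analyze(source) {
  const real = consentPasses(source, REAL_UA);
  const audit = consentPasses(source, AUDIT_UA);
  const automationKeywords = /headless|webdriver|puppeteer|playwright|selenium/i;
  return {
    firesBeforeConsent: real.before > 0,
    ignoresRejection: real.rejected > 0,
    defeatDevice: JSON.stringify(real) !== JSON.stringify(audit),
    testsForAutomation: /userAgent/.test(source) && automationKeywords.test(source),
  };
}
```

`analyze(EVASIVE_SCRIPT)` flags all four findings, while `analyze(HONEST_SCRIPT)` flags none; a real observer would replace the fake fetch with network capture from an instrumented browser.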

Claims vs. Reality

We compare what a vendor claims in their privacy policy, trust center, and DPA against what we observe at runtime. The gap between those two documents is the finding. SOC 2 reviews the claim. BLACKOUT tests the reality.

SOC 2 asks vendors to prove they’re secure.

BLACKOUT proves whether they’re honest.

You need both. But only one of them watches what happens on your site.

See the Platform