audit report
Okta
Okta loaded 7 third-party domain(s), of which 3 are privacy-sensitive. 1 warn finding(s): Observed vendors not named in policy. Privacy-sensitive vendors observed: Cloudflare Web Analytics, Google Tag Manager, OneTrust.
claim vs. reality
“We collect contact information (such as your first and last name, email address, and phone number), professional information, or other types of information that a customer chooses to submit.”
observed · html
Cloudflare Web Analytics
findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Cloudflare Web Analytics.
how we detected this → Cloudflare Web Analytics
- note
Cloudflare Web Analytics loaded (analytics)
Observed 1 time(s) on the page.
how we detected this → script src: https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015
- note
OneTrust loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → script src: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-KXMLV58
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
- info
OneTrust: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
- info
Google Tag Manager: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Cloudflare Web Analytics | cloudflareinsights.com | analytics | 1 | not named |
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| OneTrust | cookielaw.org | tag_manager | 1 | named |
| Adobe Experience Cloud | hlx.page | hosting | 1 | not named |
| Adobe Typekit | typekit.net | fonts | 1 | not named |
| Google APIs | googleapis.com | api | 2 | not named |
| Google Static | gstatic.com | cdn | 1 | not named |
policy claims
source · https://www.okta.com/privacy-policy/
- collects pii: yes
- shares 3p: yes
- sells data: yes
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (9)
Google Analytics, Google, Marketo, Facebook, Twitter, OneTrust, BBB National Programs, Digital Advertising Alliance, Network Advertising Initiative
retention
Okta retains Personal Data for a period consistent with the original purpose of collection or as necessary to comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on business, legal and regulatory needs, with data request records retained for at least 24 months as required by CCPA.
user rights
Users have rights including: access, rectification, erasure/deletion, restrict processing, data portability, object to processing, opt-out of sale/sharing of data, and non-discrimination. California residents also have rights to know, delete, opt-out of sale/sharing, limit use of sensitive data, and correct inaccurate data. Users can request these through online forms or contact methods provided.
response headers
- hsts: yes
- csp: no
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://okta.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://okta.com
provenance
This audit was generated by running stackpeek against https://okta.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.