stackpeek

audit report

WorkOS

https://workos.com · identity

mismatch
scanned 2026-04-16 23:36:25 utc permalink · /audit/workos

WorkOS's privacy policy claims to use Google Analytics, Segment, Mixpanel, Heap, and Amplitude for analytics, yet the observed tech stack contains only Clearbit (for analytics) and Intercom (for chat support)—none of the named services appear in actual network traffic. The policy also explicitly prohibits selling data and permits access only by employees, service providers, and trusted third parties, which is consistent with the lean third-party footprint observed. The policy claims cookie usage, but no cookies were set during the page load. The stated retention policy acknowledges that residual data may remain after account closure, which is a transparent disclosure. Overall, the gap between the named analytics vendors and what is actually loaded suggests either outdated policy documentation or conditional loading of analytics scripts.

claim vs. reality


“"Personal data" means any data that enables a person to be identified, e.g. your family name, given name, photograph, or email address”

— WorkOS privacy policy

observed · html

Policy claims: 'Google Analytics, Segment, Mixpanel, Heap, Amplitude' in named_third_parties

findings


  1. mismatch

    Named analytics vendors absent from observed tech stack

    The privacy policy explicitly lists Google Analytics, Segment, Mixpanel, Heap, and Amplitude as analytics services used by WorkOS. However, the actual page load reveals only Clearbit (analytics) and no traces of the five named vendors. This represents a significant gap: either these scripts are loaded conditionally (e.g., only for certain user cohorts or after consent), are loaded asynchronously outside the initial page load window, or the policy documentation is stale and no longer reflects current practice.

    Policy claims: 'Google Analytics, Segment, Mixpanel, Heap, Amplitude' in named_third_parties
    Observed: clearbitscripts.com (category: analytics) only; no GA, Segment, Mixpanel, Heap, or Amplitude domains detected

  2. warn

    No HSTS header

    The response did not include a Strict-Transport-Security header. Users on a compromised network could be downgraded to plaintext HTTP.

  3. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Clearbit.

    Clearbit

  4. note

    Clearbit loaded (analytics)

    Observed 1 time(s) on the page.

    script src: https://tag.clearbitscripts.com/v1/pk_b2a761cf26e5e5bdf5b98c8f3122ed06/tags.js

  5. note

    Cookie policy claim not corroborated by observed cookies

    The policy states WorkOS 'uses cookies to record log data' and mentions both session-based and persistent cookies for login maintenance and analytics. However, the page load shows 'cookies_set: []'—no cookies were actually set. This could indicate cookies are only set after user interaction or authentication, but it creates ambiguity about when the policy's cookie claims apply to the passive visitor.

    Policy claim: 'WorkOS uses both session-based and persistent cookies'
    Observed: cookies_set: [] (empty array)

  6. info

    Clearbit presence unmentioned in privacy policy

    Clearbit (a B2B data enrichment platform owned by HubSpot) is actively loaded but receives no explicit mention in the privacy policy's named third parties or analytics section. This represents an incomplete disclosure of third-party data flows, as Clearbit typically enriches company and individual data profiles.

    Observed: clearbitscripts.com with 1 hit (category: analytics)
    Policy: No mention of Clearbit in named_third_parties or claims sections

third parties observed


vendor          domain                  category      hits  disclosure
Clearbit        clearbitscripts.com     analytics        1  not named
AWS CloudFront  cloudfront.net          cdn              1  not named
Cloudflare      cloudflare.com          cdn              5  not named
HubSpot         hubspotonwebflow.com    embed            1  not named
Intercom        intercom.io             chat_support     1  not named
Webflow         website-files.com       cdn            122  not named
Webflow         webflow.services        api              1  not named
jsDelivr        jsdelivr.net            cdn              7  not named
unpkg           unpkg.com               cdn              1  not named

policy claims


source · https://workos.com/privacy

collects pii: yes
shares 3p: yes
sells data: no
cookies: yes
analytics: yes
advertising: not stated

named third parties (5)

Google Analytics, Segment, Mixpanel, Heap, Amplitude

retention

Personal data is retained for the period necessary to fulfill the purposes outlined in the Privacy Policy unless a longer retention period is required by law. Residual data may remain in databases after account closure.

user rights

Users can exercise personal data subject rights by sending an email to support@workos.com with their specific request.

response headers


hsts: no
csp: yes
server: cloudflare

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://workos.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://workos.com


provenance


This audit was generated by running stackpeek against https://workos.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.