
Audit checklist

What's on your client's site? An auditor's checklist

A practical checklist for agencies, consultants and freelancers who need to know what a client’s website is actually loading. Run the scan first, work the checklist second.

Scan a client site (free, no signup)

Paste any public URL. You get a shareable report with every third-party vendor classified by region.

Free · No signup · We only scan the front page + one bonus page

Why agencies run this audit

Most clients have no idea what their own website is loading. The tag manager has been touched by three agencies, four interns and a marketing automation consultant. The result is a slow site, a confusing cookie banner and a privacy policy that lists vendors that haven’t been used in years.

The audit conversation goes the same way every time:

  • “What’s loading on the site?”
  • “I think we have Google Analytics. Maybe Hotjar?”
  • “We removed Facebook Pixel last year. I think.”

Three minutes with a network tab usually finds twelve more vendors. StackPatrol does the same thing in fifteen seconds and produces a shareable report you can drop into a proposal.

The checklist

Run a StackPatrol scan, open the report, and walk the client through these eight items. Every one is something a working auditor needs to know.

  1. What third-party domains is the front page contacting? Look for the unfiltered request list. Anything you can’t instantly identify is a candidate for removal.
  2. Which vendors are US-owned? For European clients, US-owned vendors trigger Schrems II obligations: a transfer impact assessment, supplementary measures, often a cookie-banner update.
  3. Which vendors are unmatched? Unmatched domains are usually one of three things: a small regional tool, a CDN nobody documented, or a leftover from a campaign that ended in 2022. Each one is a question to ask.
  4. How many trackers fire before consent? Run the scan in a fresh incognito session. Anything that loads before a banner click is a compliance bug.
  5. Are there duplicate vendors? It is common to find two analytics tools, two tag managers, two consent platforms. Each duplicate costs money and slows the page.
  6. Are there vendors with no business owner? If nobody at the client can explain why a vendor is loading, it should be removed. Document the question, not the answer.
  7. Are there European alternatives worth proposing? For each US vendor StackPatrol surfaces, check the suggested European alternative. Many clients will switch if you do the evaluation work for them.
  8. What does the cookie banner actually disclose? Compare the vendor list in the banner against the scan report. If the banner is shorter than the scan, the privacy policy is wrong.
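Items 1, 4 and 8 can also be checked by hand against a HAR file exported from the browser's network tab in a fresh incognito session. The sketch below is an added example, not StackPatrol's code: `auditHar`, the sample capture, the first-party domain `client.example`, the consent-click timestamp and the banner's vendor list are all constructed assumptions.

```javascript
// True when host is `domain` itself or a subdomain of it.
const under = (host, domain) => host === domain || host.endsWith("." + domain);

// har: parsed HAR JSON; firstParty: the client's own domain;
// consentAt: ISO time the auditor clicked the banner; disclosed: banner vendor domains.
function auditHar(har, firstParty, consentAt, disclosed) {
  const consentMs = Date.parse(consentAt);
  const firstSeen = new Map(); // third-party host -> earliest request time (ms)
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the capture
    }
    // data: and blob: URLs have an empty hostname; first-party requests are not findings.
    if (!host || under(host, firstParty)) continue;
    const t = Date.parse(entry.startedDateTime);
    firstSeen.set(host, Math.min(firstSeen.get(host) ?? t, t));
  }
  const hosts = [...firstSeen.keys()].sort();
  return {
    thirdParty: hosts,                                                  // item 1
    preConsent: hosts.filter(h => firstSeen.get(h) < consentMs),        // item 4
    undisclosed: hosts.filter(h => !disclosed.some(d => under(h, d))),  // item 8
  };
}

// Constructed sample capture (not from a real site); paths are illustrative.
const entry = (time, url) => ({ startedDateTime: time, request: { url } });
const sampleHar = { log: { entries: [
  entry("2024-05-01T10:00:00.000Z", "https://www.client.example/"),
  entry("2024-05-01T10:00:00.400Z", "https://www.googletagmanager.com/gtm.js"),
  entry("2024-05-01T10:00:00.900Z", "https://www.google-analytics.com/g/collect"),
  entry("2024-05-01T10:00:01.000Z", "data:image/gif;base64,R0lGOD"),
  entry("2024-05-01T10:00:06.000Z", "https://connect.facebook.net/en_US/fbevents.js"),
  entry("2024-05-01T10:00:06.200Z", "https://static.hotjar.com/c/hotjar.js"),
]}};

const report = auditHar(
  sampleHar,
  "client.example",
  "2024-05-01T10:00:05.000Z",            // assumed moment of the banner click
  ["google-analytics.com", "hotjar.com"] // assumed vendor list from the banner
);
console.log(report);
```

Hosts are matched by exact name or subdomain, so a vendor that serves from an unrelated CDN hostname still shows up as undisclosed and needs a manual look.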

What clients usually ask next

Once you hand over a report, expect three follow-up questions:

  • “Can we replace [US vendor] with something European?” Often yes. The vendor pages on our directory list common alternatives.
  • “Will removing this break analytics?” Sometimes. Most modern EU analytics tools (Plausible, Matomo, Fathom, Piano) have feature parity for the typical marketing dashboard.
  • “How do we know we’re done?” Re-scan after every change. The report is shareable, so you can show progress over time.

Common findings

Patterns we see on most European sites:

  • Google Tag Manager loading a US chatbot, which loads a Cloudflare worker, which writes a cookie set by a US fraud-detection vendor. The dependency tree is the story.
  • “EU-region” Google Analytics that still phones home to google-analytics.com on first request.
  • Old Facebook Pixel from a 2021 campaign, still firing, still sending hashed emails.
  • Three font providers when one would do: Google Fonts + Adobe Fonts + a self-hosted leftover.

Pricing your audit

Agencies typically charge for the analysis and recommendations, not the scan itself. A useful structure:

  • Free: Run a StackPatrol scan, share the report, highlight one or two findings. Use it as a lead magnet.
  • Paid (4–8 hours): Walk the eight-item checklist with the client, write a short remediation plan, recommend specific replacements.
  • Project (2–6 weeks): Implement the replacements, update the cookie banner, write the privacy policy, set up monitoring.

Frequently asked questions

Can I use StackPatrol scans in client deliverables?

Yes. StackPatrol is free and the reports are shareable via a public URL (/r/<id>). Many agencies link to a scan in their pitch decks or audit reports. Attribution is appreciated but not required.

Does StackPatrol find vendors that only appear on internal pages?

Today we scan the front page plus one additional internal page (typically a checkout, contact, pricing, signup or login page) to catch vendors that only load deeper in the site. Full-site crawling is on the roadmap; if you need it for a client engagement, get in touch.

Is this enough for a Schrems II / Transfer Impact Assessment?

No. StackPatrol gives you a fast, accurate inventory of front-end vendors and their ownership region — the boring discovery step. The legal analysis (lawful basis, SCCs, supplementary measures) is your job.

How does this compare to BuiltWith or Wappalyzer?

Those are sales-intelligence tools. They tell you which technologies a site uses so you can pitch products to it. StackPatrol is a privacy and digital-sovereignty tool: it classifies vendors by ownership region, explains the jurisdictional risk, and suggests European alternatives.

Try it on a client site now

Free, no signup, results in under thirty seconds.
