Data Watch monitors every destination your site sends data to and alerts you the moment a new one appears. If something starts exfiltrating data to a destination you didn't authorise, you'll know.
Catching a new script on your site matters. But for attacks like Magecart, the injection is only the first step. The real damage happens when stolen data gets sent to a server the attacker controls. The script that steals a card number is useless until that number reaches a destination the attacker owns.
A compromised third-party dependency starts sending form data to a drop server. The script itself may not be new — it was already on your page. What changed is where it sends data.
A script quietly redirects XHRs to an unfamiliar endpoint, siphoning session tokens from authenticated users. The session is valid. The destination isn't.
A payment page begins exfiltrating card details to a week-old domain. The form looks normal to the user. The data is going somewhere you never authorised.
Data Watch maintains a live inventory of every destination your site sends data to and monitors it continuously. When a new one appears, you know about it.
Data Watch maintains a live inventory of every endpoint your site sends data to — XHRs, form submissions, and other outbound connections. Each destination is logged with when it first appeared, when it was last seen, and how frequently your site communicates with it. No manual cataloguing. No spreadsheets.
The moment your site sends data to a destination Data Watch hasn't seen before, you're notified by email, webhook, or both. You set the alert threshold — notify on the first new destination, or wait until several accumulate. Either way, you see the change before it becomes a pattern.
www.example.com and checkout.example.com are monitored separately. You choose which parts of your site to watch and receive alerts for each independently. High-sensitivity pages like payment flows can be monitored with tighter thresholds than the rest of the site.
Known-noisy endpoints — ad trackers with rotating paths, A/B testing infrastructure, CDN assets with build hashes — can be excluded per watcher so they don't trigger false alerts. Up to 50 exclusions per watcher, each matched by URL prefix.
If you already have a CSP deployed — in enforce or report-only mode — Data Watch starts analysing your reports immediately. Add a site to monitor, and every inbound CSP report for that site is checked for new data egress destinations.
No full CSP yet? You can still use Data Watch. A minimal report-only header is enough to start tracking where your site sends data without blocking anything:
Content-Security-Policy-Report-Only:
default-src * 'unsafe-inline' 'unsafe-eval';
connect-src 'self'; form-action 'self';
report-uri https://your-subdomain.report-uri.com/r/d/csp/reportOnly
This generates reports for any data sent to destinations outside your own domain. No enforcement, no risk to site functionality, and Data Watch begins monitoring immediately. As you identify expected endpoints, add them to the policy to reduce report volume — the monitoring stays just as effective.
Data Watch monitors where data goes after it leaves the page. It doesn't inspect the contents of that data, and it doesn't block outbound connections. What it does is make unauthorised data flows visible — immediately — so you can act before data reaches a destination it shouldn't.
| Data Watch does | Doesn't replace |
|---|---|
| Track every data egress destination across your site | DLP tools for internal data classification |
| Alert on new or unexpected outbound connections | Network-level traffic inspection |
| Log destination history with timestamps and frequency | SIEM event correlation |
| Support PCI DSS 11.6.1 behavioural monitoring | Full PCI DSS compliance (see PCI DSS Compliance →) |
Data Watch maps to Requirement 11.6.1 — the behavioural exfiltration monitoring PCI DSS 4.0.1 asks for. The full compliance story lives on the PCI DSS Compliance page.
Data Watch is included on Business plans and higher. No full CSP required to get started.
30-day free trial · No full CSP required · Alerts on every new destination
Data Watch tells you where your data goes and when a new destination appears. These capabilities build on the same browser-native data to complete the picture.
| Capability | What it adds |
|---|---|
| Script Watch | Monitors what code is on your site. Script Watch catches the injection; Data Watch catches the exfiltration. |
| Threat Intelligence | Enriches Data Watch destinations with threat context — flagging when data flows to a domain that's a known IoC, recently registered, or low-reputation. |
| Policy Watch | Monitors your deployed CSP for changes. If your policy is modified to allow a new data destination, Policy Watch flags the change. |
Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.