GDPR · Security · Ecosystem · Performance

Everything Palladium manages for you. Everything we work with.

A consent platform is not just a banner. It's the junction point between your site, your marketing, your security and the law. Palladium Cookies handles that junction end-to-end — and speaks the language of all your tools.

§ 1 · What's managed

Six guarantees, no asterisk.

gdpr

Operational GDPR compliance

Banner compliant with GDPR art. 7 and 4(11), proof register art. 30, data-subject rights art. 12-22, processing art. 28. CNIL guidelines followed.

eprivacy

ePrivacy and local laws

ePrivacy directive, CNIL and EDPB guidelines, Spanish LSSI-CE, German TTDSG, US GPC. Automatic detection of visitor jurisdiction.

auth

Robust authentication

PBKDF2-HMAC-SHA256 password hashing (210k iterations, per-user salt), optional TOTP MFA RFC 6238, RBAC, HttpOnly + Secure + SameSite sessions, session rotation via SecurityStamp. OpenID Connect SSO under development.

ecosystem

Compatible with your ecosystem

Google Consent Mode v2, IAB TCF 2.2, Meta Pixel, Microsoft Clarity, LinkedIn, TikTok. Tag managers, CRM, CMS, e-commerce — already wired.

perf

No performance impact

Async snippet served from a multi-PoP CDN. No Largest Contentful Paint blocking. Core Web Vitals compatible.

sovereignty

European sovereignty

EU hosting by default, Art. 28 DPA, EU subprocessors prioritised, transfers framed by 2021 SCCs and TIA.

§ 2 · Module catalogue

Fifteen modules. None for show.

Each module addresses a concrete need: compliance, management, measurement, integration. Here is what ships, per module, with applicable plans.

dashboard

Executive dashboard

Unified compliance view
All plans

14-day consent trend, compliance checklist, top domains by acceptance rate, synthetic activity KPIs.

  • 14-day consent trend
  • Dynamic compliance checklist
  • Top 4 domains by acceptance rate
  • 4 KPIs: domains, consents, rate, compliance
domains

Multi-domain management

Centralised management of a site fleet
All plans

Add, suspend, archive. Lifecycle status. Per-domain tracking of cookie count, acceptance rate and latest scan.

  • Statuses: Pending → Active → Paused
  • Snippet versioning for audits
  • 9 editorial + 13 theme fields per domain
  • Plan quotas (1 / 10 / 50 / unlimited)
banner

Professional banner editor

Full customisation without code
From Pro plan

Palladium's visual differentiator. 8 layouts, 9 animations, 6 fonts, gradients, shadows, badges, multi-language — all in a visual editor.

  • 8 layouts (centered, slide, floating, full-screen…)
  • 9 entrance animations
  • 6 built-in fonts
  • Gradient builder + 3 colour pickers
  • Client logo (URL or data-URI)
  • Multilingual via BCP-47 locales
  • Built-in real-time preview
catalog

Cookie catalogue

Detailed per-domain inventory
All plans

Each detected cookie: name, category, vendor, duration, type, description, injection mode. Search, filters, bulk classification.

  • 5 categories: Necessary, Preferences, Statistics, Marketing, Unclassified
  • Search, filters, per-row editing
  • Bulk classification
  • Human edits preserved across re-scans
scanner

Autonomous cookie scanner

Automatic detection and classification
From Pro plan

Multi-page crawl, HTML analysis, native recognition of over 70 major third-party cookies, regex heuristics for first-party cookies, Set-Cookie header capture.

  • Crawl up to 4 URLs per domain, 15 s timeout
  • Automatic HTTP/HTTPS fallback
  • Over 70 third-party cookies natively recognised
  • Regex heuristics for first-party
  • Automatic counter updates
consents

Consent register

Zero-PII legal register
All plans

Consent ID, UTC timestamp, per-purpose flags, SHA-256 IP hash, coarse geolocation. Statistical summary. CSV / JSON export for audit.

  • Flags: Accept All, Necessary, Preferences, Statistics, Marketing
  • SHA-256 IP hash, raw IP never persisted
  • Summary: acceptance, refusal, partial rates
  • CSV export (Pro+) and S3 / GCS / SFTP sync (Business+)
  • Retention: 3 / 24 / 60 months by plan
statistics

Geolocated statistics

World map and A/B testing
From Pro plan

Leaflet map: circle size = volume, colour = acceptance rate. Top 15 countries, top 25 cities. Time and domain filters. A/B testing included.

  • Interactive Leaflet map
  • Top 15 countries, top 25 cities
  • Time filters: 7, 30, 90 days
  • 4 synthetic geo KPIs
  • Banner variant A/B testing
compliance

Compliance module

Score, CNIL report, auto-remediation
Available on Business+ (roadmap)

Regulatory compliance dashboard with score, exportable CNIL report and auto-remediation suggestions.

  • Dynamic compliance score
  • Exportable CNIL report
  • Auto-remediation suggestions
install

Guided installation

Snippet, verifier, multi-CMS
All plans

Ready-to-paste HTML snippet (defer attribute), dedicated tabs for HTML / React / Next.js / Shopify / WordPress, one-click install verifier.

  • Async snippet with defer attribute
  • 5 tabs: HTML, React, Next.js, Shopify, WordPress
  • One-click install verifier
  • List of detected auto-blocked scripts
docs

Documentation and academy

Complete reference and training
Open access

API reference, cURL / Node.js / Python snippets, GDPR best-practice guides, template library, status page, changelog, FAQ.

  • Complete API reference
  • cURL, Node.js, Python snippets
  • Banner template library
  • Public changelog and status page
  • Optional Enterprise team training
team

Team management

4 roles, per-domain permissions
From Business plan

Multi-user console with 4 roles, active / inactive state management, granular per-domain permissions on Business+.

  • Roles: SuperAdmin, Admin, Client, Viewer
  • Per-domain permissions (Business+)
  • 25 seats on Business, unlimited on Enterprise
  • Hot enable / disable
multi-clients

Multi-client console

White-label for agencies and resellers
Agency / reseller add-on (quote)

Operator-only console: customer account list, per-account KPIs, bulk operations. Ideal for digital agencies and resellers.

  • Full customer account list
  • Per-account KPIs: domains, cookies, status
  • Bulk operations
  • Customisable branding
billing

Billing and usage

Real-time meters, upgrade paths
All plans

Real-time domain and consent meters, visual bars, billing history, prorated upgrade and downgrade paths.

  • Real-time domain / consent meters
  • Visual progress bars
  • Billing history
  • Pay-as-you-go beyond quota
  • Prorated downgrade, no commitment
api

REST API and webhooks

All-in-one for custom integrations
From Business plan

Documented endpoints, real-time signed webhooks on consent events, per-domain bcrypt-hashed API keys, full request logging.

  • POST /v1/consent — server-side recording
  • Signed real-time webhooks
  • Per-domain bcrypt API keys, prefix shown once
  • Complete API request log
  • OpenAPI 3.1 and official SDKs
roi

Public ROI calculator

Decision-support for your prospects
All plans

Pricing-page tool: prospect inputs (monthly visits, domains, legal hours), outputs (recommended plan, cost, projected savings).

  • Dynamic plan recommendation
  • Projected monthly and annual cost
  • Legal hours saved
§ 3 · Regulatory coverage

One banner. All jurisdictions.

Automatic visitor-jurisdiction detection, automatic switching of consent model (opt-in / opt-out), adherence to current standards.

  • GDPR (EU): Explicit opt-in (All plans)
  • ePrivacy (EU): Opt-in tracking, necessary exemption (All plans)
  • CCPA / CPRA (California): Automatic opt-out (From Pro)
  • LGPD (Brazil): Categorised opt-in (From Pro)
  • TCF 2.2 IAB: Programmatic ad framework (From Business)
  • Google Consent Mode v2: Native connector (From Pro)
  • LSSI-CE (Spain): AEPD-compliant opt-in (All plans)
  • TTDSG (Germany): § 25 compliant (All plans)
  • Global Privacy Control: Browser signal honoured (From Pro)
§ 4 · The detail

Three pillars. No grey area.

GDPR, authentication, partner ecosystem. Here is what is covered and who we work with, in detail.

gdpr

Everything GDPR

Consent end-to-end, no blind spot.

  • CNIL and EDPB compliant banner
  • Per-purpose granularity
  • Art. 30 proof register
  • Data-subject rights art. 12-22
  • Art. 28 DPA available
  • Subprocessors published
  • EU hosting by default
  • 2021 Standard Contractual Clauses
  • Automatic jurisdiction detection
  • Withdrawal as easy as collection
auth

Everything authentication

No weak link on the identity side.

  • PBKDF2-HMAC-SHA256, 210,000 iterations
  • Per-user salt, versioned format
  • Optional TOTP MFA RFC 6238
  • RBAC: SuperAdmin, Admin, Client, Viewer
  • HttpOnly · Secure · SameSite sessions
  • Session rotation via SecurityStamp
  • Timestamped exportable audit log
  • Minimal-scope API keys
  • OpenID Connect 1.0 SSO (roadmap)
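
What the first two items in this list mean in practice, as an added Node.js example that is not Palladium's code: only the algorithm and the 210,000 iteration count come from the page. The `v1$iterations$salt$hash` record layout, the 16-byte salt, the 32-byte key length and the function names are assumptions made for illustration.

```javascript
const { pbkdf2Sync, randomBytes, timingSafeEqual } = require("node:crypto");

const ITERATIONS = 210000; // iteration count stated on the page
const KEY_LEN = 32;        // assumption: full SHA-256 output length
const SALT_LEN = 16;       // assumption: 128-bit random salt per user
const VERSION = "v1";      // assumption: label of the versioned record format

// Stored record (assumed layout): version$iterations$salt_b64$hash_b64
function hashPassword(password, iterations = ITERATIONS) {
  const salt = randomBytes(SALT_LEN); // fresh salt for every user and every change
  const dk = pbkdf2Sync(password, salt, iterations, KEY_LEN, "sha256");
  return [VERSION, iterations, salt.toString("base64"), dk.toString("base64")].join("$");
}

// Returns { ok, needsRehash }. needsRehash is true when a correct password was
// checked against a record created with a lower work factor than the current
// one, so the caller can re-hash it at login time.
function verifyPassword(password, record) {
  const fail = { ok: false, needsRehash: false };
  const parts = String(record).split("$");
  if (parts.length !== 4 || parts[0] !== VERSION) return fail;

  const iterations = Number(parts[1]);
  // Bound the work factor so a tampered record cannot force unbounded CPU use.
  if (!Number.isInteger(iterations) || iterations < 1 || iterations > 10000000) return fail;

  const salt = Buffer.from(parts[2], "base64");
  const expected = Buffer.from(parts[3], "base64");
  if (salt.length !== SALT_LEN || expected.length !== KEY_LEN) return fail;

  const actual = pbkdf2Sync(password, salt, iterations, KEY_LEN, "sha256");
  const ok = timingSafeEqual(actual, expected); // constant-time comparison
  return { ok, needsRehash: ok && iterations < ITERATIONS };
}
```

Keeping the version and iteration count inside each record is what lets the work factor be raised later without forcing a password reset.
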
partners

Everything that validates or integrates

Keep your stack. We speak its language.

  • Google Consent Mode v2 (advanced & basic)
  • IAB TCF 2.2 (TC string propagated)
  • Google Analytics 4, Microsoft Clarity
  • Matomo, Plausible, Segment
  • Meta Pixel, LinkedIn, TikTok, Google Ads
  • Google Tag Manager, Tealium
  • WordPress, Shopify, PrestaShop, Webflow
  • HubSpot, Salesforce, Mailchimp, Brevo
  • REST API, signed webhooks, SDK
§ 6 · Cookie scanner

Over seventy third-party cookies natively recognised.

The scanner crawls your pages, analyses the HTML and automatically categorises every known third-party cookie. For the rest, regex heuristics take over on first-party cookies.

  • Google Analytics: Measurement
  • Google Tag Manager: Tag manager
  • Google Ads: Advertising
  • Meta Pixel: Advertising
  • LinkedIn Insight: Advertising
  • TikTok Pixel: Advertising
  • Hotjar: UX
  • Microsoft Clarity: UX
  • Bing Ads: Advertising
  • YouTube: Video
  • Vimeo: Video
  • Google Maps: Maps
  • reCAPTCHA: Anti-bot
  • Stripe: Payment
  • Intercom: Support
  • Pinterest: Advertising
  • X / Twitter Ads: Advertising
§ 7 · REST API & SDK

Everything is programmable.

Documented OpenAPI 3.1, signed webhooks, official JavaScript and server SDKs. Anything doable in the UI is doable via the API.

Main endpoints

  • POST /v1/consent: Server-side consent recording (categories, user_ref, locale)
  • GET /v1/consent/{id}: Read a consent record
  • POST /v1/consent/export: Bulk export in CSV / JSON
  • GET /v1/cookies: Domain cookie catalogue
  • POST /v1/scan: Trigger a fresh domain scan
  • GET /v1/health: Instance health check
  • POST /v1/webhooks: Create a signed webhook
  • DELETE /v1/webhooks/{id}: Revoke a webhook

Example — cURL
curl -X POST https://api.palladium.cookies/v1/consent \
  -H "Authorization: Bearer plm_a9f4..." \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "monsite.fr",
    "user_ref": "anon-7f3a",
    "locale": "fr-FR",
    "categories": {
      "necessary":   true,
      "preferences": true,
      "statistics":  true,
      "marketing":   false
    }
  }'
JavaScript SDK
@palladium/sdk-js

Official browser SDK, < 8 KB gzipped, zero dependencies.

Server SDK
@palladium/sdk-node

For Node.js, JWT signing, webhook verification, Python and cURL examples.

Webhooks
consent.created · updated · revoked

HMAC-SHA256 signing, exponential retry, full per-webhook log.
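
How a receiving back-end can treat these deliveries, as an added Node.js example that is not Palladium's SDK or documented wire format: it authenticates the raw body with HMAC-SHA256 before parsing, and tolerates the retries mentioned above by de-duplicating on an event id. The hex signature encoding, the `id` and `type` payload fields, the secret and the function names are assumptions; only the event names come from the page.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Event names listed on the page.
const KNOWN_TYPES = new Set(["consent.created", "consent.updated", "consent.revoked"]);

// Assumed scheme: lowercase hex HMAC-SHA256 over the exact request body bytes.
function sign(secret, rawBody) {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// rawBody: Buffer as received on the wire (not re-serialised JSON).
// seen: Set of processed event ids; use a durable store in production.
function handleWebhook(secret, rawBody, signatureHex, seen) {
  // 1. Reject anything that is not a well-formed 32-byte hex digest.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return { status: 400, reason: "malformed signature" };
  }
  // 2. Authenticate the bytes before parsing them, in constant time.
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  if (!timingSafeEqual(expected, Buffer.from(signatureHex, "hex"))) {
    return { status: 401, reason: "bad signature" };
  }
  // 3. Parse only authenticated input and check its shape.
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return { status: 400, reason: "invalid JSON" };
  }
  if (!event || typeof event.id !== "string" || !KNOWN_TYPES.has(event.type)) {
    return { status: 400, reason: "unexpected event" };
  }
  // 4. A retried delivery carries the same event: acknowledge, do not re-apply.
  if (seen.has(event.id)) return { status: 200, reason: "duplicate" };
  seen.add(event.id);
  return { status: 200, reason: "processed", event };
}

// Constructed sample delivery (not real Palladium output).
const SAMPLE_SECRET = "whsec_constructed_example";
const SAMPLE_BODY = Buffer.from(
  '{"id":"evt_0001","type":"consent.revoked","domain":"monsite.fr"}'
);
```
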

§ 8 · Ecosystem

The tools that validate us, those we work with.

Official standards, web measurement, advertising, tag managers, identity, CMS, CRM. Each is wired to honour the declared consent state.

— Standards & validators
they set the rules, we follow
  • Google Consent Mode v2: Official consent signals
  • IAB TCF 2.2: IAB Europe ad framework
  • CNIL: 2020 cookie guidelines
  • EDPB / CEPD: European guidelines
  • OpenID Connect 1.0: Auth standard — roadmap

— Audience measurement
honour the consent state
  • Google Analytics 4: Web analytics
  • Microsoft Clarity: Heatmaps and session replay
  • Hotjar: Heatmaps and feedback
  • Matomo: EU self-hostable analytics
  • Plausible: EU cookieless analytics
  • Segment: Customer data platform

— Advertising
blocked by default, triggered on consent
  • Google Ads: Advertising, Consent Mode v2
  • Meta Pixel: Facebook & Instagram ads
  • LinkedIn Insight Tag: B2B advertising
  • TikTok Pixel: TikTok advertising
  • Bing Ads: Microsoft advertising
  • Pinterest Tag: Pinterest advertising
  • X / Twitter Ads: X advertising

— Tag managers
consent variables exposed
  • Google Tag Manager: Consent variables
  • Tealium iQ: Enterprise tag manager
  • Matomo Tag Manager: EU tag manager

— Identity providers
SSO via OpenID Connect
  • Google Workspace: SSO OIDC — roadmap
  • Microsoft Entra ID: SSO OIDC — roadmap
  • Okta: SSO OIDC — roadmap
  • Auth0: SSO OIDC — roadmap
  • OneLogin: SSO OIDC — roadmap

— CMS and e-commerce
native plugin or universal snippet
  • WordPress: Native plugin
  • Shopify: Storefront integration
  • PrestaShop: Official module
  • Webflow: Universal snippet
  • Drupal: Universal snippet
  • Magento: Universal snippet

— CRM and marketing
signed webhooks on every change
  • HubSpot: Consent webhooks
  • Salesforce: Consent API
  • Mailchimp: Marketing sync
  • Brevo: EU emailing
  • Intercom: Customer support

How does this honour consent?
  • before consent, no third-party tag is loaded (strict mode);
  • for Google, Consent Mode v2 signals are emitted (advanced or basic, your choice);
  • for IAB advertising, the TCF 2.2 TC string is generated and propagated;
  • for your internal systems, signed webhooks are sent on every change.
§ 9 · Subscription plans

Four plans. No commitment.

Thirteen key features and their availability by plan. For detailed pricing see the pricing page.

Feature Free Pro Business Enterprise
Domains included 1 10 50 Unlimited
Consents / month 1,000 100,000 1,000,000 Unlimited
Register retention 3 months 24 months 60 months 60 months + archive
Banner customisation Full Full Full
Advanced statistics + A/B
Google Consent Mode v2
TCF 2.2 IAB
Webhooks and REST API
Automated S3/GCS/SFTP exports
OpenID Connect SSO (roadmap) Roadmap Roadmap
TOTP MFA
Dedicated EU hosting Shared Shared Shared
Signed DPA On request
Dedicated account manager
§ 10 · Use cases

Four profiles. Four deployments.

From the independent merchant to the digital agency. Here is how Palladium adapts to your shape.

ecommerce

Independent e-merchant

« Complete GDPR compliance and a premium banner for €49/month, deployed in minutes on Shopify or WordPress. »

  • 1-line snippet on Shopify or WordPress
  • Customisable premium banner
  • Compatible with Google Consent Mode v2 and Meta Pixel
  • CSV export for audit
retailer

Multi-site retailer

« Manage 50 brands from a single console, export consent proofs to your data lake, offer role-based access. »

  • Centralised multi-domain console
  • Automatic S3 / GCS / SFTP sync
  • Granular per-domain RBAC
  • Real-time webhooks to your back-end
group

Large group

« Sovereign French hosting, TOTP MFA, contracted SLA, dedicated account manager and DPO consulting. OIDC SSO added during the year. »

  • Dedicated French or EU hosting
  • TOTP MFA RFC 6238 available now
  • OpenID Connect SSO on roadmap
  • Signed DPA as standard
  • Dedicated account manager
  • DPO consulting and team training
agency

Digital agency

« Resell Palladium in white-label, manage your customer portfolio from the multi-client console, build recurring margin. »

  • Dedicated multi-client console
  • Customisable branding (colours, logo, domain)
  • Reseller pricing
  • 4-minute customer onboarding
§ 11 · Add-ons and services

Beyond the plan: services.

Additional domains, white-label, DPO consulting, training, enhanced support. Each option is billed separately.

  • Additional domains: Beyond plan quota (Quote)
  • Consent pack: Pre-purchase to avoid overage (€0.40 / 1,000)
  • White-label / Reseller: Multi-client console, custom branding (Quote)
  • Custom connectors: Salesforce, SAP, Adobe Experience Cloud, etc. (Project package)
  • DPO consulting: Audit, recommendations, compliance (Daily rate)
  • Team training: Product onboarding + GDPR best practices (Package)
  • 4-hour business support: Guaranteed first-response time (Included on Business+)
  • Enhanced SLA: Automatic credits on breach (Included on Enterprise)
§ 12 · Concrete questions

What marketing and tech teams ask.

Do we need to change our site to integrate Palladium?
No. A single script line is enough. The banner, cookie scanner and proof register work right away.
Does using Palladium make us CNIL-certified?
The CNIL does not certify CMPs. Palladium follows the CNIL 2020 cookie guidelines and EDPB guidelines; final compliance also depends on your editorial policy.
What if Google changes Consent Mode?
We track official Google documentation updates. Changes ship without action on your side.
Can we use Meta Pixel and stay compliant?
Yes, provided the pixel only loads after explicit consent to the advertising purpose. Palladium blocks the pixel by default and triggers it via the tag manager once consent is given.
Can Microsoft Clarity work with Palladium?
Yes. Clarity is classified under "Statistics" by our scanner and only triggers after consent to that purpose. Sensitive field masking remains your responsibility.
How long to deploy in production?
Minutes for the snippet alone. One to two weeks for an enterprise multi-domain rollout with integration setup, team training and DPA signature.
How does pay-as-you-go billing work?
Beyond your plan's monthly quota, each additional 1,000 consents is billed at €0.40. A monthly cap is configurable. Downgrades are prorated.
Can we automatically export to our data lake?
Yes, from the Business plan onwards. Automatic sync to S3, GCS or SFTP, CSV or JSON format, configurable frequency.
Does the scanner detect third-party cookies automatically?
Yes. The scanner crawls up to 4 URLs per domain, analyses script tags, iframes and inline scripts, and natively recognises over 70 major third-party cookies (Google Analytics, Tag Manager, Google Ads, Meta Pixel, LinkedIn, TikTok, Microsoft Clarity, Hotjar, Tealium, Segment, Bing Ads, YouTube, Vimeo, Stripe, reCAPTCHA, Intercom, Pinterest, X, etc.).
Do you store end-user personal data?
No, beyond a pseudonymous consent identifier. No name, email, plain-text IP or behavioural profile. See the trust center for details.
Can we resell Palladium in white-label?
Yes, via the agency / reseller add-on. Dedicated multi-client console, customisable branding (colours, logo, console domain), reseller pricing on quote.
How does Palladium handle banner A/B testing?
You configure multiple variants (text, layout, colour). The SDK randomly assigns visitors and reports the acceptance rate per variant. Included from the Pro plan.
More legal and security questions? → Trust center

Ready to sleep easy while your marketing runs?

14-day free trial, no credit card. Set up in minutes.