Done-for-you offer · Fractional CMO with AI Swarm · behavioral-signal-ingestion 3-skill bundle · customer-graph agent
Behavioral signal ingestion for DTC ecommerce, multi-channel retail, and multi-location operators — Ingest + Resolve + Emit 3-skill bundle for 80+ canonical signal types under a 5-anchor compliance gate anchored on FTC behavioral-surveillance enforcement + Washington MHMDA + post-cookie-deprecation
You capture behavioral signals from a website (GA4 + Segment + Snowplow), a mobile app (Mixpanel + Amplitude + Adjust + Branch), a Shopify storefront (Shopify Customer Events + Klaviyo + Triple Whale), email (Klaviyo + Iterable + Braze), SMS (Twilio + Postscript + Attentive), chat (Drift + Intercom + Gorgias), call (CallRail + Invoca), and per- location POS + wifi + beacon + foot-traffic vendors. The cross-source identity binding has to survive Apple WebKit Intelligent Tracking Prevention + Firefox Enhanced Tracking Protection + Safari fingerprint randomization + Google Privacy Sandbox + ePrivacy Directive cookie consent. Each of the 80+ canonical signal types carries different consent- provenance + sensitive-PI classification under CPRA Section 1798.121 + cross-context-behavioral-advertising classification under CCPA Section 1798.140(ae) + Washington My Health My Data Act (effective April 2024) + California AADC (effective July 2024) + COPPA + state-patchwork sensitive-PI definitions. The FTC enforcement environment is sharp: FTC v BetterHelp 2023 + GoodRx 2023 + Premom 2023 + X-Mode/Outlogic January 2024 + Avast 2024 + Cerebral 2024 establish operator-side compliance expectations. The CDP, analytics, event-streaming, server-side-tagging, graph-database, reverse-ETL, and consent- management vendors below ship strong primitives. The orchestration above them — canonical signal taxonomy, per- source consent-provenance verification, post-cookie-deprecation server-side routing, identity resolution composition, customer-graph emission contract, cross-skill feedback wiring, compliance gate, audit trail — is operator-side architecture. The compliance gate is anchored on five real anchors: GDPR Articles 6 + 9 + 13 + 14 + 22 + 30 + ePrivacy + EU AI Act Articles 9 + 10 + 11 + 13 + 14 + 15 + Annex III high-risk + Article 50 generative-AI marking; CCPA/CPRA Section 1798.121 sensitive PI + Section 1798.140(ae) cross-context-behavioral- advertising opt-out + state-comprehensive-privacy patchwork + Maryland Online Data Privacy Act + Washington My Health My Data Act; FTC Section 5 unfair-behavioral-surveillance enforcement (BetterHelp + GoodRx + Premom + X-Mode + Avast + Cerebral); per-platform community guidelines + per-platform cookie policy + Browser Privacy Sandbox + WebKit ITP + Firefox ETP + ePrivacy cookie consent; COPPA + California AADC + Connecticut SB 3 + DSA Article 28 + state children-online- privacy patchwork. You keep the CDP + analytics + graph- database relationships, the canonical signal taxonomy, the per-source consent-policy matrix, the per-jurisdiction sensitive-PI policy, the per-platform cookie-policy library, the server-side tagging configuration, the WORM audit trail, the policy-as-code policies, and the LLM prompts. You keep the ability to in-house at any time.
Published September 24, 2026
The real ecosystem this sits above
CDP + analytics
CDP: Segment, mParticle, Rudderstack, Snowplow, Tealium, Treasure Data, Adobe Real-Time CDP, ActionIQ, Amperity, BlueConic, Lytics, Optimove. Analytics: GA4, Adobe Analytics, Mixpanel, Amplitude, Heap, Pendo, Posthog, Plausible, Fathom, Matomo. Each ships strong primitives. Cross-source canonical signal taxonomy + per-source consent- provenance verification above them is operator-side architecture.
Event streaming + server-side tagging
Event streaming: Apache Kafka, Confluent Cloud, AWS Kinesis, Google Pub/Sub, Azure Event Hubs, AWS EventBridge, Apache Pulsar. Server-side tagging: Google Tag Manager Server-Side, Stape, Adobe Launch Server-Side, Segment Connections, Rudderstack server-side. Each ships strong primitives. The post-cookie-deprecation routing + operator-controlled identity-token issuance above them is operator-side architecture.
Graph databases
Neo4j, ArangoDB, TigerGraph, JanusGraph, Amazon Neptune, Memgraph, Dgraph, RedisGraph (shared with deterministic- probabilistic-identity-resolution sibling skill). Each ships strong primitives. The per-node + per-edge + per-property + per-graph-temporal-versioning emission contract above them is operator-side architecture.
Reverse ETL + warehouse
Reverse ETL: Hightouch, Census, Polytomic, RudderStack Reverse ETL. Warehouse: Snowflake, Databricks, BigQuery, Redshift, Postgres. Each ships strong primitives. The cross- skill feedback fan-out to firmographic-enrichment + BANT- scoring + behavioral-enrichment + multi-source-lead- ingestion + identity-resolution sibling skills above them is operator-side architecture.
Consent management
OneTrust, TrustArc, Ketch, Securiti, BigID, Sourcepoint, Cookiebot, Usercentrics, Didomi, Iubenda. Each ships strong primitives. Per-source per-signal-type consent-policy matrix + per-jurisdiction sensitive-PI + cross-context-behavioral- advertising opt-out + Washington MHMDA + AADC enforcement above them is operator-side architecture.
Policy-as-code + WORM storage + legal research
Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. WORM: AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel. Legal research: Westlaw, Lexis+, Bloomberg Law, Practical Law, Compliance.ai, LawGeex. Each ships strong primitives. The per-event compliance gate that maps GDPR + EU AI Act + CCPA + state- patchwork + Washington MHMDA + FTC enforcement + per- platform cookie/Privacy Sandbox/ITP/ETP + COPPA/AADC onto an operator-counsel-approved policy bundle is operator-side architecture.
Frequently asked
What does behavioral signal ingestion for DTC ecommerce + multi-channel retail + multi-location operators actually deliver?
An orchestration layer that sits above the operator CDP + analytics + event-streaming + server-side-tagging + graph-database + reverse-ETL + consent-management + policy-as-code + WORM-storage stack and produces a continuous, identity-resolved, consent-verified behavioral signal stream into the operator customer graph. The skill is a three-skill bundle on the customer-graph agent. Skill 1 — Ingest: capture per-signal per-identity behavioral signals across 80+ canonical signal types (page view, content download, email open + click, form submit, demo request, pricing-page view, case-study view, comparison-page view, checkout abandonment, trial signup + usage, account creation + activation + engagement, video watch + completion, webinar registration + attendance, survey submission, chat + chatbot engagement, search query + site search, product detail view + comparison, cart add + modify + abandonment, wishlist add, review read + write, FAQ + help-center + documentation views, community + forum engagement, social share + mention, referral + affiliate link click, UTM + direct + organic-search + paid-search + paid-social arrival, return visit, session duration + depth + scroll depth, device fingerprint, geocoordinate, timezone, call engagement + listen time + question + objection + emotion + disposition, walk-in engagement + duration + store area, receipt purchase + item count + tender + loyalty tap, app open + session duration + screen view + tap + swipe + pinch + permission grant/deny, push receipt + tap + dismiss, SMS open + link click + reply + opt-out). Ingest captures per-source consent-provenance metadata so the downstream signal carries the operator-counsel-approved consent state from collection. Skill 2 — Resolve: route each signal through the deterministic + probabilistic identity resolution sibling skill to bind the signal to a canonical identity, deduplicate against the operator-counsel-set timestamp window, validate freshness against per-source-type staleness floor, resolve cross-source conflicts under operator-counsel-approved survivorship rules, enforce cross-source + cross-touchpoint consistency, and tag with confidence-tier metadata. Skill 3 — Emit: write the resolved signal into the operator customer graph (Neo4j, ArangoDB, TigerGraph, JanusGraph, Amazon Neptune, Memgraph, Dgraph, RedisGraph — operator chooses) with per-node + per-edge + per-property + per-edge-weight + per-edge-direction + per-edge-attribution + per-graph-versioning + per-graph-temporal-versioning. Cross-skill feedback fans out to firmographic-enrichment, BANT-scoring, behavioral-enrichment, multi-source-lead-ingestion, cross-touchpoint-identity-resolution, and deterministic-probabilistic-identity-resolution sibling skills via the operator-chosen event broker (shared with customer-change-event-emission + master-record-sync sibling skills). Every Ingest, Resolve, Emit decision routes through the 5-anchor compliance gate and writes to the WORM audit trail. The CDP, analytics, event-streaming, server-side-tagging, graph-database, reverse-ETL, and consent vendors below ship strong primitives. The orchestration above them — canonical signal taxonomy, identity resolution composition, customer-graph emission contract, cross-skill feedback wiring, compliance gate, audit trail — is operator-side architecture.
Where does single-vendor behavioral analytics stop compounding for DTC ecommerce + multi-channel retail operators?
Single-vendor behavioral analytics is solved. GA4 + Adobe Analytics + Mixpanel + Amplitude + Heap + Posthog + Pendo each ship strong product + marketing analytics. Segment + mParticle + Rudderstack + Snowplow + Tealium + Adobe Real-Time CDP each ship strong customer data platform primitives. The compound case the customer-graph agent has to handle is the one where a DTC operator captures behavioral signals from a website (GA4 + Segment + Snowplow), from a mobile app (Mixpanel + Amplitude + Adjust + Branch), from a Shopify storefront (Shopify Customer Events + Klaviyo + Triple Whale), from email (Klaviyo + Iterable + Braze), from SMS (Twilio + Postscript + Attentive), from chat (Drift + Intercom + Gorgias), from call (CallRail + Invoca), from walk-in via per-location POS + wifi + beacon + foot-traffic vendors, and needs to bind these signals to a canonical customer identity that survives per-platform cookie-deprecation (Apple WebKit ITP + Firefox ETP + Google Privacy Sandbox + Safari fingerprint randomization), respects the 80+ signal types that each carry different consent-provenance + sensitive-PI classification + cross-context-behavioral-advertising classification under CCPA Section 1798.140(ae), survives the post-2024 FTC enforcement environment against unfair behavioral surveillance (FTC v BetterHelp 2023 telehealth-data sharing settlement, FTC v GoodRx 2023 health-data sharing settlement, FTC v Premom 2023 fertility-app data sharing settlement, FTC v X-Mode/Outlogic January 2024 sensitive-location data settlement, FTC v Avast 2024 browsing-data sale settlement, FTC v Cerebral 2024 telehealth-data sharing settlement), satisfies Washington My Health My Data Act (effective April 2024) and similar state health-data-protection statutes, satisfies California Age-Appropriate Design Code Act (effective July 2024) and similar state children-online-privacy statutes, and surfaces into the operator customer graph for downstream agent consumption. Without an orchestration layer above the CDP + analytics + event-streaming + graph-database vendors, the cross-source identity binding fragments, the per-signal consent-provenance metadata gets lost, the FTC enforcement exposure compounds, the post-cookie-deprecation signal coverage degrades, and the audit trail of "what consent did we have to collect this signal, when, against what privacy-policy version, from which platform" splinters across vendor consoles. The orchestration above the vendors is what holds the cross-source + cross-platform + cross-jurisdiction invariants.
How does Skill 1 Ingest handle per-source consent-provenance verification across 80+ signal types?
Per-source consent-provenance verification operates at the signal-collection moment. The operator consent-management vendor (OneTrust, TrustArc, Ketch, Securiti, BigID, Sourcepoint, Cookiebot, Usercentrics, Didomi, Iubenda — operator chooses) captures the user’s consent state for each consent class (analytics, advertising, personalization, functional, social-share, audience-measurement, behavioral-advertising-cross-context, sensitive-PI categories under CPRA Section 1798.121). When a signal arrives at the operator CDP or server-side tagging layer (Google Tag Manager Server-Side, Stape, Adobe Launch Server-Side, Segment Connections, Rudderstack), the orchestration layer joins the signal with the consent state at collection time and writes the join into the canonical signal record. Server-side tagging is critical here because client-side tagging is increasingly blocked by browser-side tracking prevention (Apple WebKit ITP capping first-party-cookie lifetime, Firefox ETP blocking known trackers, Safari fingerprint randomization). Server-side tagging routes signals through operator-controlled infrastructure where the operator counsel can verify consent + apply per-jurisdiction signal-suppression policy + apply per-platform cookie-policy compliance + apply per-vertical signal-suppression (HIPAA when healthcare-vertical, no PHI without authorization; Washington My Health My Data Act when health-data; financial-services FCRA + GLBA exposures). The orchestration layer maintains an operator-counsel-approved per-source per-signal-type consent-policy matrix that defines: which signals require which consent classes; which signals are auto-suppressed in which jurisdictions; which signals require sensitive-PI opt-out checks under CPRA Section 1798.121; which signals require cross-context-behavioral-advertising opt-out checks under CCPA Section 1798.140(ae); which signals can never be ingested for under-13 audiences under COPPA + California AADC + Connecticut SB 3 + DSA Article 28. Per-signal Ingest decisions log to the WORM audit trail with operator privacy-policy-version + consent-management-vendor session ID + per-source consent-state + per-jurisdiction-applicable-statute + per-platform-cookie-policy-version + attestor for FTC + EU DPA + state-AG discovery survival.
How does the post-cookie-deprecation environment (WebKit ITP + Firefox ETP + Google Privacy Sandbox + Safari fingerprint randomization) change Ingest design?
Browser-side tracking prevention has been accelerating since 2020. Apple WebKit Intelligent Tracking Prevention (ITP) caps first-party cookie lifetime to 7 days for cookies set via JavaScript document.cookie, blocks third-party cookies by default, and applies CNAME cloaking detection. Firefox Enhanced Tracking Protection (ETP) blocks known trackers via the Disconnect.me list. Safari adds fingerprint randomization and a privacy-preserving advertisement-attribution model. Google Privacy Sandbox introduced Topics API + Protected Audience API (formerly FLEDGE) + Attribution Reporting API + Related Website Sets to replace third-party cookies on Chrome (though Google reversed the unilateral phaseout decision in 2024, keeping third-party cookies available with user choice). The orchestration response: shift identity collection from client-side cookies to operator-controlled server-side identity. Server-side tagging (Google Tag Manager Server-Side, Stape, Adobe Launch Server-Side, Segment Connections, Rudderstack server-side) routes signals through operator-controlled infrastructure with operator-controlled identity tokens. The deterministic + probabilistic identity resolution sibling skill (covered separately) binds signals to canonical identity via hashed email + hashed phone + hashed device fingerprint + hashed loyalty ID where consent permits. Browser-side signals carry shorter lifetime + lower confidence; server-side signals carry operator-controlled lifetime + higher confidence. The Ingest skill tags each signal with collection-method metadata (client-side vs server-side, browser-blocked vs delivered, ITP/ETP-affected vs not) so downstream skills can weight signal reliability appropriately. The orchestration also subscribes to per-browser tracking-prevention update feeds (Apple ITP release notes, Mozilla Firefox release notes, Chrome Privacy Sandbox status, Safari release notes) so per-platform-cookie-policy compliance stays current.
What compliance does the per-event gate enforce, and how does it map to GDPR Article 6/9/13/14/22/30 + EU AI Act + ePrivacy, CCPA/CPRA + state-patchwork + Maryland + Washington MHMDA, FTC behavioral-surveillance enforcement, per-platform cookie policy + Privacy Sandbox + ITP/ETP, and COPPA + California AADC + state children-online-privacy?
Five anchors. Anchor 1: GDPR (Regulation 2016/679) Articles 6 lawful basis + 9 special categories + 13 information at collection + 14 information when data not from data subject + 22 right not to be subject to solely automated decisionmaking + 30 records of processing + ePrivacy Directive 2002/58/EC for cookie-derived signals + EU AI Act (Regulation 2024/1689) Articles 9 risk management + 10 data quality + 11 technical documentation + 13 transparency + 14 human oversight + 15 accuracy/robustness/cybersecurity + Annex III high-risk-AI obligations when behavioral signals feed into employment + credit + insurance + essential-services scoring + Article 50 generative-AI marking where AI-generated content surfaces. The gate enforces per-signal Article 6 lawful basis attestation + per-signal Article 9 special-category check + per-signal Article 13/14 information provision + per-signal Article 22 automated-decisionmaking gate + per-signal Article 30 records-of-processing entry. EU AI Act Annex III applies when behavioral signals feed eligibility scoring; high-risk obligations attach. Anchor 2: CCPA/CPRA + state-comprehensive-privacy patchwork. CCPA Section 1798.120 right to opt out of sale/sharing + Section 1798.121 sensitive PI opt-out (geolocation + biometric + health + sex life + race + religion + political opinion + union membership + immigration status) + Section 1798.140(ae) cross-context-behavioral-advertising opt-out + state-comprehensive-privacy patchwork sensitive-PI definitions (Connecticut CTDPA + Texas DPSA + Virginia CDPA + Colorado CPA + Utah CPA + Oregon + Tennessee + Montana + Indiana + Iowa + Florida + Delaware) + Maryland Online Data Privacy Act + Washington My Health My Data Act (effective April 2024) — the Washington statute is especially significant because it broadens health-data protection beyond HIPAA-covered entities to non-covered operators handling consumer health information with attorney general enforcement + private right of action. The gate enforces per-jurisdiction sensitive-PI opt-out + cross-context-behavioral-advertising opt-out + Washington MHMDA consumer health information protection + state-AG-applicable definitions. Anchor 3: FTC Section 5 unfair-behavioral-surveillance enforcement. The 2023-2024 FTC enforcement wave establishes operator-side compliance expectations: FTC v BetterHelp 2023 (telehealth-data sharing with Meta + Snap settled at $7.8M), FTC v GoodRx 2023 (health-data sharing with Meta + Google settled at $1.5M), FTC v Premom 2023 (fertility-app data sharing with Chinese firms settled at $200k), FTC v X-Mode/Outlogic January 2024 (sensitive-location data sale settled with prohibition), FTC v Avast 2024 (browsing-data sale settled at $16.5M), FTC v Cerebral 2024 (telehealth-data sharing settled). Massachusetts AG v X-Mode 2024 reinforces state-AG scrutiny. The gate enforces per-vendor consent-provenance attestation (shared library with continuous foot-traffic ingestion + multi-source lead ingestion sibling skills) and refuses to ingest signals from sources whose consent-provenance fails operator-counsel review against FTC enforcement standard. Anchor 4: Per-platform community guidelines + per-platform cookie policy + Browser Privacy Sandbox (Google) + WebKit Intelligent Tracking Prevention (Apple) + Firefox Enhanced Tracking Protection + Safari fingerprint randomization + ePrivacy Directive 2002/58/EC cookie consent. The orchestration layer composes with per-platform-cookie-policy library + per-browser-tracking-prevention update feeds + ePrivacy cookie-consent requirement when EU users present. Server-side tagging through Google Tag Manager Server-Side + Stape + Adobe Launch Server-Side + Segment Connections + Rudderstack server-side routes signals through operator-controlled infrastructure where consent + per-jurisdiction-policy + per-platform-cookie-policy can be verified consistently. Anchor 5: COPPA (15 USC 6501) + California Age-Appropriate Design Code Act (effective July 2024) + Connecticut SB 3 + DSA Article 28 child protection + state children-online-privacy patchwork. When behavioral signals touch under-13 audiences (or mixed audiences where under-13 cannot be excluded), COPPA-compliant data minimization + verifiable parental consent + no behavioral-advertising hooks + restricted data-collection-prompt language apply. California AADC adds default-private design + no dark patterns + age-appropriate content + impact-assessment obligations. The gate refuses to ingest behavioral signals from under-13-attributed sessions without COPPA-compliant consent path + California AADC compliance. Broader gate also enforced: HIPAA + HITECH + FTC Health Breach Notification Rule (16 CFR Part 318) when health-related behavioral signals + PCI DSS 4.0 + GLBA Safeguards Rule + FCRA + state Wiretap + Federal Wiretap when signals derived from communications via policy-as-code (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso). WORM audit trail (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel) with per-statute retention (GDPR 6yr + CCPA 3yr + Washington MHMDA 6yr + FTC 7yr + HIPAA 6yr + FCRA 5yr + GLBA 6yr + IRS 7yr + per-state + per-platform variable) per operator counsel policy.
What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?
Tier 1 AI Readiness Assessment (2-3 weeks, diagnostic): audits the operator current behavioral signal ingestion posture against the 3-skill bundle + 5-anchor compliance gate + post-cookie-deprecation server-side coverage; deliverable is a gap-pack report identifying which sources lack consent-provenance attestation, which jurisdictions have unenforced sensitive-PI opt-out + cross-context-behavioral-advertising opt-out + Washington MHMDA + AADC, which FTC-enforcement-style exposures exist, which signals are over-collected vs the operator-counsel-approved minimization policy, which post-cookie-deprecation gaps (ITP-blocked, ETP-blocked, Privacy Sandbox-affected) need server-side rerouting, and a recommended remediation sequence for Tier 2. Tier 2 AI Swarm Setup Sprint (4-8 weeks): builds the 3-skill bundle on the customer-graph agent, wires CDP (operator-chosen Segment + mParticle + Rudderstack + Snowplow + Tealium + Treasure Data + Adobe Real-Time CDP + ActionIQ + Amperity + BlueConic + Lytics + Optimove), analytics (operator-chosen GA4 + Adobe Analytics + Mixpanel + Amplitude + Heap + Pendo + Posthog), event streaming, server-side tagging (operator-chosen GTM Server-Side + Stape + Adobe Launch Server-Side), graph database (operator-chosen Neo4j + Amazon Neptune + ArangoDB + TigerGraph + Memgraph + Dgraph + RedisGraph), reverse-ETL, consent-management (operator-chosen OneTrust + TrustArc + Ketch + Securiti + BigID + Sourcepoint + Cookiebot + Usercentrics + Didomi + Iubenda), configures per-source consent-policy matrix + per-jurisdiction sensitive-PI + cross-context-behavioral-advertising opt-out + Washington MHMDA + AADC, wires deterministic + probabilistic identity resolution sibling skill composition, wires policy-as-code + WORM-storage, runs 30-day shadow + canary period before flipping to enforce-mode. Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded): continues operating with daily per-source consent-provenance audits, weekly per-jurisdiction sensitive-PI policy reviews, monthly per-platform-cookie-policy refresh against tracking-prevention update feeds, quarterly Washington MHMDA + AADC compliance audits, quarterly FTC-enforcement-style risk reviews with operator counsel. Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-source signal-coverage trend + per-jurisdiction sensitive-PI opt-out enforcement + per-platform server-side-vs-client-side delivery ratio + per-vendor consent-provenance freshness + customer-graph emission completeness + WORM audit-trail completeness) measured against the operator’s pre-engagement baseline. Each workstream surfaces trend direction and the gap to operator-defined targets. Reporting carries explicit caveats: CDP + analytics + graph-database vendor SLA + per-platform tracking-prevention updates (Apple ITP + Firefox ETP + Safari + Chrome Privacy Sandbox release cycles) + Google Privacy Sandbox roadmap changes + per-state-comprehensive-privacy statute amendments + Washington MHMDA implementing guidance + California AADC implementing guidance + EU AI Act implementing regulation + FTC enforcement settlements + state-AG enforcement signals + DSA Article 28 implementing guidance sit outside Completions control. Attorney-client privilege preservation across per-source consent-policy matrix + per-jurisdiction sensitive-PI policy + Washington MHMDA classification + per-vendor consent-provenance attestation library + AADC compliance evidence + per-platform cookie-policy library is maintained per operator counsel policy.
Who owns the CDP + analytics + graph-database relationships, the consent-policy matrix, the signal taxonomy, and the audit trail?
Operator owns every artifact. The CDP subscriptions (Segment + mParticle + Rudderstack + Snowplow + Tealium + Treasure Data + Adobe Real-Time CDP + ActionIQ + Amperity + BlueConic + Lytics + Optimove — operator chooses) all run under operator billing on operator-controlled accounts. The analytics subscriptions (GA4 + Adobe Analytics + Mixpanel + Amplitude + Heap + Pendo + Posthog + Plausible + Fathom + Matomo — operator chooses) run under operator account. The event-streaming infrastructure (Apache Kafka + Confluent Cloud + AWS Kinesis + Google Pub/Sub + Azure Event Hubs + AWS EventBridge + Apache Pulsar — operator chooses, shared with customer-change-event-emission + master-record-sync sibling skills) runs under operator cloud. The server-side tagging infrastructure (Google Tag Manager Server-Side + Stape + Adobe Launch Server-Side + Segment Connections + Rudderstack server-side — operator chooses) runs under operator infrastructure. The graph database (Neo4j + ArangoDB + TigerGraph + JanusGraph + Amazon Neptune + Memgraph + Dgraph + RedisGraph — operator chooses, shared with deterministic-probabilistic-identity-resolution sibling skill) runs under operator cloud. The reverse-ETL subscriptions (Hightouch + Census + Polytomic + RudderStack Reverse ETL) run under operator billing. The consent-management vendor (OneTrust + TrustArc + Ketch + Securiti + BigID + Sourcepoint + Cookiebot + Usercentrics + Didomi + Iubenda — operator chooses) runs under operator account. The operator-counsel-and-data-team-approved canonical 80+ signal taxonomy + per-source consent-policy matrix + per-jurisdiction sensitive-PI policy + Washington MHMDA classification + per-platform cookie-policy library + per-vendor consent-provenance attestation library + AADC compliance evidence live in operator code repo + counsel repo. The Ingest + Resolve + Emit code lives in operator code repo. The WORM audit trail lives on operator-controlled cloud storage (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel). The policy-as-code policies (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso) live in operator code repo, counsel-aligned. The GDPR Article 30 records of processing + per-jurisdiction sensitive-PI opt-out register + Washington MHMDA + AADC compliance records + FTC-enforcement-style risk-review records are all operator-counsel-maintained. Completions owns the orchestration knowledge — how to design the canonical signal taxonomy for the operator’s actual channel + vertical + platform mix, how to wire per-source consent-provenance through the operator consent-management vendor, how to compose with the deterministic-probabilistic-identity-resolution sibling skill, how to design server-side tagging routing against post-cookie-deprecation environment, how to enforce Washington MHMDA + AADC + state-patchwork sensitive-PI + cross-context-behavioral-advertising opt-out, how to operationalize FTC-enforcement-style risk review with operator counsel — and that knowledge transfers under the Tier 3 transition path (30-60 days at engagement end with full hand-off of the signal taxonomy, the consent-policy matrix, the server-side tagging configuration, the customer-graph emission code, and the compliance evidence-package generation playbook). Completions credentials revoke on engagement-end.
Engage Completions
Start with the AI Readiness Assessment (Tier 1, 2-3 weeks): audit of current behavioral signal ingestion posture against the 3-skill bundle + 5-anchor compliance gate + post-cookie-deprecation server-side coverage. Hand off to Tier 2 AI Swarm Setup Sprint (4-8 weeks): build the 3-skill bundle on the customer-graph agent, wire CDP + analytics + event streaming + server-side tagging + graph database + reverse-ETL + consent management + policy-as-code + WORM-storage, configure per-source consent-policy matrix + per-jurisdiction sensitive-PI + cross-context-behavioral- advertising opt-out + Washington MHMDA + AADC, run 30-day shadow + canary before flipping to enforce-mode. Continue under Tier 3 Fractional CMO with AI Swarm (6- month minimum, 1-2 days/wk embedded).
Related reading
- Done-for-you deterministic + probabilistic identity resolution (sibling architecture — the canonical identity binding the Resolve step composes with)
- Done-for-you customer change event emission (sibling architecture — shares the event broker; propagates customer- level changes downstream)
- Fractional CMO with AI Swarm (Tier 3 engagement that operates the behavioral signal ingestion cycle)