General Data Protection Regulation (GDPR) Overview

Apollo's Privacy Policy provides notice of what data Apollo collects and how it processes that data. Apollo also sends a privacy notice to individuals located in certain jurisdictions, including the UK, EU, and Switzerland. Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.

Apollo's terms of service, including the Data Processing Addendum incorporated by reference therein, set forth to its customers Apollo’s responsibilities as both a data processor and data controller when providing services to its customers.

Apollo is committed to maintaining a high bar of security and has achieved a SOC 2 and ISO 27001 security accreditation report. These accreditations evaluate Apollo controls, relevant to data security, availability, and confidentiality. Additionally, Apollo is certified under the EU, UK, and Swiss Data Privacy Frameworks.

Apollo has implemented advanced data controls, including the technical and organizational measures described in Exhibit 2 of our DPA. The Apollo team regularly tests its product to fix any potential problems and maintains the industry’s highest standards in information security.

Apollo follows data incident response processes. It has built comprehensive processes to supplement data recovery and integrity to help any customers whose data is lost or unintentionally corrupted. Apollo also continuously revisits and tests its effectiveness in data-incident responses every year to ensure your data safety and security.

To learn more about Apollo’s data privacy and security controls, please visit Apollo's trust center.

Like all providers in the industry, Apollo processes the business contact data in its database on a legitimate interests basis. Apollo has worked with outside counsel and its external DPO to conduct a legitimate interest assessment to ensure the legitimate interests of Apollo and its customers are not overridden by the interests of the data subjects whose business contact information is included in its database.

Additionally, Apollo provides all EU, UK, or Swiss residents with a data collection notice informing them that it has obtained their data and how they can opt out.

However, what a customer does with the data they obtain from Apollo is ultimately under the customer’s control. Depending on the customer’s intended use and relationship with the contact, the customer is responsible for providing any additional notices required by applicable law or obtaining any additional consent. For example, if double opt-in for email marketing listserves with net new contacts is required.

In Apollo’s privacy center, Apollo affords all individuals a right to access the data Apollo holds about them and the ability to be deleted from Apollo’s database. For any individual who has opted out of its database, Apollo includes their information on a "suppression list" to ensure that they are not inadvertently added back to the database in the future.

You can automatically remove all EU-located individuals from your prospecting, emailing, and email tracking activities in the Apollo platform. These compliance settings function on an app-wide basis to ensure that no users accidentally contact a prospect in the EU. However, Apollo does not currently apply these safeguard controls from the Apollo Chrome Extension. Please use caution and double-check a prospect's location on LinkedIn when prospecting from the extension.

Apollo also lets you individually manage your GDPR compliance by allowing you to:

• Delete a saved contact upon receiving an EU data subject request.
• Send a data subject a report of all their personal data with a CSV export.
• Update a data subject’s personal data across all systems with a CRM sync.
• Control access to users’ data with governance profiles.

If you use Apollo to engage in email prospecting with EU residents, you must give people the option to opt out of any future messages. Apollo allows you to include opt-out links within your emails in the Apollo engagement platform.

Apollo offers screening against Do Not Call (DNC) lists in the US and UK. When admin users turn on the Do Not Call toggle and request a new direct dial, Apollo displays the Do Not Call tag for any numbers on the Federal Do Not Call list or UK Telephone Preference Service (TPS). Apollo is working hard to expand this functionality to more EU member countries in the future.

Apollo’s terms of service include its data processing addendum, which sets forth Apollo’s responsibilities as both a data processor and a data controller under GDPR and other privacy laws.

Beyond the measures above, Apollo undertakes the following actions to maintain compliance with GDPR:

• Working with its legal counsel (and when requested, those of its customers) to ensure full preparation and compliance with GDPR.
• Evaluating new and existing functionality within its platform to ensure compliance.
• Crafting internal workflows to quickly and thoroughly complete data subject requests.
• Updating contact information and notices so data subjects and customer data controllers may contact Apollo if necessary.
• Obtaining and providing resources and documentation necessary for ongoing compliance.
• Evaluating customer contracts where necessary to ensure a path for legal compliance and to clearly detail Apollo's own responsibilities to avoid any possible confusion.