// Trust & Security Report

    Apollo.io (ZenLeads, Inc.) logo

    Apollo.io (ZenLeads, Inc.)

    AI-powered B2B sales platform with outbound prospecting, inbound lead capture, data enrichment, and deal execution automation. Serves 600K+ companies.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 Report (Security, Availability, Confidentiality) validated by independent auditors. Certified by A-LIGN, a leading third-party cybersecurity firm.

    Verify on trust.apollo.io
    ISO/IEC 27001
    HELD

    ISO 27001 Recertification reflects our commitment to protecting your data through comprehensive security practices. Certified by A-LIGN.

    Verify on trust.apollo.io
    GDPR
    HELD

    GDPR Compliant. Apollo operates as both Data Processor and Data Controller with comprehensive DPA and compliance obligations.

    Verify on apollo.io
    CCPA
    HELD

    CCPA Compliant as listed on Trust Center. Users can submit opt-out requests and data access requests via Privacy Center.

    Verify on trust.apollo.io
    CPRA
    HELD

    CPRA Compliant as listed on Trust Center. California residents have additional privacy rights supported.

    Verify on trust.apollo.io
    EU-US Data Privacy Framework
    HELD

    EU-US DPF Certified as listed on Trust Center. Apollo relies on Data Privacy Framework and Standard Contractual Clauses for lawful cross-border data transfers to the United States.

    Verify on trust.apollo.io
    CASA Tier 2
    HELD

    CASA Tier 2 audit completed. Cloud Application Security Assessment validates stringent security, privacy, and risk management controls.

    Verify on trust.apollo.io
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No evidence found on Apollo's trust center, security pages, or privacy documentation. Not advertised as a compliance capability.

    source: trust.apollo.io
    PCI DSS
    NOT CONFIRMED

    Mentioned on homepage marketing materials but absent from official Trust Center and Security pages. No independent verification of PCI DSS certification found.

    source: apollo.io

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (service and website hosted in US; exact data center locations not disclosed)

    Apollo explicitly trains AI models on customer data and Service Information. Privacy policy states: 'Apollo may use Service Information and business contact data as inputs to both internally developed models and third-party AI providers.' Users have the right to opt-out of such processing. Additionally, Apollo grants itself 'an irrevocable, perpetual, worldwide, transferable, sublicensable, and royalty-free license to analyze Customer Data using artificial intelligence to improve the Platform.'

    // Security controls

    Encryption in transit

    AES encryption over public networks using TLS/SSL protocols

    apollo.io

    Encryption at rest

    AES encryption for idle data in databases with multi-layer protection

    apollo.io

    Database security

    Multi-layer protection including encrypted passwords, two-factor authentication, intrusion detection systems, and VPC with strict firewall settings

    apollo.io

    Penetration testing

    Annual network and graybox application penetration tests by certified third-party consultants

    apollo.io

    Audit frequency

    Quarterly audits covering access control, risk, information security, IT infrastructure, and HR procedures

    apollo.io

    Incident notification

    Customers notified of security incidents without undue delay, within 72 hours per GDPR requirements

    apollo.io

    Data recovery

    Regular backups with maximum 24-hour RTO and RPO (Recovery Time/Point Objectives)

    apollo.io

    Integration security

    OAuth2 used for SaaS integrations; credentials are not retained by Apollo

    apollo.io

    Subprocessor management

    Apollo publishes authorized subprocessors at trust.apollo.io, provides 30-day notice before adding new subprocessors, and grants customers termination rights if they reasonably object

    apollo.io

    // Products & data scope

    Apollo Sales PlatformSales engagement, prospecting, lead enrichment, deal management

    data: Business contact data, company profiles, email addresses, phone numbers, employee information, customer emails and contact lists (via inbox scanning)

    Core product serving 600K+ companies. Multi-channel campaigns, email deliverability, workflow automation, AI-powered deal insights, conversation intelligence, and CRM integrations (Salesforce, HubSpot, etc.).

    Apollo DataB2B data enrichment

    data: Millions of verified B2B contacts, company profiles, updated contact information

    Apollo's proprietary data network enriches and cleanses customer records with fresh, accurate contact data.

    Apollo MCPTool integration

    data: Model Context Protocol server exposing Apollo's lead search, contact enrichment, and CRM data to AI assistants

    Remote MCP server (mcp.apollo.io) reachable by any MCP-compatible client (Claude, ChatGPT, Cursor, and others) over OAuth. Not tied to a single vendor's environment.

    // What to watch

    • PCI DSS: Listed on homepage marketing materials but NOT on official Trust Center or Security documentation—potential over-claim on marketing homepage. Apollo does not process payment card data, suggesting PCI DSS may not be relevant or properly verified.
    • AI Training: Apollo trains models on customer data using 'irrevocable, perpetual, worldwide, transferable, sublicensable, and royalty-free license' language. Opt-out available but default behavior is to train. This is a significant data practice that should be clearly disclosed to users.
    • Data Sharing: Customer data is added to Apollo's Contributor Database and shared with other Apollo customers for data enrichment purposes. Users' own contacts may appear in other companies' searches.
    • Non-compete clause: Terms prohibit using Apollo's services to train competing products, which is a standard but restrictive clause.
    • Non-refundable: All subscriptions are non-cancelable during term and non-refundable per Terms of Service.

    // At a glance

    Pricing model

    Subscription-based with free tier and paid plans; enterprise available upon request

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Apollo.io (ZenLeads, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.apollo.io

    > Browse all vendor trust reports