How This Briefing Works
This report opens with key findings, then maps the gaps between what Apollo.io discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
44 detections across 28 sites73% pre-consent activity1 critical disclosure gap
CRITICAL
Processor Disclosure
21+ pre-consent vendors detected including LiveIntent, Bidvertiser, CHEQ, Clarity, HubSpot, Intercom
GDPR Article 28GDPR Article 13CCPA 1798.100
CRITICAL
Pre-Consent Activity
Apollo.io was observed loading and executing before user consent was obtained on 73% of sites where it was detected.
GDPRePrivacy
HIGH
Pre-Consent Tracking
72.7% pre-consent tracking rate detected across deployments
GDPR Article 6ePrivacy Directive Article 5(3)
HIGH
Ad Exchange Presence
Deploys consumer ad tech (LiveIntent, Bidvertiser, Criteo, DoubleClick) suggesting data monetization
CCPA 1798.140(ad)GDPR Article 5(1)(b)
HIGH
Undisclosed Party
Not in privacy policy
Disclosure Gaps
Claims vs. Observed Behavior
4 gaps
1 CRIT2 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X05BTI-X08BTI-X12
Processor Disclosure
GDPR Article 28 · GDPR Article 13 · CCPA 1798.100CRITICAL
They Claim
“Privacy policy names only Meta and Google as third parties”
Observed Behavior
21+ pre-consent vendors detected including LiveIntent, Bidvertiser, CHEQ, Clarity, HubSpot, Intercom
Runtime scan of apollo.io vs privacy policy text
Pre-Consent Tracking
GDPR Article 6 · ePrivacy Directive Article 5(3)HIGH
They Claim
“GDPR and CCPA compliance claimed on trust center”
Observed Behavior
72.7% pre-consent tracking rate detected across deployments
intel_detections analysis shows 32 of 44 detections fire pre-consent
Ad Exchange Presence
CCPA 1798.140(ad) · GDPR Article 5(1)(b)HIGH
They Claim
“B2B sales intelligence platform”
Observed Behavior
Deploys consumer ad tech (LiveIntent, Bidvertiser, Criteo, DoubleClick) suggesting data monetization
Vendor detection on apollo.io shows ad exchange JavaScript
Security Documentation
SOC 2 Trust Services CriteriaMEDIUM
They Claim
“SOC 2 Type II certified”
Observed Behavior
Report access gated behind security review process
trust.apollo.io shows SOC 2 as Private
Customer Impact
What This Means For You
YOUR sales intelligence data processed through Apollo flows through a platform that fires 72.7% of its vendors before consent. YOUR prospect lists, email sequences, and outreach patterns constitute competitive intelligence accessible to a platform running ad exchanges on its own site. YOUR compliance stack citing Apollo's SOC2 and ISO 27001 certifications overlooks that 21+ vendors fire pre-consent — certification scope may not cover website third-party practices. YOUR privacy policy likely names only Meta and Google as Apollo's third parties while 21+ others operate undisclosed.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use Apollo.io
- →Audit your consent implementation — Apollo scripts show 72.7% pre-consent fire rate on their own site
- →Review your privacy policy — ensure Apollo and its 21+ undisclosed sub-vendors are listed
- →Request Apollo SOC2 report and independently verify vendor management controls
- →Monitor for data enrichment — Apollo B2B intelligence may be enriched with your outreach patterns
If You're Evaluating Apollo.io
- →Request complete subprocessor list and compare against 21+ detected vendors before signing
- →Verify SOC2 and ISO 27001 certification scopes cover third-party vendor management
- →Compare with ZoomInfo and Lusha on vendor disclosure transparency and pre-consent behavior
- →Negotiate contractual restrictions on competitive intelligence derived from your prospect data
Negotiation Leverage
- →72.7% pre-consent rate: Nearly three-quarters of vendors fire before consent — use this to negotiate consent architecture guarantees and contractual termination rights for compliance failures
- →21+ undisclosed vendors: Only Meta and Google named while LiveIntent, Bidvertiser, CHEQ, Clarity, HubSpot, and Intercom also detected — require complete disclosure as a contract condition
- →Ad exchange presence: LiveIntent, Bidvertiser, and Criteo on apollo.io suggest advertising revenue from visitor data — negotiate restrictions on advertising derived from your usage data
- →SOC2/ISO scope: Multiple certifications yet 72.7% pre-consent rate — request reports and verify third-party vendor management is within certification scope
Runtime Detections
Runtime Detections
8 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C07Session Recording
Full session replay
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
BTI-C13Persistence Mechanisms
Long-lived identifiers
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
208 INDICATORS
Indicators of compromise across 7 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*app.apollo.io/listener/dwn_profiling.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/*-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/webpack-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/main-app-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/906-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/%5Blocale%5D/(homepage)/page-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/global-error-*-1.js*
Tracking script
TRACK
*www.apollo.io/.netlify/scripts/rum*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/not-found-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/layout-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/448-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/*.*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/privacy-policy/(main-privacy-policy)/page-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/terms/(main-tos)/page-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/terms/layout-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/304-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/(solutions)/solutions/inbound-lead-conversion/page-*-1.js*
Tracking script
EXFIL
*www.apollo.io/_next/static/chunks/app/(solutions)/solutions/b2b-data-enrichment/page-*-1.js*
Data collection endpoint
TRACK
*www.apollo.io/_next/static/chunks/app/(solutions)/solutions/outbound-sales-software/page-*-1.js*
Tracking script
TRACK
*www.apollo.io/_next/static/chunks/app/(solutions)/solutions/sales-execution-software/page-*-1.js*
Tracking script
TRACK
assets.apollo.io
Tracking script
TRACK
tracker.iife.js
Tracking script
TRACK
www.apollo.io/_next/static/chunks/webpack-6824d623f28cd478-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/fd9d1056-da8e1c006b9410b3-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4895-9594db05689652d0-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/main-app-66f820fd8fb49658-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/global-error-700e23e6108df61f-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4080-d373ee4943d791fb-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3335-10ca05152367928b-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3968-b15d02ce0282bf76-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3464-69446c47af5fd247-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/1178-e9847a147bb803e7-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/8858-16750163e8e9663f-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2637-0775f1030b62c50f-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/layout-d75a9763b9a901dc-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/7648-0f5860082377eb73-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/5878-0a2e4c9ea9287ba0-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4827-247fbf43a581bc8b-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4061-a5d8c5a8ab2caeae-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/1239-d5289f7d95916ab2-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/8990-0354cdf933be7c9a-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/5353-35dd3aeef135e888-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/6430-0b0bc6d244d0eb38-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/448-613490138fb2f0ae-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/8026-fa03bc0de2e0f0c4-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/7009-5889873ea772a5a5-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/7966-18fd6a402a0bde95-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/not-found-1f8aac3472a37355-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2947-0ca19c0281ea705a-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2694-2d296190205f0407-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2826-984d7bdda621359d-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/9314-eb7e36c1ee536dc5-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3138-c81272b87cc16aaf-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3786-258bfa00a45d2028-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3507-e8cad566c57c1b61-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/1184-7192bdb5f7ad4565-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2378-d4953a38c3eaea6d-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/8281-fbc356802d3f0168-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/906-362f8445600a9e94-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/1247-eb985d2441a3834a-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/1780-162392cbe55c22df-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/%5Blocale%5D/(homepage)/page-0b16a024219f787f-1.js
Auto-extracted from scan
TRACK
app.apollo.io/listener/dwn_profiling.js
Auto-extracted from scan
TRACK
www.apollo.io/.netlify/scripts/rum
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/8627a13e.01eb617a0c6218b5-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4139-05862b8bee8cd9e1-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2415-0e79ff5474422216-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3311-fbe591c47716dbf1-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/7826-05a16f37b0c5bfb4-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/privacy-policy/(main-privacy-policy)/page-78dbf7739c591953-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4066-244b7c434b2c2c37-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/terms/(main-tos)/page-dd393fa2875b1db1-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/terms/layout-f40214574bb9c268-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/304-ed2e69885d9e1136-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/8604-08aa8fb7eba14a60-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4323-c5743d9e0102c626-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/3987-b0fcda239f6d6764-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/2417-5cbbad23deef69e4-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/4246-bfcce33a292f5697-1.js
Auto-extracted from scan
EXFIL
www.apollo.io/_next/static/chunks/app/(solutions)/solutions/b2b-data-enrichment/page-c84d6cd2bd3acb65-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/(solutions)/solutions/inbound-lead-conversion/page-6a3317cefe2a7852-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/(solutions)/solutions/outbound-sales-software/page-24d7a56c68c2cd22-1.js
Auto-extracted from scan
TRACK
www.apollo.io/_next/static/chunks/app/(solutions)/solutions/sales-execution-software/page-d61677fe8d53654d-1.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Apollo.io operates as a major B2B sales intelligence provider with 210M+ contacts database. Their JavaScript is detected on 28 sites in our corpus, loading via direct script tag 72.7% of the time before consent. On their own website, Apollo deploys an extensive surveillance stack: HubSpot and Intercom for engagement, Amplitude and Clarity for analytics, LiveIntent ID Exchange for identity resolution, and multiple ad platforms (Criteo, Bidvertiser, DoubleClick, Meta Pixel, LinkedIn Ads, Google Ads). They are loaded by: GTM deployments, direct script includes. They load: identity resolution services, ad exchanges, session replay tools. Supply chain position: Mid-tier data aggregator that both consumes and produces identity data.
Loads (6)
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
229 detection signatures across scripts, domains, cookies, and network endpoints