Apollo.io

Apollo.io deploys 42 third-party vendors on its own site, roughly 25 of them firing before consent — including identity-resolution and session-replay tools — while holding SOC 2, ISO 27001, and GDPR certifications. Its privacy policy names one of those 42.

59 IOCs · 62 detections · 69% pre-consent · 39 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Apollo.io discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

62 detections across 39 sites · 69% pre-consent activity · 2 critical disclosure gaps
CRITICAL

Pre-Consent Tracking

Roughly 25 of 42 third-party vendors fire before consent on apollo.io

GDPR Art. 6 · ePrivacy Directive Art. 5(3)
CRITICAL

Processor Disclosure

42 third-party vendors observed, including LiveIntent, Bidvertiser, CHEQ, Microsoft Clarity, Hotjar, FullContact and Vector

GDPR Art. 13 · GDPR Art. 14
CRITICAL

Pre-Consent Activity

Apollo.io was observed loading and executing before user consent was obtained on 69% of sites where it was detected.

GDPR · ePrivacy
HIGH

Data Sourcing

Apollo's own privacy policy identifies it as a registered data broker and states that it sources information from third-party data providers, public sources, public APIs and the internet

CCPA 1798.99.80
HIGH

Assurance Gap

SOC 2 report gated behind a request process at trust.apollo.io; audit scope not independently verifiable

SOC 2 Trust Services Criteria

Disclosure Gaps

Claims vs. Observed Behavior

5 gaps
2 CRIT · 2 HIGH · 1 MED
Classified: BTI-X01, BTI-X02, BTI-X05, BTI-X08, BTI-X12

Processor Disclosure

GDPR Art. 13 · GDPR Art. 14
CRITICAL
They Claim

Privacy policy names Meta as a third party; Google is named only by way of the API disclosure

Observed Behavior

42 third-party vendors observed, including LiveIntent, Bidvertiser, CHEQ, Microsoft Clarity, Hotjar, FullContact and Vector

intel_detections for SCAN-1779381299756 vs apollo.io/privacy-policy

Data Sourcing

CCPA 1798.99.80
HIGH
They Claim

Public positioning frames Apollo as owning proprietary, continuously refreshed data rather than aggregating it

Observed Behavior

Apollo's own privacy policy identifies it as a registered data broker and states that it sources information from third-party data providers, public sources, public APIs and the internet

apollo.io/privacy-policy, Section 1

Assurance Gap

SOC 2 Trust Services Criteria
HIGH
They Claim

SOC 2 and ISO 27001 certified by A-LIGN

Observed Behavior

SOC 2 report gated behind a request process at trust.apollo.io; audit scope not independently verifiable

apollo.io/product/security; trust.apollo.io

Scope

GDPR Art. 5(1)(b)
MEDIUM
They Claim

Marketed as a sales-engagement and intelligence platform

Observed Behavior

Operates identity resolution, session replay and a Website Visitor Identification de-anonymization product

apollo.io product pages; runtime scan

Customer Impact

What This Means For You

If Apollo's website-visitor pixel is deployed on your site, you are the controller for the visitor identification and enrichment it performs; that processing falls under GDPR Art. 6 (lawful basis), Art. 13-14 (transparency to data subjects) and ePrivacy Directive Art. 5(3) (storing and reading information on the visitor's device). Apollo's SOC 2 and ISO 27001 certifications cover Apollo's own operations and do not extend compliance coverage to your deployment; because the SOC 2 report is gated behind a request process, its audit scope cannot be independently verified. Separately, contacts and customer data submitted to Apollo feed its Contributory Database and are made available to other Apollo customers, so prospect lists enriched through Apollo become a shared asset.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Apollo.io

  • Audit your consent configuration. Roughly 60% of the vendors on Apollo's own site fire before consent, and across the BLACKOUT corpus Apollo's JavaScript loaded before consent on 69% of the sites where it was detected; verify in a live browser that your CMP actually gates the pixel rather than assuming the integration does.
  • Review your privacy policy and confirm Apollo and its sub-vendors are disclosed; Apollo's own policy names only Meta.
  • Request Apollo's SOC 2 report and confirm the audit scope covers client-side JavaScript and the website-visitor pixel.
  • Check whether contacts imported into Apollo are feeding the Contributory Database, and whether your data processing agreement restricts that reuse.

If You're Evaluating Apollo.io

  • Request a complete, named subprocessor list before signing. The public privacy policy names only Meta.
  • Require that SOC 2 and ISO 27001 scope explicitly covers website third-party and client-side practices.
  • Negotiate a carve-out so contacts you contribute are not used to enrich the shared Contributory Database (Apollo Terms of Service Section 8(3)).
  • Compare disclosure transparency and pre-consent behavior against ZoomInfo and Cognism.

Negotiation Leverage

  • Subprocessor disclosure: Apollo's public privacy policy names only Meta while a runtime scan detected 42 third-party vendors on apollo.io. Require a complete named subprocessor list as a contract condition.
  • Contributory Database: Apollo Terms of Service Section 8(3) routes customer-submitted contacts into a database resold to all customers. Negotiate an explicit carve-out for your contributed data.
  • SOC 2 scope: Apollo gates its SOC 2 report behind a request process. Require the full report and confirm the scope covers client-side code and the website-visitor pixel.
  • Pre-consent behavior: roughly 60% of vendors on Apollo's own site fire before consent. Require a consent-gated pixel deployment and a right to independent runtime verification.
  • Data-broker status: Apollo is a registered data broker. Confirm contractual data-handling, deletion and suppression guarantees for data you submit.

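The "consent-gated pixel deployment" asked for above is a loader that refuses to inject the tracker until the CMP reports an affirmative, settled consent state. The following is an added example written for this briefing; it is not Apollo's own install snippet and not BLACKOUT tooling. It assumes an IAB TCF v2-style CMP that exposes `window.__tcfapi('addEventListener', 2, cb)` and that your DPA maps the pixel to TCF purpose 1 (the `REQUIRED_PURPOSES` list is an assumption you should replace with the purposes your legal review settled on); the script URL is the one named in the IOC manifest. The decision logic is separated from the DOM wiring so it can be exercised under Node without a browser.

```javascript
// Added example: consent-gated loader for a third-party pixel.
// Not Apollo's install snippet. Assumes a TCF v2 CMP (hypothetical wiring).

// URL from the IOC manifest in this briefing.
const TRACKER_URL = "https://assets.apollo.io/micro/website-tracker/tracker.iife.js";

// TCF purposes that must be consented before the pixel may load.
// Assumption: purpose 1 (store/access information on a device). Replace
// with the purpose set your DPA actually maps this pixel to.
const REQUIRED_PURPOSES = [1];

// Decide from a TCF-style TCData object whether the tracker may load.
// Only a settled state ("tcloaded" or "useractioncomplete") counts; while
// the CMP UI is still shown, or gdprApplies is undecided, we stay blocked.
function trackerAllowed(tcData) {
  if (!tcData) return false;
  if (tcData.gdprApplies === false) return true; // CMP says GDPR out of scope
  const settled =
    tcData.eventStatus === "tcloaded" ||
    tcData.eventStatus === "useractioncomplete";
  if (!settled) return false;
  const consents = (tcData.purpose && tcData.purpose.consents) || {};
  return REQUIRED_PURPOSES.every((p) => consents[p] === true);
}

// subscribe(cb): registers cb to receive every consent-state update.
// inject(url):   actually adds the script tag.
// Returns a function reporting whether the tracker was injected.
// The loader is idempotent: repeated "allowed" signals never inject twice,
// and a later withdrawal cannot unload a script, so we never pre-load.
function createGatedLoader({ subscribe, inject, allowed = trackerAllowed, url = TRACKER_URL }) {
  let loaded = false;
  subscribe((tcData) => {
    if (loaded) return;
    if (allowed(tcData)) {
      loaded = true;
      inject(url);
    }
  });
  return () => loaded;
}

// Browser wiring (defined only; not executed here). Hypothetical: depends on
// the CMP implementing the TCF v2 __tcfapi addEventListener command.
function installInBrowser() {
  return createGatedLoader({
    subscribe: (cb) =>
      window.__tcfapi("addEventListener", 2, (tcData, success) => {
        if (success) cb(tcData);
      }),
    inject: (src) => {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    },
  });
}

// Stand-alone demonstration with a fake CMP feed (constructed data).
const injected = [];
let emit;
const isLoaded = createGatedLoader({
  subscribe: (cb) => { emit = cb; },
  inject: (src) => injected.push(src),
});
emit({ gdprApplies: true, eventStatus: "cmpuishown", purpose: { consents: {} } });
emit({ gdprApplies: true, eventStatus: "useractioncomplete", purpose: { consents: { 1: true } } });
console.log("loaded:", isLoaded(), "injected:", injected);
```

The point a contract clause cannot capture on its own is the ordering: the script tag must not exist in the page until the CMP has emitted a settled state with the required purposes consented. Anything that pre-loads the tracker "in a paused mode" still produces the pre-consent request BLACKOUT observed on 69% of sites.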
Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 · Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 · Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 · Session Recording

Full session replay

BTI-C08 · Cross-Domain Sync

Identity stitching

BTI-C09 · Consent Bypass

Ignoring CMP signals

BTI-C10 · Fingerprinting

Device identification

BTI-C13 · Persistence Mechanisms

Long-lived identifiers

BTI-C15 · Tag Manager

Container/loader (neutral)

IOC Manifest

38 INDICATORS

Indicators of compromise across 7 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Category  Indicator                                                Description
TRACK     *apollo*.js                                              Tracking script
TRACK     *app.apollo.io/listener/dwn_profiling.js*                Tracking script
TRACK     *www.apollo.io/.netlify/scripts/rum*                     Tracking script
TRACK     assets.apollo.io                                         Tracking script
TRACK     tracker.iife.js                                          Tracking script
TRACK     app.apollo.io/listener/dwn_profiling.js                  Auto-extracted from scan
TRACK     www.apollo.io/.netlify/scripts/rum                       Auto-extracted from scan
TRACK     assets.apollo.io/micro/contact-tracker/tracker.iife.js   Apollo contact tracker
TRACK     app.apollo.io/listener/dwn_profiling.js                  Apollo profiling listener
TRACK     assets.apollo.io/micro/website-tracker/tracker.iife.js   Apollo Website Visitor Identification pixel

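The manifest above is offered for detection rules and blocklists, and the "Audit your consent configuration" action under If You Use Apollo.io asks you to verify pre-consent loading yourself. The following added example (written for this briefing, not BLACKOUT's scanner or Apollo code) ties the two together: it compiles the manifest's glob-style indicators into matchers, runs them over HAR entries exported from a browser session, and flags every matching request that started before the timestamp at which your CMP recorded consent. The HAR entries and the consent time are constructed sample data; the matching semantics (`*` as wildcard, patterns without `*` as substring matches, query strings ignored) are my assumption about how the manifest is meant to be read.

```javascript
// Added example: IOC-pattern matching over HAR entries with pre-consent
// classification. Patterns copied from the IOC manifest in this briefing.
const IOC_PATTERNS = [
  "*apollo*.js",
  "*app.apollo.io/listener/dwn_profiling.js*",
  "*www.apollo.io/.netlify/scripts/rum*",
  "assets.apollo.io",
  "tracker.iife.js",
  "app.apollo.io/listener/dwn_profiling.js",
  "www.apollo.io/.netlify/scripts/rum",
  "assets.apollo.io/micro/contact-tracker/tracker.iife.js",
  "assets.apollo.io/micro/website-tracker/tracker.iife.js",
];

// Glob to RegExp (assumed semantics): "*" matches any run of characters;
// a pattern containing "*" is anchored to the whole URL, a bare host or
// path fragment is an unanchored substring match. Case-insensitive.
function compileIoc(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  const source = pattern.includes("*") ? `^${escaped}$` : escaped;
  return { pattern, re: new RegExp(source, "i") };
}

const MATCHERS = IOC_PATTERNS.map(compileIoc);

// Query string and fragment are dropped before matching so cache-busters
// such as "?v=3" cannot defeat a pattern that ends in ".js".
function stripQuery(url) {
  return url.split(/[?#]/)[0];
}

// Returns the list of manifest patterns that match the URL.
function matchIocs(url, matchers = MATCHERS) {
  const target = stripQuery(url);
  return matchers.filter((m) => m.re.test(target)).map((m) => m.pattern);
}

// entries:   HAR-style [{ startedDateTime, request: { url } }]
// consentAt: ISO timestamp at which the CMP recorded consent; null means
//            consent was never given, so every hit is pre-consent.
function auditPreConsent(entries, consentAt, matchers = MATCHERS) {
  const consentMs = consentAt ? Date.parse(consentAt) : Infinity;
  const hits = [];
  for (const e of entries) {
    const patterns = matchIocs(e.request.url, matchers);
    if (patterns.length === 0) continue;
    hits.push({
      url: e.request.url,
      host: new URL(e.request.url).hostname,
      patterns,
      preConsent: Date.parse(e.startedDateTime) < consentMs,
    });
  }
  return hits;
}

// Distinct hostnames behind matched requests, sorted: the candidate list
// for a Pi-hole blocklist or for omission from a CSP script-src/connect-src.
function hostsFromHits(hits) {
  return [...new Set(hits.map((h) => h.host))].sort();
}

function summarize(hits) {
  return hits.map((h) =>
    `${h.preConsent ? "PRE-CONSENT" : "post-consent"}  ${h.url}  [${h.patterns.join(", ")}]`
  ).join("\n");
}

// Constructed sample data: a page whose CMP recorded consent at 10:00:05Z.
const CONSENT_AT = "2024-05-01T10:00:05.000Z";
const SAMPLE_HAR = [
  { startedDateTime: "2024-05-01T10:00:00.100Z", request: { url: "https://www.apollo.io/.netlify/scripts/rum" } },
  { startedDateTime: "2024-05-01T10:00:00.500Z", request: { url: "https://www.example.com/js/apollo-theme.js" } },
  { startedDateTime: "2024-05-01T10:00:01.000Z", request: { url: "https://assets.apollo.io/micro/website-tracker/tracker.iife.js?v=3" } },
  { startedDateTime: "2024-05-01T10:00:02.000Z", request: { url: "https://www.example.com/static/app.js" } },
  { startedDateTime: "2024-05-01T10:00:09.000Z", request: { url: "https://app.apollo.io/listener/dwn_profiling.js" } },
];

console.log(summarize(auditPreConsent(SAMPLE_HAR, CONSENT_AT)));
```

Two things the sample shows that the manifest alone does not: the broad `*apollo*.js` indicator also catches a first-party file that merely has "apollo" in its name (`apollo-theme.js` above), so review hits before turning them into a blocklist; and a request that matches after the consent timestamp is not a finding, so the consent time must come from the CMP's own record, not from when the banner appeared.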
Ecosystem

Ecosystem & Supply Chain

Apollo's visitor-tracking pixel (assets.apollo.io/micro/website-tracker) is embedded by customers running its Website Visitor Identification product, and Apollo JavaScript is detected across 39 sites in the BLACKOUT corpus, roughly 69% loading before consent. On its own site Apollo loads a 42-vendor stack spanning identity resolution (FullContact, LiveIntent, Vector), session replay (Microsoft Clarity, Hotjar), ad exchanges (Bidvertiser, DoubleClick, Meta, Reddit), and bot-filtering (CHEQ). Apollo both consumes identity data, as an enrichment and ad-exchange buyer, and produces it, as a 250M-contact data broker. Its collection architecture extends beyond the browser pixel to a Chrome extension with over a million installs and an MCP connector distributed into AI assistants.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

59 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details