DATA PROCESSING ADDENDUM

Last update: March 20, 2023

Version: 2.0

This DPA is incorporated by reference into all terms and conditions of Apollo’s use. They may be updated from time to time. 

  1. BACKGROUND
    1. ZenLeads Inc. (“Company”, “we”, “our” or “us”) (d/b/a Apollo.io) entered into an order and an agreement (the “Agreement”) with the entity or organization named in the Agreement (“Customer”, “you”, “your”, or “yours”) for the provision of our Services to you.
    2. This Data Processing Addendum (the “DPA”) shall be supplemental to the Agreement.  In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.  
    3. This DPA is between you and Company (each a “Party” and collectively the “Parties”). 
    4. Sections 4 through 6 apply solely when Company is a Processor of Customer Personal Data. These Sections do not apply to the extent Company is a Controller of Personal Data, as described in Section 3.2.
  2. DEFINITIONS
    1. Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following capitalised terms used in this DPA shall be defined as follows:
      1. “Controller” has the meaning given in the GDPR and other Data Protection Laws that employ that term in designating between “processors” and “controllers” of personal data.  “Controller” shall also have the same meaning as “Third Party” for the purposes of the CCPA. 
      2. “Customer Personal Data” means Personal Data that we process on your behalf in connection with our provision of the Services.  (For avoidance of doubt, Customer Personal Data does not include any personal data as to which we act as a Controller).
      3. “Data Protection Laws” means, to the extent applicable to the Processing of Customer Personal Data under the Agreement: the EU General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”), the Colorado Privacy Act (“CPA”), Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CT Act”), the Virginia Consumer Data Privacy Act (“VDCPA”), the Utah Consumer Privacy Act (“UCPA”), and any applicable national or state implementing legislation regarding privacy, data protection, or data security, in each case as amended, replaced or superseded from time to time and together with implementing regulations.
      4. “Data Subject” has the meaning given in the GDPR, and shall also mean a “consumer” for purposes of Data Protection Laws using that term.
      5. “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein. 
      6. “Output Data” is Personal Data that Company licenses to you. 
      7. “Personal Data” has the meaning given in the GDPR, and shall include information that is “Personal Information” for the purposes of the CCPA.
      8. “Processing” has the meaning given in the GDPR or other Data Protection Laws, and “Process” and its cognates will be interpreted accordingly. 
      9. “Processor” has the meaning given in the GDPR and other Data Protection Laws that employ that term in designating between “processors” and “controllers” of Personal Data.  “Processor” shall also have the same meaning as “Service Provider” for the purposes of the CCPA. 
      10. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
      11. “Standard Contractual Clauses” means either or both of the following, as the context requires:
        1. The “EU SCCs”, meaning the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (located at http://data.europa.eu/eli/dec_impl/2021/914/oj) and completed as set forth herein.
        2. The “UK SCCs”, meaning the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf) and completed as set forth herein.
      12. “Subprocessor” means any Processor engaged by us who agrees to receive from us Customer Personal Data.
      13. “Supervisory Authority” has the meaning given in the GDPR. 
  3. DATA PROCESSING
    1. When We Act as a Processor.  To the extent that we receive and Process Customer Personal Data solely to provide you with Services, such as to receive your Customer Personal Data solely in order to match it to and provide you with Output Data, or such as to receive your Customer Personal Data as contributory data for our network, or such as to receive your Customer Personal Data in order to provide enhanced services around emailing products or similar, we are acting as a Processor.  When we act as a Processor, we will only Process Customer Personal Data in accordance with your written instructions and on your behalf. We acknowledge the Agreement (subject to any changes to the Services agreed between the Parties) and this DPA as your written instructions to us in relation to the processing of Customer Personal Data. As a Processor, to the extent required by Data Protection Laws, we will:
      1. not retain, use, or disclose Customer Personal Data outside of the direct business relationship between you and us;
      2. not “sell” any Customer Personal Data or “share”/process any Customer Personal Data for purposes of targeted advertising, as such terms are defined in Data Protection Laws;
      3. comply with any applicable restrictions under the CCPA on combining Customer Personal Data with other data; and
      4. provide the same level of protection for the Customer Personal Data subject to the CCPA as is required under the CCPA.
    2. When We Each Act as Controllers.  We are each independent Controllers of Output Data, in each case when such Output Data is in our respective possession.  Company is an independent Controller of Personal Data in its Contributor Database, including Personal Data (if any) that you have agreed to contribute to the Contributor Database.  You are an independent controller when you provide Customer Personal Data to us. 
    3. Required Notices and Consents. Where required by Data Protection Laws, you will ensure that you have provided/will provide all necessary notices and have obtained/will obtain all necessary consents for the Processing of Customer Personal Data by us in accordance with the Agreement.
  4. SUBPROCESSORS
    1. Authorized Subprocessors. You agree that we may use the following as Subprocessors to Process Customer Personal Data: Google Compute Platform, Microsoft Azure.
    2. Adding New Subprocessors. You agree that we may use Subprocessors to fulfil our contractual obligations under the Agreement. We shall notify you of the identity of any new Subprocessors we engage at least thirty (30) days before the new Subprocessor commences its Processing of Customer Personal Data (the “Notice”). We will provide Notice by either (a) posting such Subprocessors at the following webpage: https://www.apollo.io/product/security/ or https://trust.apollo.io/, or (b) our sending of an email at the last known email address we have on file.  If you reasonably object to a new Subprocessor on grounds related to the protection of Customer Personal Data, then without prejudice to any right to terminate the Agreement, the Parties shall negotiate a resolution in good faith.  If the Parties cannot agree on a resolution within 30 days of notice, then you may terminate the Agreement immediately upon written notice to us and you shall be entitled to a refund of any prepaid fees for services unused as of the effective date of termination. This termination right and refund is your sole and exclusive remedy if you object to any new Subprocessor.  If you do not object within thirty (30) days of receipt of the Notice, you are deemed to have accepted the new Subprocessor. 
    3. Subprocessor Agreements. We will enter into a written agreement with each Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on us under this DPA. 
    4. Liability of Subprocessors. We will at all times remain responsible for compliance with our obligations under the DPA and will be liable to you for the acts and omissions of any Subprocessor as if they were our acts and omissions.
  5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
    1. Company Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in Exhibit 2.
    2. Demonstrating Compliance. Upon your reasonable request, we will make available all information reasonably necessary to demonstrate compliance with this DPA. 
    3. Security Incident Notification. If we become aware of a Security Incident we will (a) notify you of the Security Incident within 72 hours, (b) investigate the Security Incident and provide you (and any law enforcement or regulatory official, as required by Data Protection Law) with reasonable assistance as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
    4. Company Employees and Personnel. We will treat the Customer Personal Data as  confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
    5. Audits. We will, upon your reasonable request, allow for and contribute to audits, including inspections, of our compliance with this DPA, conducted by you (or a third party on your behalf and mandated by you) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (iii) are conducted in a manner that causes minimal disruption to Company’s operations and business. 
    6. Remediation Right. You retain the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
  6. ACCESS REQUESTS AND ASSISTANCE WITH COMPLIANCE
    1. Government Disclosure. We will notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency. 
    2. Assistance Generally. Solely to the extent and in the manner required under Data Protection Laws, we provide reasonable assistance to you for your compliance with such laws, including, without limitation, as set forth in Sections 6.3 and 6.4.
    3. Data Subject Rights. To the extent required under Data Protection Laws, and taking into account the nature of the Processing, we will use reasonable endeavors to assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising Data Subject rights laid down in Data Protection Laws.
    4. Data Protection Impact Assessments; Prior Consultations. To the extent required under Data Protection Laws, we will provide you with reasonably requested information regarding our Services to enable you to carry out data protection impact assessments or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to us.  We shall provide reasonable assistance to you in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section, to the extent required under Data Protection Laws.
  7. CONTROLLER OBLIGATIONS.
    1. In the course of acting as a Controller, each Party shall:
      1. Limit its use of Personal Data received from the other Party to the limited and specific purposes set forth in the Agreement or any applicable work order, and (without limitation of the foregoing) to purposes that it reasonably believes an average consumer would reasonably expect.
      2. Comply with its own obligations under Data Protection Laws applicable to it as a Controller, including as to any data subject rights to deletion, access, and “opt out” of “sale” or “sharing” of Personal Data (as such terms are defined in Data Protection Laws). 
      3. Notify the other Party about all valid opt-out and deletion requests, as and to the extent required by Data Protection Laws.   Without limitation of the foregoing, Company may make such opt-out and deletion database available on https://www.apollo.io/privacy or another secure webpage, and (to the extent you continue to hold any Output Data) you agree to log in to that database as and if provided, in a timely manner, and apply all such opt-out or deletion requests to any Output Data you continue to hold.
      4. As to any Personal Data received from the other Party, implement and maintain reasonable security procedures, as appropriate to the level of sensitivity and confidentiality applicable to such Personal Data.  
      5. Provide the other Party with reasonable assurances, in writing, as may be necessary to permit the other Party to ensure that it has employed Personal Data subject to the Agreement as contemplated by the Agreement.
      6. Notify the other Party if it determines that it is no longer able to comply with this DPA or Data Protection Laws. 
      7. For Personal Data subject to the CCPA, provide the same level of protection to the Personal Data as the Party providing the Personal Data is required to provide under the CCPA.
    2. The Party providing the Personal Data retains the right, upon reasonable notice, to (a) take reasonable and appropriate steps to ensure that the other Party uses Personal Data consistent with Data Protection Laws, and (b) stop and remediate any unauthorized Processing of Personal Data, including any Processing not authorized under this DPA.
  8. DATA TRANSFERS. 
    1. Transfers Mechanism. To the extent that the Processing of Personal Data involves the transmission of such Personal Data to a country or territory outside the country from which such Personal Data was provided to the Party receiving the data (the “data importer”), the Parties will comply with any requirements under Data Protection Laws regarding such transfers. To the extent required by Data Protection Laws, the data importer shall ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Personal Data from one country to another.
    2. EU SCCs. To the extent legally required, by entering into this DPA, the Parties are deemed to have signed the EU SCCs and its Annexes, which form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict. Except as described in Sections 8.3 and 8.4 below, the EU SCCs are deemed completed as follows:
      1. Module 1 applies to transfers of Personal Data where both Parties are independent Controllers (as described in Section 3.2 of this DPA). Module 2 of the EU SCCs applies to transfers of Customer Personal Data from Customer (the Controller) to us (the Processor).
      2. Clause 7 (the optional docking clause) is included.
      3. Clause 9 of Module 2 (Use of sub-processors): The Parties select Option 2 (General written authorization). The initial list of Subprocessors and the procedures for updating such list are set forth in Sections 4.1 and 4.2 of this DPA.
      4. Clause 11 (Redress): The optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included.
      5. Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland.
      6. Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland.
      7. Annex I is completed as set forth in Exhibits 1A and 1B of this DPA. Annex II is completed as set forth in Exhibit 2 of this DPA. Annex III is not applicable because the Parties have chosen General Authorization under Clause 9.
    3. UK SCCs. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within the UK SCCs are deemed completed as follows:
      1. Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in Exhibits 1A and 1B of this DPA, as applicable.
      2. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed above.
      3. Table 3: Annex I is set forth in Exhibits 1A and 1B of this DPA. Annex II is set forth in Exhibit 2 of this DPA. Annex III is inapplicable.
      4. Table 4: We may end this DPA as set out in Section 19 of the UK SCCs.
    4. Swiss Data. For transfers of Personal Data that are subject to the Swiss Federal Act on Data Protection (“FADP”), the EU SCCs form part of this DPA as set forth above, but with the following differences to the extent required by the FADP:
      1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR, and references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of FADP revisions that eliminate this broader scope.
      2. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
      3. The relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
  9. TERMINATION
    1. Deletion of data. Subject to Section 9.2 below, we will, at your election within 90 (ninety) days of the date of termination of the Agreement:
      1. delete all Customer Personal Data Processed by us or any Subprocessors; or
      2. return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified to us by you. 
    2. Retention. We and our Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that we ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

EXHIBIT 1A

A. LIST OF PARTIES

Data exporter(s): 

Name: The Customer identified in the Agreement or Order Form. 

Address: As set forth in the Agreement or Order Form.

Contact person’s name, position and contact details: As set forth in the Agreement and Order Form, or as otherwise agreed to by the parties.

Activities relevant to the data transferred under these Clauses: Receiving the services provided by the data importer in accordance with the Agreement and the DPA.

Signature and date: See signature of the DPA.

Role (controller/processor):  Controller

Data importer: 

Name:  ZenLeads Inc. (d/b/a Apollo.io)

Address:  340 S. Lemon Ave #4750, Walnut, CA 91789

Contact person’s name, position and contact details:  privacy@apollo.io (Ray Li, CTO), or such other person designated by ZenLeads

Activities relevant to the data transferred under these Clauses: Providing the services to data exporter in accordance with the Agreement and the DPA.

Signature and date: See signature and/or electronic acceptance date to the DPA. 

Role (controller/processor): 

  • Processor with regard to Customer Personal Data. 
  • Controller with regard to any Personal Data that Customer contributes (upon but not prior to such contribution) to the Contributor Database, if any is contributed.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Data subjects include data exporter’s prospects, customers, business partners and vendors.  

Categories of personal data transferred: Data exporter may submit Customer Personal Data, the extent of which is determined and controlled by the data exporter, and which may include, but is not limited to the following categories of Customer Personal Data:

  • First and last name
  • Title
  • Employer
  • Contact information (company, email, phone, physical business address)
  • IP address

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):  Continuously for the duration of the Agreement.

Nature of the processing:  

  • Where data importer is a Processor: Data importer Processes Customer Personal Data to provide the services pursuant to the Agreement, which includes, without limitation, receiving, storing, analyzing, and deleting Customer Personal Data.
  • Where data importer is a Controller: Data importer Processes Personal Data to maintain and improve the Contributor Database, which includes, without limitation, receiving, storing, analyzing, and deleting Personal Data.

Purpose(s) of the data transfer and further processing:  

  • Where data importer is a Processor: Data importer’s provision of services to the data exporter pursuant to the Agreement between data exporter and data importer.
  • Where data importer is a Controller: Data importer’s creation, improvement, and maintenance of the Contributor Database.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: 

  • Where data importer is a Processor: The term of the Agreement between data exporter and data importer
  • Where data importer is a Controller: As long as data importer uses such Personal Data for purposes of the Contributor Database.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:  Same as above.

C. COMPETENT SUPERVISORY AUTHORITY 

To the extent legally permissible, the competent supervisory authority is the Irish Data Protection Commission.

EXHIBIT 1B

A. LIST OF PARTIES

Data exporter(s): 

Name:  ZenLeads Inc. (d/b/a Apollo.io)

Address:  340 S. Lemon Ave #4750, Walnut, CA 91789

Contact person’s name, position and contact details:  privacy@apollo.io (Ray Li, CTO), or such other person designated by ZenLeads. 

Activities relevant to the data transferred under these Clauses: Providing the services (including Output Data, as defined in the DPA) to data exporter in accordance with the Agreement and the DPA.

Signature and date: See signature and/or electronic acceptance date to the DPA. 

Role (controller/processor): Controller

Data importer:

Name: The Customer identified in the Agreement. 

Address: As set forth in the Agreement.

Contact person’s name, position and contact details: As set forth in the Agreement and Order Form or otherwise agreed to by the parties.

Activities relevant to the data transferred under these Clauses: Receiving the services (including Output Data, as defined in the DPA) provided by the data importer in accordance with the Agreement and the DPA.

Signature and date: See signature and/or electronic acceptance date to the DPA. 

Role (controller/processor):  Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Data subjects include individuals whose data has been contributed to the Contributor Database.

Categories of personal data transferred: Output Data (as defined in the DPA), which includes the following categories of Personal Data: 

  • First and last name
  • Title
  • Employer
  • Contact information (company, email, phone, physical business address)
  • IP address

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):  Continuously for the duration of the Agreement.

Nature of the processing:  For marketing, customer insights, analytics and data hygiene, subject to the parties’ additional terms and agreements. 

Purpose(s) of the data transfer and further processing: Data importer’s receipt of services (including Output Data) provided by data exporter under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:  Data importer will retain the Output Data for as long as such data is useful and relevant to the data importer’s purposes for receiving such data, subject to the mutual agreements, licenses and restrictions in place.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:  Same as above.

C. COMPETENT SUPERVISORY AUTHORITY 

To the extent legally permissible, the competent supervisory authority is the Irish Data Protection Commission.

EXHIBIT 2

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Data importer will implement and maintain the Technical and Organisational Measures described in this Annex II. Notwithstanding any provision to the contrary otherwise agreed to by Data Exporter, Data importer may modify or update these Technical and Organisational Measures at its discretion provided that such modification and update does not result in the degradation of the overall security of the services. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Company Customer Terms of Service.

a) Access Control

i)      Preventing Unauthorized Product Access

Outsourced processing: Company hosts its Service with outsourced, US-based data center providers. Additionally, Company maintains contractual relationships with vendors in order to provide the Service. Company relies on contractual agreements, privacy policies, and vendor compliance programs in order to assure the protection of data processed or stored by these vendors.

Physical and environmental security: Company hosts its product infrastructure with multi-tenant, outsourced data center providers. The physical and environmental security controls are audited for SOC 2 Type I compliance.

Authentication: Company implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Company’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.

ii)     Preventing Unauthorized Product Use

Company implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. 

Static code analysis: Security reviews of code stored in Company’s source code repositories are performed, checking for coding best practices and identifiable software flaws.

iii)    Limitations of Privilege & Authorization Requirements

Product access: A subset of Company’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, and to detect and respond to security incidents. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.

b) Transmission Control

In-transit: Company makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Company products. Company’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Company stores user passwords following policies that follow at least industry standard practices for security.  

c) Input Control

Detection: Company designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Company personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Company maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Company will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Communication: If Company becomes aware of unlawful access to Customer data stored within its products, Company will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Company is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Company deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Company selects, which may include via email or telephone.

d) Job Control

The Company Product provides a solution for Customers to conduct their marketing and sales activities. Customers control the data types collected by and stored within their portals. Company never sells personal data to any third party.

Terminating Customers: Customer Data in active (i.e., primary) databases is purged upon a customer’s written request, or for our web-based application available at https://www.apollo.io, 90 days after a customer terminates all agreements for such products with Company. Marketing information stored in backups, replicas, and snapshots is not automatically purged, but instead ages out of the system as part of the data lifecycle. Company reserves the right to alter data purging period in order to address technical, compliance, or statutory requirements.

e) Availability Control

Infrastructure availability: The data center providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple data centers and availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Company’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Company operations in maintaining and updating the product applications and backend while limiting downtime.

f) Separation in Processing

Company’s collection of personal data from its Customers is to provide and improve our products. Company does not use that data for other purposes that would require separate processing.