Cambridge Analytica is accused of improperly using the data on behalf of political clients.
In a statement, Mr Zuckerberg said a "breach of trust" had occurred.
In a later interview with CNN he said he was "really sorry", and pledged to take action against "rogue apps".
He added that he was "happy" to testify before Congress "if it's the right thing to do".
In his statement posted on Facebook, he promised to make it far harder for apps to "harvest" user information.
"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you," Mr Zuckerberg said.
What has Zuckerberg pledged to do?
To address current and past problems, Mr Zuckerberg said his company would:
investigate all Facebook apps that had access to large amounts of information before the platform was changed "to dramatically reduce data access" in 2014
conduct a "full forensic audit" of any app with suspicious activity
ban any developer that did not agree to a thorough audit
ban developers that had misused personally identifiable information, and "tell everyone affected by those apps"
In future, he said Facebook would:
restrict developers' data access "even further" to prevent other kinds of abuse
remove developers' access to a user's data if the user hadn't activated the developer's app for three months
reduce the data that users give an app when they sign in to just name, profile photo, and email address
require developers to obtain approval and also sign a contract in order to ask anyone for access to their posts or other private data
Mr Zuckerberg added: "While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past.
"We will learn from this experience to secure our platform further and make our community safer for everyone going forward."
Source: BBC