Amplitude’s Stance on Security & Privacy
Amplitude provides a secure platform to explore your data, while addressing all relevant legal, industry, and regulatory concerns.
Amplitude is cloud-hosted on Amazon Web Services, a highly secure and well established environment. Many data and analytics platforms consider their cloud provider’s security measures to be a comprehensive strategy – our provider is secure, therefore we are secure. But at Amplitude, we’ve taken further steps to keep our customers’ data safe, by building an information security system in accordance with ISO 27001, an industry gold-standard; by maintaining a high bar of data protection and privacy controls, as evidenced by our ISO 27018:2019 certification; and by ensuring our internal practices are secure through an annual SOC 2 Type 2 Certification.
Not only do we maintain secure practices and systems ourselves, but we strive to help customers maintain their own compliance. Amplitude is data neutral and agnostic, to provide you with privacy and control over the data you send to our platform. In addition, we provide access control, data management, and other tools to meet privacy regulation compliance.
SOC 2 Type 2 Certification
Amplitude undergoes an annual SOC 2 (Service Organization Control 2) Type 2 review by a qualified auditor, covering all the trust principles (Security, Confidentiality, and Availability) that apply to our operations. This ensures that our practices across all aspects of the business maintain security and confidentiality of customer data. All of our audit reports are made available to all of our customers under NDA.
ISO 27001 Certification
Amplitude is an ISO 27001 certified organization and has elected to adopt the ISO 27001 standard as the baseline for security governance and our Information Security Management System (ISMS). Complying with ISO 27001 provides all of our customers with the assurance that we manage information security according to a “gold standard”.
ISO 27018:2019 Certification
Amplitude is also ISO 27018:2019 certified, providing our customers with assurance that their personal data is processed securely and in line with ISO’s internationally recognized high standards. Amplitude is committed to the privacy and protection of our customers’ data and this certification demonstrates that we have a robust system of controls in place to specifically address the privacy protection of customer data.
2. Information Security
Amplitude’s security program governance is modeled to support ISO 27001/2 ISMS requirements, and the needs and requirements of our customers. We provide a secure platform, while addressing all relevant legal, industry, and regulatory concerns.
Our core principles for information security are:
- To maintain a feature-rich, highly secure platform
- To address our customers’ security needs and compliance mandates
- To operate our platform safely and reliably
Core Principle – Maintain a Feature-Rich, Highly Secure Platform
We weave security into every aspect of our product life cycle (cradle-to-grave).
Our software development lifecycle (SDLC) ensures that all code undergoes automated and manual security review by embedded security tools and personnel experienced and trained in secure coding techniques. No code can be promoted into production without full testing. We provide relevant training on an ongoing basis, based on the results of external code reviews. Old code is retired regularly, avoiding the accumulation of unnecessary legacy code which can otherwise harm the security and reliability of the platform.
Amplitude also maintains a private bug bounty program with HackerOne, providing us with valuable, ongoing feedback from the security researcher community.
Our cloud operations are embedded in an established, large, secure cloud environment (Amazon AWS), across multiple availability zones, ensuring a solid foundation for security and reliability. We make use of available security features such as virtual private clouds (VPCs), and layer on additional controls within our virtual environment. Examples include system hardening with industry established benchmarks from CIS with automated compliance checks, centralized security event management via a 24x7x365 SOC, use of strong encryption and key management tools, recurring vulnerability testing, centralized and automated configuration management, enforcement of multi-factor authentication for all internal access, and more. Taking advantage of virtualization also allows us to keep our systems patched as a matter of course, as part of their typically short (hours or days) lifecycle.
Core Principle – Address Customers’ Security Needs and Compliance Mandates
Amplitude knows that many of our customers have explicit requirements tied to rules, laws, regulations, and industry security standards and compliance programs. And while Amazon, our cloud provider, offers a host of compliance certifications, they only cover the network infrastructure and data centers (IaaS components).
We realize that we need to go far beyond that in order to satisfy the needs of our customers. To that end, Amplitude has chosen a number of compliance programs to adopt that cover its own operations within the cloud. Through those programs, we can assure that your use of Amplitude will not put your data and compliance requirements at risk.
Core Principle – Operate our Platform Safely and Reliably
At Amplitude, we recognize that security is not just about well-designed technical security controls – secure environment management is also critically important. We consider security operations a mission-critical aspect of our security program.
Amplitude relies on a mix of internal and external audits, automated and manual in-depth testing of all platform components, and a comprehensive approach towards managing security alerts and events to ensure that our controls are performing as they should. Role segregation ensures that only necessary personnel have access to sensitive data. Recurring, role-based training is used to maintain awareness of security within Amplitude’s culture.
Security is more than a set of technical controls – we know that to operate our platform securely, we must also keep our people and our processes in mind. As our customer, you want more than just fancy certifications or the technology vendors we use, and we aim to provide that.
Shared Responsibility Model
Like Amazon, Amplitude is responsible for maintaining a secure platform, managing all aspects of the platform to a high, secure, reliable standard; as our customer, you are responsible for using the Amplitude platform in a legal and responsible manner.
It is important to understand that as a platform, Amplitude has certain attributes that as our customer, you must take into account as you use our platform:
Amplitude is data-neutral – we do not know what data you choose to send to our platform. If our engine can process it, then it will, but there is no inspection or monitoring by Amplitude of the underlying data payloads. Amplitude does not make any data-based decisions other than following your instructions as you configure the platform to perform your desired operations.
Amplitude is also data-agnostic – Amplitude will take no action based on the nature of any particular data or its classification. All incoming data is dealt with identically. To support precision ingestion, Amplitude can provide customers with an optional Govern add-on, which allows administrators to clearly define which data elements they wish the platform to ingest and process (analytics white-list engine). Data elements that do not conform to the defined specification will be automatically discarded. With Govern, customers can be confident that Amplitude will only process their approved data elements, and unapproved data will be blocked even if their application attempts to send it due to configuration or programming errors.
3. Data Protection & Storage
Data Storage & Segregation
Customer raw feeds are stored in separate secured Amazon S3 buckets, and customer data is logically separated using multiple techniques. All data is stored in an AWS US region.
APIs support TLS, and SDKs can be configured by customers to use TLS as well. Customer data stored within our systems is encrypted using Amazon’s built-in encryption services, which utilize AES-256. Encryption keys are managed via AWS KMS and Hashicorp Vault.
4. Data Management & User Access Control
The Govern Add-on helps customers define and control the data within Amplitude. In addition, customers can set rules regarding this data, and be notified of any potential issues. By specifying your organization’s ingestion rules, you protect yourself against ever accidentally storing sensitive user data such as passwords, social security, or credit card numbers.
Administrators of Amplitude have control over who has access to data within an organization. For additional details, please reference the User Permissions article or reach out to your contact at Amplitude.
Amplitude customers own the data they send to the Amplitude platform for processing. Amplitude collects and analyses data about the use of its own platform by its customers, but that data does not include the data sent to the platform by its customers for analysis on their behalf.
Personally Identifiable Information/Personal Data
The Amplitude platform does not require personally identifiable information or personal data to perform product analytics. Amplitude customers have the flexibility to control what data is collected, processed, and stored in Amplitude. This page provides instructions on limiting tracking and storage of specific fields in our SDKs.
Amplitude can help your organization ensure that personal data is not stored on the Amplitude platform and reduce your compliance processes and burden, for example by removing IP addresses and location data from stored events. For existing customers, reach out to firstname.lastname@example.org to set this up.
Amplitude’s privacy team has reviewed our architecture, data flows, vendor capabilities and agreements to ensure that our platform is GDPR compliant. Amplitude’s analytics platform does not directly interact with our customers’ end users, nor does the platform automatically collect personal data. However, our customers might collect and send personal data to Amplitude for processing (e.g., IP address) and, as a result, Amplitude has implemented procedures and upgrades for our customers to remain privacy regulation compliant.
Specifically, we provide our customers with APIs to automatically serve their end-user Access and Deletion requests as detailed below.
- Amplitude’s Data Processing Agreements (DPAs) rely on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism for Personal Data from the United Kingdom, EU and EEA to our US-West based AWS environment. On July 16, 2020 the Court of Justice of the European Union (CJEU) determined that the EU SCCs will continue to be a valid transfer mechanism for Personal Data from the EU to the United States.
- Amplitude has signed Data Processing Agreements with our key vendors.
- Amplitude’s SDKs give customers flexibility to control what data they choose to collect, and send to our platform for processing and storage. Our customers, not Amplitude, control the type of data that is collected, stored and processed in the platform. This is a full summary of the data keys Amplitude recognizes. Unless otherwise noted, all fields are optional and no personal data is required to use our core functionality.
- Amplitude has built advanced features that will allow customers to remove a specific individual’s information from the platform or instruct the platform not to store end-user IP addresses.
Our privacy team continually monitors developments for global privacy regulations and works with product and development teams to create solutions that address the growing concerns around processing personal data. As your vendor under the California Consumer Privacy Act (CCPA), Amplitude is defined as a Service Provider, which bears similarity to the Processor definition under the GDPR.
Based on our analysis of the final version of the CCPA and published regulations, the tools currently available through the platform to support end-user rights, as well as the working mechanisms of the platform itself, are sufficient to address the CCPA directives. Such tools include our User Privacy API to facilitate individual user deletion requests with a 30-day deletion timeline (exceeding the CCPA’s 45-day requirement), and the DSAR API which can help facilitate access requests. We have also updated our Data Processing Agreement (DPA) in order to meet contractual requirements of the CCPA.
The Amplitude platform receives data collected by our customers from their application or website end-users, and allows them to understand usage metrics of their products. However, Amplitude employees do not access customer end-user data unless instructed by our customer, and customer data is never sold to third parties.
User Privacy API
In order to ensure that our customers can appropriately respond to and comply with end-user data deletion requests as required by global privacy laws such as the GDPR and the CCPA, we have built a simple and easy-to-use API endpoint that allows you to programmatically submit requests to delete all data for a set of known Amplitude IDs and/or User IDs. For more details, see our developer documentation: User Privacy API
DSAR API (Data Subject Access Request)
The GDPR, the CCPA, and other global privacy laws require our customers to provide all data about an end user upon their request. Data Subject Access Requests (DSARs) under the GDPR and Requests to Know under the CCPA, for example, can be completed using the DSAR API, which makes it easy to retrieve all data about a single user. More details can be found here.
We may update this section as the global regulations emerge or are updated and if any additional information is required.
For more information, contact sales here.
For more questions around security and compliance, please contact email@example.com. For more questions around privacy, please contact firstname.lastname@example.org. If you want to report any concerns, including fraud, please email email@example.com and include Amplitude in the report.