Data Processing Addendum
ARCHIVED VERSION: October 22, 2021
This Data Processing Addendum (this “DPA”) is incorporated into and forms part of the Master Services Agreement or Order Form, or other written or electronic agreement between Customer and Amplitude, which governs Customer’s use of the Services (as applicable, “Agreement”). To the extent there is any conflict between the terms of this DPA and the other terms of the Agreement, this DPA will govern.
Definitions
1. In this DPA:
“Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) Amplitude as provider of the Services or (ii) Customer as user of the Services. For example, to the extent applicable, this includes the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (“UK Data Protection Law”), and the California Consumer Privacy Act and associated regulations (“CCPA”).
“Designated Address” means Customer’s email address for legal notices set forth in the Order Form or the email address in Customer’s account information on record.
“Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies).
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or other Processing of, or access to, Personal Data.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses” refers to one or both of the following, as the context requires:
- For Personal Data subject to the UK Data Protection Law, the “2010 Standard Contractual Clauses,” defined as the clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at and completed as described in the “Data Transfers” section below; and
- For Personal Data subject to the GDPR, the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at and completed as described in the “Data Transfers” section below.
“Subprocessor” means a subcontractor engaged by Amplitude for the Processing of Personal Data.
2. For ease of reading, some other terms are defined later in the DPA. Capitalized terms used but not otherwise defined in the DPA will have the meaning set forth in the Agreement.
Scope, Relationship of the Parties, and Data Use Limitations
3. This DPA applies only to Personal Data that Customer submits to Amplitude as part of the Services, where such data is Customer Data and Services as defined in the Agreement.
4. Unless required by Applicable Law, Amplitude will Process the Personal Data only to: (i) perform the Services for Customer pursuant to the Agreement; (ii) comply with this DPA; and (iii) carry out Customer’s reasonable written instructions that are consistent with the Agreement and this DPA. Without limiting the foregoing, (i) Amplitude shall not “sell” the Personal Data, as such term is defined in the CCPA; and (ii) Amplitude shall not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Amplitude. Amplitude hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
5. If Amplitude receives a demand under Applicable Law to engage in Processing not permitted by the above, Amplitude shall attempt to redirect the demand to Customer and Customer agrees Amplitude may provide information as reasonably necessary for such redirect. If Amplitude cannot redirect the demand to Customer, Amplitude shall, to the extent legally permitted to do so, provide Customer reasonable notice of the demand as promptly as possible under the circumstances. This section does not diminish Amplitude’s obligations under the Standard Contractual Clauses with respect to access by public authorities.
6. For the Services, the parties acknowledge and agree that Customer is the “Controller” and Amplitude is Customer’s “Processor” as such terms are defined in the GDPR (regardless of whether the GDPR applies).
Confidentiality and Training
7. Amplitude will ensure that the persons Amplitude authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data. Amplitude will train relevant employees regarding privacy, confidentiality, and data security.
Security
8. Amplitude will comply with the security obligations of the GDPR and other Applicable Law. Amplitude will assist Customer in Customer’s compliance with such obligations by implementing technical and organizational measures that comply with Applicable Law and Schedule B. Amplitude may make future replacements or updates to the measures, so long as the measures continue to comply with Applicable Law and do not lower the level of security provided for the Personal Data.
Subprocessors
9. Amplitude may subcontract the Processing of Personal Data only (i) in compliance with Applicable Law regarding subprocessing, including GDPR Art. 28, (ii) with Customer’s consent, and (iii) if Amplitude has imposed contractual obligations on the Subprocessor that are substantially the same as, or more restrictive than, those imposed on Amplitude under this DPA.
10. Current Subprocessors are listed in Schedule C (the “Subprocessor List”). When any new Subprocessor is to be engaged, Amplitude will notify Customer by email to the Designated Address at least ten (10) business days prior to giving the Subprocessor access to the Personal Data.
11. If Customer has a reasonable objection relating to data protection to the new Subprocessor, and notifies Amplitude in writing of such objection within thirty (30) days of Amplitude’s notice of the new Subprocessor, Amplitude will use reasonable efforts to make available a change in the Services or Customer’s use of the Services to avoid Processing of Personal Data by the new Subprocessor objected to by Customer. If Amplitude is unable to make available such change within a reasonable time, and it can be reasonably demonstrated to Amplitude that the new Subprocessor is unable to process Customer’s Personal Data in compliance with the terms of this DPA or Applicable Law, then Customer may terminate Customer’s subscription to the Services that cannot be provided without use of the new Subprocessor, effective on a Customer-specified date, by providing written notice of the termination and its basis. Promptly after termination, Amplitude will refund on a pro-rata basis any prepaid fees covering the remainder of the subscription term specified in the applicable Order Form following the effective date of termination. Customer is deemed to consent to the new Subprocessor if Customer does not timely object to the new Subprocessor.
12. Amplitude remains liable for its Subprocessors’ acts and omissions to the same extent Amplitude is liable for its own, consistent with the limitations of liability set forth in the Agreement or this DPA.
13. The parties agree that any audit rights provided under the terms of this DPA do not extend to Amplitude’s Subprocessors’ facilities.
Assistance Responding to Individuals’ Requests to Exercise Rights
14. Amplitude will reasonably and timely assist Customer with the fulfilment of Customer’s obligation to honor and respond to requests by individuals to exercise their Personal Data-related rights under the GDPR or other Applicable Law (a “Data Subject Request”), such as rights to access, correct, or delete their Personal Data, insofar as technically possible.
15. If Amplitude receives a Data Subject Request or a complaint from an individual or their representative and the communication identifies Customer (or if Amplitude is aware that the communication pertains to the Personal Data Amplitude Processes for Customer), Amplitude will forward the communication to Customer at the Designated Address:
- a. as soon as commercially practicable; but
- b. no later than within three (3) business days of receipt if the communication arrives via privacy@amplitude.com or any other contact method specified in Amplitude’s then-current publicly available Privacy Notice.
Personal Data Breach Notification
16. Amplitude will comply with the Personal Data Breach-related obligations applicable to it under the GDPR and other Applicable Law. Amplitude will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach impacting Customer and by otherwise complying with this Personal Data Breach Notification section of this DPA.
17. Amplitude will provide such notification to Customer at the Designated Address.
18. Such notification shall not be construed as an acknowledgement of fault or responsibility. The notification will include Amplitude’s then-current assessment of the following, which may be based on incomplete information:
- a. The nature of the Personal Data Breach including, where possible, the categories and approximate number of individuals or data subjects concerned and the categories and approximate number of Personal Data records concerned;
- b. The likely consequences of the Personal Data Breach; and
- c. Measures taken and/or proposed to be taken by Amplitude to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
19. Amplitude will provide Customer prompt updates to such information as it becomes available.
Assistance with DPIAs and Consultation with Supervisory Authorities
20. Amplitude will provide reasonable assistance to and cooperation with Customer for (i) Customer’s performance of any data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Amplitude, and (ii) related consultation with supervisory authorities, either or both of which Customer reasonably considers to be required of Customer by Applicable Law.
Data Return and Destruction
21. Amplitude will destroy all Personal Data within 30 days of termination of the Agreement (including on all Subprocessor systems), except to the extent Applicable Law or other law requires storage of the Personal Data or retention of the Personal Data by Amplitude is necessary to resolve a dispute between the parties.
22. In the event of such legally required retention of the Personal Data, (i) Amplitude will inform Customer as soon as legally permitted, (ii) Amplitude will retain only Personal Data that it is legally required to retain and will retain it only as long as is legally required, (iii) during the retention period, Amplitude will continue to comply with this DPA with respect to the Personal Data, to the extent legally permitted, and (iv) Amplitude will destroy the Personal Data and inform Customer of such destruction as soon as legally permissible.
23. If requested by Customer in writing within 10 days after the termination of this Agreement, Amplitude will first return a copy of the Personal Data to Customer in any reasonably requested format before the destruction described above.
24. Upon Customer’s written request, Amplitude will provide certification of the destruction and/or return of Personal Data within ten (10) business days of completing such destruction or return of Personal Data.
Compliance Verification and Audits
25. Amplitude undergoes annual audits against known, established industry standards performed by external auditors. Upon Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Amplitude will provide Customer with such audit reports or certificates applicable to the Services (e.g., SOC 2 report, ISO certificates), or such other information reasonably necessary to demonstrate compliance with this DPA.
26. Upon Customer’s written request, Amplitude will also allow for and contribute to Customer’s audit of Amplitude’s applicable controls, including inspection of Amplitude’s physical facility, provided such audit is i) conducted by Customer or a third party auditor designated by Customer that has executed an appropriate confidentiality agreement with Amplitude, ii) Customer and Amplitude mutually agree on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to such audit, and iii) a similar audit has not already been conducted less than twelve (12) months prior, unless there are indications of non-compliance and/or it is required or requested by a Supervisory Authority or other similar regulatory authority responsible for the enforcement of Applicable Law.
Data Transfers
27. Customer authorizes Amplitude to make international transfers of the Personal Data only if (i) Applicable Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.
28. To the extent required under UK Data Protection Law,
- a. the 2010 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows:
  - i. The “exporter” is the Customer, and the exporter’s contact information is set forth in Schedule A below.
  - ii. The “importer” is Amplitude, and Amplitude’s contact information is set forth in Schedule A below.
  - iii. Where Clause 9 of the 2010 Standard Contractual Clauses requires specification of the law that governs the 2010 Standard Contractual Clauses, the Parties select the law of the United Kingdom.
  - iv. The “illustrative indemnification clause” labeled “optional” does not apply.
  - v. Appendices 1 and 2 of the 2010 Standard Contractual Clauses are set forth in Schedule A below.
  - vi. By entering into this DPA, the Parties are deemed to be signing the 2010 Standard Contractual Clauses and its applicable Appendices.
- b. To provide additional safeguards, the obligations in Module 2 of Section III of the 2021 Standard Contractual Clauses (Local Laws and Obligations in Case of Access by Public Authorities) shall form part of this DPA with respect to Personal Data subject to UK Data Protection Law, regardless of whether the rest of the 2021 Standard Contractual Clauses apply to any Personal Data.
29. To the extent otherwise legally required, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows:
- a. Customer acts as a controller and Amplitude acts as Customer’s processor with respect to the Personal Data subject to the 2021 Standard Contractual Clauses, and its Module 2 (Controller to Processor) applies.
- b. Clause 7 (the optional docking clause) does not apply.
- c. Under Clause 9 (Use of subprocessors), the parties select Option 2 (General written authorization). The current list of Subprocessors is set forth below in Schedule C of this DPA. Amplitude shall update the list at least ten (10) business days in advance of any intended additions or replacements of subprocessors.
- d. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
- e. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the Netherlands.
- f. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the Netherlands.
- g. Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule B of the DPA.
- h. Annex III of the 2021 Standard Contractual Clauses (Subprocessor List) is set forth in Schedule C of the DPA.
Miscellaneous
30. This DPA survives termination of the Agreement for so long as Amplitude continues to Process such Personal Data or until such Personal Data has been deleted or returned to Customer.
31. If there is a conflict between any provision of the Agreement and this DPA, this DPA shall control.
32. Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s liability, taken together in the aggregate, arising out of or relating to this DPA, the SCCs, and any other data protection agreements signed by the parties (“Ancillary Agreement”) in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, is subject to the limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, this DPA and Ancillary Agreement (if any) together.
33. This DPA supersedes and replaces all previous written and oral agreements, communications and other understandings related to the subject matter of this DPA.
Schedule A to DPA
Appendices 1 and 2 to the 2010 Standard Contractual Clauses
APPENDIX 1 TO THE 2010 STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
The data exporter is the legal entity executing the Agreement as Customer, and who is engaging Amplitude to provide the cloud-based digital optimization services, defined in the Agreement as “Services.”
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
The data importer is Amplitude, the provider of the Services, as defined in the Agreement. Amplitude’s entity and contact details are set forth in the Agreement.
Data subjects
The Personal Data transferred concern the following categories of data subjects (please specify):
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include the Personal Data of Customer’s end users of mobile and web applications, as well as Customer’s authorized users of the Services.
Categories of data
The Personal Data transferred concern the following categories of data (please specify):
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and may include the following categories of Personal Data:
- information about end users (e.g., names, email addresses, and telephone numbers) and their website and application browsing activity, history, location, and device information (e.g., device identifiers (not Apple ID), operating system, and IP addresses); and
- information about Customer’s users and device information.
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
None, unless the Agreement specifically permits the transfer of such data.
Processing operations (including subject matter, nature, purpose and duration of Processing)
The Personal Data transferred will be subject to the following basic processing activities (please specify):
Amplitude will Process Personal Data in its performance of the Services pursuant to the Agreement and this DPA, as deemed requested and instructed by Customer by execution of the Agreement.
APPENDIX 2 TO THE 2010 STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Amplitude, the data importer, will implement and maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services by Customer, the data exporter. For a description of these technical and organizational security measures, see Schedule B, Annex II.
Schedule B to the DPA
Annexes I and II of the 2021 Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
The data exporter is the legal entity executing the Agreement as Customer, and who is engaging Amplitude to provide the cloud-based digital optimization services, defined in the Agreement as “Services.”
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
The data importer is Amplitude, the provider of the Amplitude Services, as defined in the Agreement. Amplitude’s entity and contact details are set forth in the Agreement.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include the Personal Data of Customer’s end users of mobile and web applications, as well as Customer’s authorized users of the Services.
Categories of personal data transferred:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and may include the following categories of Personal Data:
- information about end users (e.g., names, email addresses, and telephone numbers) and their website and application browsing activity, history, location, and device information (e.g., device identifiers (not Apple ID), operating system, and IP addresses); and
- information about Customer’s users and device information.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
No sensitive data shall be submitted to the Services, unless the Agreement specifically permits the transfer of such data subject to any applicable restrictions and/or conditions, and even then, the extent of such transfer is determined and controlled by Customer in its sole discretion.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Notwithstanding termination of the Agreement, Amplitude will Process Customer Personal Data continuously, until deletion of all Customer Personal Data as described in this DPA.
Nature of the processing:
Amplitude will Process Personal Data in its performance of Services pursuant to the Agreement and this DPA, and to comply with Customer’s request and instruction to do so provided by Customer’s execution of the Agreement.
Purpose(s) of the data transfer and further processing:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, for Amplitude’s provision of the Services, as described in the Agreement and in further documented, reasonable instructions from Customer specifically agreed upon by the parties.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
(For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing)
The period for which Customer’s Personal Data will be retained in the Services is determined by Customer during the term of the Agreement. Upon termination of the Agreement, Customer may retrieve or delete its Personal Data as set forth in the Agreement and this DPA and Amplitude will destroy (including on all Subprocessor systems) Customer’s Personal Data within the timeline described in this DPA.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13:
Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to Amplitude upon request.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Amplitude, the data importer, maintains administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services by Customer, the data exporter. Amplitude’s information security program is designed in accordance with ISO 27001, an industry-recognized gold standard, and is described in more detail below. Amplitude may review and update these security standards from time to time, provided that any such update shall not materially diminish the overall security of the Services or Customer’s Personal Data during the term of the Agreement.
Amplitude’s security controls are designed to address its posture as a cloud-based platform as a service (PaaS) provider. The following concepts apply to Amplitude’s platform and its provision of the Services and are contextually important to understanding Amplitude’s security controls.
Amplitude is data neutral and data agnostic: The Amplitude PaaS does not know what data customers choose to send to the platform and will process all data regardless of its nature as long as it fits the predefined characteristics that allow it to be processed. Amplitude does not make any data-based decisions other than following customers’ instructions as they configure the platform to perform their desired operations. Once data is processed by the Amplitude platform, it is stripped of unnecessary information, and made computationally difficult to separate into the original event state. Recovering a structured dataset tied to a specific individual is computationally difficult.
No employee access: Amplitude employees do not directly access customer Personal Data as part of their normal job duties, except as necessary to provide the Services or to provide support to a customer upon a customer’s request. Only the Amplitude platform interacts with such data, and only according to the programmatic instructions provided by each Amplitude customer with respect to its data.
Data immutability: Customer raw data feeds are preserved in their original state, in encrypted form, in customer-specific S3 buckets, and Customer Data is logically separated using multiple techniques. Such feeds can be removed at any time upon request.
Security Program: Amplitude’s PaaS is designed according to established industry best security practices, and includes many technical and administrative security controls, including, without limitation:
- Audits and Certifications: Amplitude’s information security program is assessed annually by independent third-party auditors as described in its SOC2 audit report, ISO 27001 certification, ISO 27018 certification, and other reports. Amplitude’s annual SOC2 and other such reports are available to customers upon request.
- Secure data centers: Amplitude’s PaaS is fully embedded within Amazon’s AWS platform. For more information about Amazon’s AWS security, refer to
- Information Security Policy: Amplitude has developed and implemented, and will maintain, security policies that govern all relevant aspects of its security program, and are aligned with SOC2 and ISO 27001 requirements. The Information Security Policy may be made available to customers upon request.
- Encryption:
  - Amplitude maintains a secure environment for the transmission of customers’ Personal Data, utilizing encryption consistent with industry standard practices such as Federal Information Processing Standards FIPS 140-2 and/or NIST SP800-52 and utilizing industry accepted encryption technologies such as server certificate-based authentication within the Amplitude environment.
  - Amplitude maintains a secure environment for the storage of customers’ Personal Data, utilizing encryption consistent with industry standard practices such as Federal Information Processing Standards FIPS 140-2 and/or NIST SP800-52 and encrypting data at rest using AES-256.
- Access Controls:
  - Amplitude personnel access the Amplitude PaaS via unique user IDs, and are required to authenticate through VPN and multi-factor authentication.
  - Amplitude personnel access customer Personal Data as necessary to provide the Services under the Agreement, to provide customer support upon a customer’s request, or to comply with the law or a binding order of a governmental body.
- Vulnerability Detection and Management:
  - Anti-Virus and Vulnerability Detection: Amplitude leverages threat detection tools to monitor and alert Amplitude to suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Amplitude does not monitor Customer Data for Malicious Code.
  - Penetration Testing and Vulnerability Detection: Amplitude regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Services at least annually.
  - Vulnerability Management: Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Services.
- Endpoint Controls: Amplitude logically separates its endpoints and end user environment from its PaaS environment. Multi-factor authentication is required to access the AWS environment.
- Monitoring and Logging: Amplitude monitors its PaaS environment 24/7/365 and centralizes its logs.
  - Anomalies are investigated and prioritized on a 24/7/365 basis.
- Program Testing: Amplitude regularly tests and evaluates its security program.
- Administrative Controls:
  - Personnel Security: Amplitude requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by Applicable Law.
  - Personnel Training: Amplitude maintains a documented awareness and training program for its personnel, including but not limited to onboarding and annual training.
  - Personnel Agreements: Amplitude personnel are required to sign confidentiality agreements and to acknowledge Amplitude’s Information Security Policy.
  - Personnel Access Reviews and Separation: Amplitude reviews the access privileges of its personnel to the Amplitude PaaS at least quarterly, and removes access on a timely basis for all separated personnel.
- Physical & Environmental Controls:
  - Data Centers: Amplitude hosts all Customer Data in Amazon AWS. Amplitude regularly reviews Amazon’s physical and environmental controls for its relevant data centers, as audited by Amazon’s third-party auditors. Such controls include, but are not limited to:
    - Physical access to the facilities is controlled at the building ingress points;
    - Visitors are required to present ID and are signed in;
    - Physical access to servers is managed by access control devices;
    - Physical access privileges are reviewed regularly;
    - Facilities utilize monitor and alarm procedures;
    - Fire detection and protection systems;
    - Power back-up and redundancy systems; and
    - Climate control systems.
  - Amplitude Corporate Offices: While Customer Data is not hosted at Amplitude’s corporate offices, Amplitude’s technical, administrative, and physical controls for its corporate offices are covered by its ISO 27001 certification and include, but are not limited to, the following:
    - Physical access to the corporate offices is controlled at office ingress points;
    - Badge access is required for all personnel and badge privileges are reviewed regularly;
    - Visitors are required to sign in;
    - Tagging and inventory of Amplitude-issued laptops and network assets;
    - Fire detection and sprinkler systems; and
    - Climate control systems.
- Incident Detection and Response: Amplitude’s incident response process is designed to address all legal, contractual, and regulatory requirements.
  - Security Incident Reporting: If Amplitude becomes aware of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (“Security Incident”), Amplitude will notify impacted customers without undue delay and in accordance with its contractual obligations and Amplitude’s commitments in this DPA.
  - Investigation: In the event of a Security Incident, Amplitude shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
  - Communication and Cooperation: Amplitude’s notice to impacted customers shall include, but not be limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Amplitude to mitigate or contain the Security Incident, the status of Amplitude’s investigation, and the categories and approximate number of data records concerned. Communications by or on behalf of Amplitude in connection with a Security Incident are not an acknowledgement by Amplitude of fault or liability with respect to the Security Incident.
Schedule C to the DPA
Subprocessor List