Security and privacy

This article covers some frequently asked questions about Amplitude's security and privacy policies.

Feature availability

Amplitude has a built-in compliance feature that meets standards for SOC2 Type 2, GDPR, HIPPA, CCPA, and Privacy Shield. It is available to users on Starter, Plus, Growth, and Enterprise plans.

What are the terms of Amplitude's service and privacy policy?

Amplitude provides a secure platform to explore your data, while addressing all relevant legal, industry, and regulatory concerns. The Terms of Service incorporate the Data Processing Addendum for Terms of Service (TOS DPA) and the Acceptable Use Policy (AUP).

The Privacy Notice describes Amplitude’s practices for collecting, storing, using, disclosing, and otherwise processing information in relation to visitors of the Amplitude's website; including our Community Forum and Amplitude Academy (aka, the website); and Amplitude’s marketing activities, customers accessing and using our products or services (collectively, the product).

Note

Read Amplitude's Terms of Service and Privacy Policy carefully to understand the policies and practices regarding your information collected through the website and the product.

For other security and privacy information (GDPR, CCPA, HIPPA, etc.), review Amplitude's Stance on Security & Privacy.

What is the SOC2 report?

The SOC2 is a report on Amplitude’s Description of its Digital Optimization System and on the Suitability of the Design and Operating Effectiveness of Controls Relevant to Security, Availability, and Confidentiality. This is available in Amplitude's Customer Trust Portal.

There you will find the following and more:

SOC2
DPA
ISO certification
Industry Standard Questionnaires (CAIQ)
Privacy Related Information

What is the DPA for paying and non-paying customers?

The Data Processing Addendum for Terms of Service (TOS DPA) is incorporated into and forms part of the Amplitude Terms of Service, or other written or electronic agreement between customer and Amplitude, Inc. which governs customer’s use of the Amplitude Services (as applicable, the in the Terms). Visit the Customer Trust Portal for more information.

There you will find the following:

SOC2
DPA
ISO certification
Industry Standard Questionnaires (CAIQ)
Privacy Related Information

What is the Bug Bounty program?

Amplitude has implemented the following ongoing security procedures:

Automated monthly vulnerability scanning of its source code, application, and infrastructure
Ad hoc scanning and testing of new features and functionality
Annual penetration testing of of the application, as well as the underlying cloud infrastructure by a third party penetration testing agency using traditional penetration testing methodology

Additionally, Amplitude runs a private Bug Bounty program to ensure that security issues are detected and reported as early as possible. All issues identified by any of the sources listed above are triaged, prioritized based on criticality of risk and impact, and remediated within the SLAs defined.

If you are interested in the Bug Bounty program, please reach out to security@amplitude.com for more information on the reward system in place.

Who can I contact for additional information or concerns? For more questions around security and compliance, please feel free to contact security@amplitude.com.

For more questions around privacy, please contact privacy@amplitude.com.

If you want to report any concerns, including fraud, please email reports@lighthouse-services.com and include Amplitude in the report.