Data Processing Addendum
ARCHIVED VERSION: October 3, 2023
This Data Processing Addendum (this “DPA”) is incorporated into and forms part of the Main Service Agreement or Order Form, or other written or electronic agreement between Customer and Amplitude, which governs Customer’s use of the Services (as applicable, “Agreement”). To the extent there is any conflict between the terms of this DPA and the other terms of the Agreement, this DPA will govern.
Definitions
1. In this DPA:
“2021 Standard Contractual Clauses” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
“Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) Amplitude as provider of the Services or (ii) Customer as user of the Services. For example, to the extent applicable, this includes the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (“UK Data Protection Law”), the California Consumer Privacy Act and associated regulations, as may be amended from time to time (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”).
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce.
“Designated Address” means Customer’s email address for legal notices set forth in the Order Form or the email address in Customer’s account information on record.
“Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies).
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or other Processing of, or access to, Personal Data.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Subprocessor” means a subcontractor engaged by Amplitude for the Processing of Personal Data.
“UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner under S119A(1) Data Protection Act 2018, Version B1.0 available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
2. For ease of reading, some other terms are defined later in the DPA. Capitalized terms used but not otherwise defined in the DPA will have the meaning set forth in the Agreement.
Scope, Relationship of the Parties, and Data Use Limitations
3. This DPA applies only to the extent that Amplitude Processes Personal Data that Customer submits to Amplitude as part of the Services, where such data is Customer Data.
4. Unless required by Applicable Law, Amplitude will Process the Personal Data only to: (i) perform the Services for Customer pursuant to the Agreement; (ii) comply with this DPA; and (iii) carry out Customer’s reasonable written instructions that are consistent with the Agreement and this DPA. Without limiting the foregoing, (i) Amplitude shall not “sell” or “share” the Personal Data, as such terms are defined in the CCPA, unless expressly directed to do so by Customer; (ii) Amplitude shall not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Amplitude; and (iii) in no event shall Amplitude attempt to link, identify, or otherwise create a relationship between Personal Data and non-Customer Personal Data or any other data without the express authorization of Customer. Amplitude hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
5. If Amplitude receives a demand under Applicable Law to engage in Processing not permitted by the above, Amplitude shall attempt to redirect the demand to Customer and Customer agrees Amplitude may provide information as reasonably necessary for such redirect. If Amplitude cannot redirect the demand to Customer, Amplitude shall, to the extent legally permitted to do so, provide Customer reasonable notice of the demand as promptly as possible under the circumstances. This section does not diminish Amplitude’s obligations under the 2021 Standard Contractual Clauses or the UK Addendum with respect to access by public authorities.
6. With respect to Personal Data, the parties acknowledge and agree that Customer is the “Controller” and Amplitude is Customer’s “Processor” as such terms are defined in the GDPR (regardless of whether the GDPR applies). For clarity, with respect to CCPA, Amplitude is Customer’s “Service Provider” as defined therein.
Confidentiality and Training
7. Amplitude will ensure that the persons Amplitude authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data. Amplitude will train relevant employees regarding privacy, confidentiality, and data security.
Security
8. Amplitude will comply with the security obligations of the GDPR and other laws applicable to Amplitude’s Processing of Personal Data. Amplitude will assist Customer in Customer’s compliance with such obligations by implementing technical and organizational measures summarized in Schedule A. Amplitude may make future replacements or updates to the measures, so long as the measures do not materially diminish the level of security provided for the Customer’s Personal Data.
Subprocessors
9. Customer provides general authorization to Amplitude’s use of Subprocessors to Process Personal Data in compliance with Applicable Law regarding subprocessing, including GDPR Art. 28. Amplitude shall impose contractual obligations on its Subprocessor that are substantially the same as, or more restrictive than, those imposed on Amplitude under this DPA to the extent applicable to the nature of the services provided by the Subprocessor.
10. Amplitude’s current Subprocessors are listed in Schedule B (the “Subprocessor List''). When any new Subprocessor is to be engaged, Amplitude will update its list of Subprocessors to include the new Subprocessor at least ten (10) business days prior to giving the Subprocessor access to the Personal Data. If Customer would like to receive email notification of such updates, please contact subprocessor.notifications@amplitude.com to subscribe to such update.
11. If Customer has a reasonable objection relating to data protection to the new Subprocessor, and notifies Amplitude in writing of such objection within thirty (30) days of Amplitude’s notice of the new Subprocessor, Amplitude will use reasonable efforts to make available a change in the Services or Customer’s use of the Services to avoid Processing of Personal Data by the new Subprocessor objected to by Customer. If Amplitude is unable to make available such change within a reasonable time, and it can be reasonably demonstrated to Amplitude that the new Subprocessor is unable to process Customer’s Personal Data in compliance with the terms of this DPA or Applicable Law, then Customer may terminate Customer’s subscription to the Services that cannot be provided without use of the new Subprocessor, effective on a Customer-specified date, by providing written notice of the termination and its basis. Promptly after termination, Amplitude will refund on a pro-rata basis any prepaid fees covering the remainder of the subscription term specified in the applicable Order Form following the effective date of termination. Customer is deemed to consent to the new Subprocessor if Customer does not timely object to the new Subprocessor.
12. Amplitude remains liable for its Subprocessors’ acts and omissions from or related to this DPA to the same extent Amplitude is liable for its own, consistent with the limitations of liability set forth in the Agreement or this DPA.
13. The parties agree that any audit rights provided under the terms of this DPA do not extend to Amplitude’s non-affiliated Subprocessors’ facilities.
Assistance Responding to Individuals’ Requests to Exercise Rights
14. Amplitude will reasonably and timely assist Customer with the fulfillment of Customer’s obligation to honor and respond to requests by individuals to exercise their Personal Data-related rights under the GDPR or other Applicable Law (a “Data Subject Request”), such as rights to access, correct, or delete their Personal Data, insofar as technically possible.
15. If Amplitude receives a Data Subject Request or a complaint from an individual or their representative and the communication identifies Customer (or if Amplitude is aware that the communication pertains to the Personal Data Amplitude Processes for Customer), Amplitude will forward the communication to Customer at the Designated Address:
- a. as soon as commercially practicable; but
- b. no later than three (3) business days of receipt if the communication arrives via privacy@amplitude.com or any other contact method specified in Amplitude’s then-current publicly available Privacy Notice.
Personal Data Breach Notification
16. Amplitude will comply with the Personal Data Breach-related obligations applicable to it under the GDPR and other Applicable Law. Amplitude will assist Customer in complying with those applicable to Customer by informing Customer of a Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach impacting Customer and by otherwise complying with this Personal Data Breach Notification section of this DPA.
17. Amplitude will provide such notification to Customer at the Designated Address.
18. Such notification shall not be construed as an acknowledgement of fault or responsibility. The notification will include Amplitude’s then-current assessment of the following, which may be based on incomplete information:
- a. The nature of the Personal Data Breach including, where possible, the categories and approximate number of individuals or data subjects concerned and the categories and approximate number of Personal Data records concerned;
- b. The likely consequences of the Personal Data Breach; and
- c. Measures taken and/or proposed to be taken by Amplitude to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
19. Amplitude will provide Customer prompt updates to such information as it becomes available.
Assistance with DPIAs and Consultation with Supervisory Authorities
20. Amplitude will provide reasonable assistance to and cooperation with Customer for (i) Customer’s performance of any data protection impact assessment of the Processing or proposed Processing of Personal Data involving Amplitude, and (ii) related consultation with supervisory authorities, either or both of which Customer reasonably considers to be required of Customer by Applicable Law.
Data Return and Destruction
21. Amplitude shall make available to Customer all Personal Data stored within the Services for thirty (30) days after termination or expiration of the Agreement (“Data Retrievability Period”). After the Data Retrievability Period, Amplitude will promptly destroy all Personal Data (including on all Subprocessor systems), except to the extent Applicable Law or other law requires storage of the Personal Data or retention of the Personal Data by Amplitude is necessary to resolve a dispute between the parties.
22. In the event of such legally required retention of the Personal Data, (i) Amplitude will inform Customer as soon as legally permitted, (ii) Amplitude will retain only Personal Data that it is legally required to retain and will retain it only as long as is legally required, (iii) during the retention period, Amplitude will continue to comply with this DPA with respect to the Personal Data, to the extent legally permitted, and (iv) Amplitude will destroy the Personal Data and inform Customer of such destruction as soon as legally permissible.
23. Upon Customer’s written request, Amplitude will provide certification of the destruction and/or return of Personal Data within ten (10) business days of completing such destruction or return of Personal Data.
Compliance Verification and Audits
24. Amplitude is audited annually against known, established industry standards performed by external auditors. Upon Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Amplitude will provide Customer with such audit reports or certificates applicable to the Services (e.g., SOC 2 report, ISO certificates), to the extent available, or such other information reasonably necessary to demonstrate compliance with this DPA.
25. Upon Customer’s written request, Amplitude will also allow for and contribute to Customer’s audit of Amplitude’s applicable controls, including inspection of Amplitude’s physical facility, provided such audit is i) conducted by Customer or a third party auditor designated by Customer that has executed an appropriate confidentiality agreement with Amplitude, ii) Customer and Amplitude mutually agree on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to such audit, and iii) a similar audit has not already been conducted less than twelve (12) months prior, unless there are indications of non-compliance and/or it is required or requested by a Supervisory Authority or other similar regulatory authority responsible for the enforcement of Applicable Law.
Data Transfers
26. To protect transfers of Personal Data out of the European Economic Area and its member states, the United Kingdom, and/or Switzerland, Customer authorizes Amplitude to make international transfers of the Personal Data in accordance with one of the following transfer mechanisms. The transfer of Personal Data will be subject to a single transfer mechanism, as applicable, in the following order of precedence: (a) in accordance with the Data Privacy Framework, provided Amplitude is self-certified under the Data Privacy Framework and the Data Privacy Framework remains a lawful transfer mechanism; then (b) subject to the 2021 Standard Contractual Clauses and the UK Addendum, as appropriate. By entering into this DPA, the parties are deemed to be signing the 2021 Standard Contractual Clauses and UK Addendum.
27. To the extent required under GDPR, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA for such transfer to the extent of any conflict, and they will be deemed completed as follows:
- a. Customer acts as controller and Amplitude acts as Customer’s processor with respect to the Personal Data subject to the 2021 Standard Contractual Clauses, and its Module 2 (Controller to Processor) applies.
- b. Clause 7 (the optional docking clause) does not apply.
- c. Under Clause 9 (Use of subprocessors), the parties select Option 2 (General written authorization). The current list of Subprocessors is set forth below in Schedule B of this DPA. Amplitude shall update the list at least ten (10) business days in advance of any intended additions or replacements of subprocessors.
- d. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
- e. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the Netherlands.
- f. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the Netherlands.
- g. Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule A of the DPA.
- h. Annex III of the 2021 Standard Contractual Clauses (Subprocessor List) is set forth in Schedule B of the DPA.
28. To the extent required under UK Data Protection Law, the UK Addendum forms part of this DPA and takes precedence over the rest of this DPA for such transfer to the extent of any conflict, and it will be deemed completed as follows:
- a. The “exporter” is the Customer, and the exporter’s contact information is set forth in Schedule A below.
- b. The “importer” is Amplitude, and Amplitude’s contact information is set forth in Schedule A below.
- c. The Approved EU SCCs described in Table 2 of the UK Addendum shall be the 2021 Standard Contractual Clauses as completed in Section 27 above.
- d. Annex 1A and 1B of the UK Addendum are set forth in Schedule A of the DPA.
- e. Annex II of the UK Addendum is set forth in Annex II of Schedule A of the DPA.
- f. Annex III of the UK Addendum is set forth in Schedule B of the DPA.
- g. Exporter and importer may end the UK Addendum as described in Table 4 of the UK Addendum.
29. Where a transfer of Personal Data is made from Switzerland, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA for such transfer to the extent of any conflict, and they will be deemed completed in accordance with Section 27 except that:
- a. Under Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commission to the extent that the transfer is governed by the Swiss Federal Act on Data Protection.
- b. References to “Member State” in the 2021 Standard Contractual Clauses refer to Switzerland, and data subjects may exercise and enforce their rights under the 2021 Standard Contractual Clauses in Switzerland.
- c. References to GDPR in the 2021 Standard Contractual Clauses refer to the Swiss Federal Act on Data Protection (as amended and replaced).
Miscellaneous
30. This DPA survives termination of the Agreement for so long as Amplitude continues to Process such Personal Data or until such Personal Data has been deleted or returned to Customer.
31. If there is a conflict between any provision of the Agreement and this DPA, this DPA shall control.
32. Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s liability, taken together in the aggregate, arising out of or relating to this DPA the SCCs, and any other data protection agreements or security addendum signed by the parties (“Ancillary Agreement”) in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, is subject to the limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, this DPA and Ancillary Agreement (if any) together.
33. This DPA supersedes and replaces all previous written and oral agreements, communications and other understandings related to the subject matter of this DPA.
Schedule A to DPA
Annexes I and II of the 2021 Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
The data exporter is the legal entity executing the Agreement as Customer, and who is engaging Amplitude to provide the cloud-based digital optimization services, defined in the Agreement as “Services.”
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
The data importer is Amplitude, the provider of the Amplitude Services, as defined in the Agreement. Amplitude’s entity and contact details are set forth in the Agreement.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include the Personal Data of Customer’s end users of mobile and web applications.
Categories of personal data transferred:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and may include information about Customer’s end users (e.g., names, email addresses, and telephone numbers) and their website and application browsing activity, session replays, login history, location, and device information (e.g., device identifiers (not Apple ID), operating system, and IP addresses).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
No sensitive data shall be submitted to the Services, unless the Agreement or any Ancillary Agreement specifically permits the transfer of such data subject to any applicable restrictions and/or conditions, and even then, the extent of such transfer is determined and controlled by Customer in its sole discretion.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Notwithstanding termination of the Agreement, and to the extent submitted to the Services by Customer, Amplitude will Process Customer Personal Data continuously, until deletion of all Customer Personal Data as described in this DPA.
Nature of the processing:
Amplitude will Process Personal Data in its performance of Services pursuant to the Agreement and this DPA, and to comply with Customer’s request and instruction to do so provided by Customer’s execution of the Agreement.
Purpose(s) of the data transfer and further processing:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, for Amplitude’s provision of the Services, as described in the Agreement and further documented, reasonable instructions from Customer specifically agreed upon by the parties.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
(For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing)
The period for which Customer’s Personal Data will be retained in the Services is determined by Customer during the term of the Agreement. Upon termination of the Agreement, Customer may retrieve its Personal Data as set forth in the Agreement and this DPA and Amplitude will destroy (including on all Subprocessor systems) Customer’s Personal Data within the timeline described in this DPA.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13:
Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to Amplitude upon request.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Amplitude, the data importer, maintains administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services by Customer, the data exporter. Amplitude’s information security program is designed in accordance with ISO 27001, an industry recognized gold standard and is described in more detail below. Amplitude may review and update these security standards from time to time, provided that any such update shall not materially diminish the overall security of the Customer’s Personal Data during the term of the Agreement.
Amplitude’s security controls are designed to address its posture as a cloud-based platform as a service (PaaS) provider. The following concepts apply to Amplitude’s platform and its provision of the Services and are contextually important to understanding Amplitude’s security controls.
Amplitude is data neutral and data agnostic: The Amplitude PaaS does not know what data customers choose to send to the platform and will process all data regardless of its nature as long as it fits the predefined characteristics that allow it to be processed. Amplitude does not make any data-based decisions other than following customers’ instructions as they configure the platform to perform their desired operations.
No employee access: Amplitude employees do not directly access Customer Personal Data as part of their normal job duties, except as necessary to provide the Services or to provide support to a customer upon a customer’s request, or to comply with the law or a binding order of a governmental body. Only the Amplitude platform interacts with such data, and only according to the programmatic instructions provided by each Amplitude customer with respect to its data.
Security Program: Amplitude’s PaaS is designed according to established industry best security practices, and includes many technical and administrative security controls, including, without limitation:
- Audits and Certifications: Amplitude’s information security program is assessed annually by independent third-party auditors as described in its SOC2 audit report, ISO 27001 certification, ISO 27018 certification, and other reports. Amplitude’s annual SOC2 and other such reports are available to customers upon request.
- Secure data centers: Amplitude’s PaaS is fully embedded within Amazon’s AWS platform. For more information about Amazon’s AWS security, refer to https://aws.amazon.com/security/.
- Information Security Policy: Amplitude has developed and implemented, and will maintain, security policies that govern all relevant aspects of its security program, and are aligned with SOC2 and ISO 27001 requirements. The Information Security Policy may be made available to customers upon request.
- Encryption:
- Amplitude utilizes encryption consistent with industry standard practices such as Federal Information Processing Standards FIPS 140-2 and/or NIST SP800-52.
- Customer Data is logically separated and stored in encrypted form in Amplitude's AWS environment.
- Access Controls:
- Amplitude personnel are required to authenticate through VPN and multi-factor authentication to access the Amplitude PaaS.
- Amplitude personnel access customer Personal Data as necessary to provide the Services under the Agreement, to provide customer support upon a customer’s request, or to comply with the law or a binding order of a governmental body.
- Vulnerability Detection and Management:
- Anti-Virus and Vulnerability Detection: Amplitude leverages threat detection tools to monitor and alert Amplitude to suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Amplitude does not monitor Customer Data for Malicious Code.
- Penetration Testing and Vulnerability Detection: Amplitude regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Services at least annually.
- Vulnerability Management: Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Services.
- Endpoint Controls: Amplitude logically separates its endpoints and end user environment from its PaaS environment. Multi-factor authentication is required to access the AWS environment.
- Monitoring and Logging: Amplitude monitors its PaaS environment 24/7/365 and centralizes its logs. Anomalies are investigated and prioritized on a 24/7/365 basis.
- Program Testing: Amplitude regularly tests and evaluates its security program.
- Administrative Controls:
- Personnel Security: Amplitude requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by Applicable Law.
- Personnel Training: Amplitude maintains a documented awareness and training program for its personnel, including but not limited to onboarding and annual training.
- Personnel Agreements: Amplitude personnel are required to sign confidentiality agreements and to acknowledge Amplitude’s Information Security Policy.
- Personnel Access Reviews and Separation: Amplitude reviews the access privileges of its personnel to the Amplitude PaaS at least quarterly, and removes access on a timely basis for all separated personnel.
- Physical & Environmental Controls:
- Data Centers: Amplitude hosts all Customer Data in Amazon AWS. Amplitude regularly reviews Amazon’s physical and environmental controls for its relevant data centers, as audited by Amazon’s third-party auditors. Such controls include, but are not limited to:
- Physical access to the facilities is controlled at the building ingress points;
- Visitors are required to present ID and sign in;
- Physical access to servers is managed by access control devices;
- Physical access privileges are reviewed regularly;
- Facilities utilize monitor and alarm procedures;
- Fire detection and protection systems;
- Power back-up and redundancy systems; and
- Climate control systems.
- Amplitude Corporate Offices: While Customer Data is not hosted at Amplitude’s corporate offices, Amplitude’s technical, administrative, and physical controls for its corporate offices are covered by its ISO 27001 certification and include, but are not limited to, the following:
- Physical access to the corporate offices are controlled at office ingress points;
- Badge access is required for all personnel and badge privileges are reviewed regularly;
- Visitors are required to sign in;
- Tagging and inventory of Amplitude-issued laptops and network assets;
- Fire detection and sprinkler systems; and
- Climate control systems.
- Data Centers: Amplitude hosts all Customer Data in Amazon AWS. Amplitude regularly reviews Amazon’s physical and environmental controls for its relevant data centers, as audited by Amazon’s third-party auditors. Such controls include, but are not limited to:
- Incident Detection and Response: Amplitude’s incident response process is designed to address all legal, contractual, and regulatory requirements.
- Security Incident Reporting: If Amplitude becomes aware of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Incident”), Amplitude will notify impacted customers without undue delay and in accordance with its contractual obligations and Amplitude’s commitments in this DPA.
- Investigation: In the event of a Security Incident, Amplitude shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
- Communication and Cooperation: Amplitude’s notice to impacted customers shall include, but not be limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Amplitude to mitigate or contain the Security Incident, the status of Amplitude’s investigation, and the categories and approximate number of data records concerned. Communications by or on behalf of Amplitude in connection with a Security Incident are not an acknowledgement by Amplitude of fault or liability with respect to the Security Incident.
Schedule B to the DPA
Subprocessor List
To deliver the Services, Amplitude may use the following Subprocessors to Process Customer Data:
Depending on the geographic location of Customer or its users, Amplitude may also engage one or more of the following Amplitude Affiliates as Subprocessors to deliver some or all of the Services provided to Customer: