Welcome to Amplitude's Customer Trust Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this Customer Trust Portal to learn about our security posture and request access to our security documentation.

Certifications
Trusted by
Documentation
Featured
Subprocessors





Controls
Rigorous user authentication and authorization safeguards restrict system access to the right people at the right time
Encryption and network protections maintain confidentiality and integrity of customer data throughout its lifecycle
Comprehensive policies and tooling give customers control over where, how and how long their personal data is processed
Updates
Controls
Access control
Rigorous user authentication and authorization safeguards restrict system access to the right people at the right time
Corporate and production systems require multi-factor authentication.
Access is assigned by job role to enforce consistent least-privilege access.
Administrative access to systems, databases, networks, and encryption keys is limited to authorized staff with a business need.
Every account has a unique ID, enabling precise accountability for all activity.
A separate team reviews privileged and standard access quarterly to enforce least privilege.
Production access requires multi-factor authentication.
User access is reviewed at least quarterly, with required changes tracked to completion.
Departing personnel lose access within one business day, with the change documented.
Termination checklists ensure departing employees lose access within defined timeframes.
Administrative access to production is available only over a company-managed VPN.
Data security
Encryption and network protections maintain confidentiality and integrity of customer data throughout its lifecycle
Customer data is encrypted at rest across production databases and object storage in both the US and EU regions.
Sensitive data is encrypted in transit over public networks using secure protocols.
Logical isolation keeps each customer's data separate to prevent cross-tenant leakage.
Access to networks, applications, and databases is limited to authorized users.
Only approved ports and protocols can reach production networks, blocking unsolicited traffic.
Data access is restricted to approved applications to prevent access outside defined boundaries.
Workstations block external storage devices unless explicitly approved.
Portable media is encrypted to protect data if a device is lost.
Customer data is encrypted at rest in Statsig's cloud datastores.
Sensitive data is encrypted in transit over public networks, and production systems are accessed only over encrypted connections.
Privacy and data governance
Comprehensive policies and tooling give customers control over where, how and how long their personal data is processed
Information is classified (public, internal, customer, and company data) so protection matches sensitivity.
A standard data processing addendum with current EU standard contractual clauses sets privacy obligations worldwide.
Self-service and API tools let customers delete user records to meet GDPR, CCPA, and similar requirements.
Customer data is handled in accordance with data protection requirements and customer agreements.
Customers can choose US or EU hosting to meet data-residency requirements.
Employees and contractors are required to protect confidential and private information.
Privacy-by-design principles embed data minimization and consent into product development.
Formal policies define retention periods and secure destruction, reviewed at least annually.
Data is automatically deleted once its retention window expires.
A public privacy notice and a dedicated data protection officer contact provide transparency and accountability.
Amplitude is certified under the EU-US, UK Extension, and Swiss-US Data Privacy Frameworks for lawful transfer of personal data to the United States.
Amplitude builds its products in line with HIPAA privacy and security rules and can sign Business Associate Agreements with regulated customers.
Application security
Secure development practices and independent testing uncover and remediate vulnerabilities before they affect customers
A documented secure development lifecycle requires change tracking, testing, and approval for every code change.
A formal secure development lifecycle governs development, maintenance, and changes, including emergency changes.
Every code change requires review and approval by someone other than the author.
Production changes must be authorized, documented, tested, reviewed, and approved before deployment.
Independent penetration testing is performed at least annually, with remediation plans tracked to completion.
An independent firm penetration-tests the production environment at least annually, with findings tracked to remediation.
External-facing systems are continuously scanned for vulnerabilities, including in open-source dependencies, with critical and high findings tracked to remediation.
A public bug bounty program invites the security community to report vulnerabilities.
Continuous scanning flags vulnerable open-source dependencies for prompt patching.
An independent retest of the 2025 assessment confirmed no outstanding vulnerabilities remained.
Security monitoring and logging
Continuous logging, automated detection and alerting provide rapid visibility into anomalous or malicious activity
Production account activity is logged, encrypted, and tamper-evident for audits and investigations.
Centralized log management helps identify and investigate security-relevant events.
Network flow, router, and firewall logs support monitoring and security review.
Network flow and load balancer logs support threat detection and firewall validation.
Real-time monitoring alerts on-call engineers to high-severity events 24/7.
Infrastructure and performance are continuously monitored, with alerts on predefined thresholds.
Access to sensitive logs is reviewed quarterly to confirm only authorized staff can view it.
Applications, databases, and cloud storage are monitored to keep service delivery within commitments.
Automated tooling continuously tracks the status of internal controls to surface gaps early.
Intrusion detection continuously monitors the network for potential breaches.
Incident response
Documented, tested procedures ensure swift containment, resolution and learning from security incidents
A documented plan defines roles, escalation paths, and communications for security events.
A documented plan guides staff in reporting and responding to security and privacy incidents.
Customers report suspected breaches via support channels; staff report through an internal portal for tracking.
Critical events automatically page on-call staff to speed acknowledgment and resolution.
Every incident ends with a root-cause analysis and corrective actions shared with engineering.
The incident response plan is tested at least annually to maintain readiness.
Annual tabletop drills test incident response readiness and surface improvements.
Incidents are logged, tracked, resolved, and communicated to affected parties per documented procedures.
Responsible staff are trained to identify and respond to suspected security incidents.
Business continuity and disaster recovery
Redundant architecture, robust backups and tested plans protect availability and facilitate rapid recovery
Documented business continuity and disaster recovery plans support recovery from disruptions.
Documented disaster recovery and business continuity plans define roles and recovery steps for major disruptions.
The recovery plan is tested at least annually through tabletop exercises.
Production databases are backed up daily and retained for 30 days.
Customer data is backed up to support recovery and service continuity.
Continuous backups allow point-in-time recovery to any second within the last 35 days.
Backups are monitored for completion, and exceptions are troubleshot and rerun.
Recovery procedures and backups are tested each year to confirm they work when needed.
Continuity plans include communication procedures for when key personnel are unavailable.
Employee security
Hiring, training and endpoint protections cultivate a security-minded workforce and resilient devices
Employees and contractors are screened, as permitted by local law, before accessing confidential data.
Employees complete security awareness training within 30 days of hire and at least annually thereafter.
New employees acknowledge the code of conduct at hire.
All personnel attest to a code of conduct that includes information security obligations.
Personnel sign confidentiality agreements during onboarding.
Company laptops enforce disk encryption, strong passwords, and automatic lockout.
Company laptops are managed via MDM with standard security baselines, and unauthorized software installation is blocked.
Employee devices run malware protection and receive current operating system and security updates.
Vendor management
Structured oversight of third-party providers reduces supply-chain and compliance risk
A formal program governs how vendors are evaluated, approved, and monitored.
A formal program classifies vendors by risk and sets due-diligence requirements.
Critical vendors' security and privacy attestations are reviewed annually to confirm ongoing compliance.
New providers undergo due diligence covering security, privacy, compliance, financial viability, and performance.
A published subprocessor list lets customers track third parties, for which Amplitude remains contractually responsible.
An inventory of critical third parties supports oversight of the most important vendors.
Critical third parties are reviewed at least annually against organizational requirements.
Dedicated cyber insurance helps limit the financial impact of a significant security incident.
Vendor agreements include confidentiality obligations before information is shared.
Compliance and governance
Independent attestations and board-level oversight demonstrate a mature, well-governed security program
An annual independent SOC 2 Type II audit covers security, availability, and confidentiality.
An independent SOC 2 Type II audit examined the design and operating effectiveness of security controls over a defined period.
Amplitude contractually commits to GDPR, CCPA, and other key privacy regulations.
Risk assessments are performed at least annually, covering operational, strategic, compliance, fraud, environmental, regulatory, and technological risks.
Internal policies govern the responsible, secure use of AI across the company.
The board or a subcommittee is briefed on cybersecurity risk at least annually.
A board-level committee reviews security and privacy risk at least twice a year.
Control self-assessments are performed at least annually to confirm controls operate effectively.
Information security policies are documented and reviewed at least annually.
Amplitude maintains an ISO/IEC 27001-certified information security management system, extended with ISO/IEC 27017 for cloud security and 27018 for personal data protection.
An independent SOC 1 Type 2 report covers controls relevant to financial reporting.
Amplitude contractually prohibits its AI providers from using customer data to train or improve their models.
Agentic AI features require explicit human approval for consequential actions, respect each user's existing permissions, and give administrators visibility into agent activity.
Infrastructure security
Layered technical safeguards defend the production environment against unauthorized access and disruption
Production runs in cloud data centers, with physical security managed by the hosting provider.
Development, testing, and production are separated to limit the blast radius of any compromise.
Firewalls block unauthorized access, with rulesets reviewed at least annually.
A web application firewall filters malicious traffic before it reaches the application.
The network is segmented to help prevent unauthorized access to customer data.
Traffic is load-balanced across multiple availability zones for resilience against single-point failures.
Public SSH is blocked; administrators reach production only through a hardened bastion host.
Documented configuration and hardening standards follow industry best practices and are reviewed at least annually.
Infrastructure is patched through routine maintenance and in response to identified vulnerabilities.
Documentation
Featured
Certifications
Security
AI
Privacy & Legal
General Corporate Information
Tax and Billing Information









Updates
We remain committed to delivering secure, compliant services. As part of our ongoing security and compliance program, we have recently completed our annual Pentesting. Please access our latest report here.
We've updated our AI FAQ to address evolving customer questions around data security, privacy and AI governance.











