Amplitude Trust Center Trust Center

Welcome to Amplitude's Customer Trust Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this Customer Trust Portal to learn about our security posture and request access to our security documentation.

Powered by Wolfia. Review compliance certifications, security policies, subprocessors, and request access to detailed documentation.

Skip to main content
Amplitude Trust Center
Header background

Amplitude Trust Center

Welcome to Amplitude's Customer Trust Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this Customer Trust Portal to learn about our security posture and request access to our security documentation.

security@amplitude.com

Access control

Rigorous user authentication and authorization safeguards restrict system access to the right people at the right time

Multi-factor authentication enforcement

Corporate and production systems require multi-factor authentication.

Role-based access control

Access is assigned by job role to enforce consistent least-privilege access.

Least-privilege privileged access

Administrative access to systems, databases, networks, and encryption keys is limited to authorized staff with a business need.

Unique user identification

Every account has a unique ID, enabling precise accountability for all activity.

Quarterly independent access reviews

A separate team reviews privileged and standard access quarterly to enforce least privilege.

Multi-factor authentication for production access

Production access requires multi-factor authentication.

Quarterly access reviews

User access is reviewed at least quarterly, with required changes tracked to completion.

Rapid offboarding process

Departing personnel lose access within one business day, with the change documented.

Timely access revocation

Termination checklists ensure departing employees lose access within defined timeframes.

VPN requirement for production resources

Administrative access to production is available only over a company-managed VPN.

Data security

Encryption and network protections maintain confidentiality and integrity of customer data throughout its lifecycle

Encryption at rest

Customer data is encrypted at rest across production databases and object storage in both the US and EU regions.

Encryption in transit

Sensitive data is encrypted in transit over public networks using secure protocols.

Customer data segregation

Logical isolation keeps each customer's data separate to prevent cross-tenant leakage.

Restricted access to confidential data

Access to networks, applications, and databases is limited to authorized users.

Firewall and port restrictions

Only approved ports and protocols can reach production networks, blocking unsolicited traffic.

Authorized application access

Data access is restricted to approved applications to prevent access outside defined boundaries.

Controlled removable media usage

Workstations block external storage devices unless explicitly approved.

Portable media encryption

Portable media is encrypted to protect data if a device is lost.

Encryption at rest

Customer data is encrypted at rest in Statsig's cloud datastores.

Encryption in transit

Sensitive data is encrypted in transit over public networks, and production systems are accessed only over encrypted connections.

Privacy and data governance

Comprehensive policies and tooling give customers control over where, how and how long their personal data is processed

Data classification

Information is classified (public, internal, customer, and company data) so protection matches sensitivity.

Global data processing addendum

A standard data processing addendum with current EU standard contractual clauses sets privacy obligations worldwide.

Customer-driven deletion API

Self-service and API tools let customers delete user records to meet GDPR, CCPA, and similar requirements.

Regulated customer data handling

Customer data is handled in accordance with data protection requirements and customer agreements.

Regional data residency choice

Customers can choose US or EU hosting to meet data-residency requirements.

Confidentiality obligations

Employees and contractors are required to protect confidential and private information.

Privacy by design program

Privacy-by-design principles embed data minimization and consent into product development.

Data retention and destruction procedures

Formal policies define retention periods and secure destruction, reviewed at least annually.

Automatic data deletion

Data is automatically deleted once its retention window expires.

Public privacy policy and DPO contact

A public privacy notice and a dedicated data protection officer contact provide transparency and accountability.

Data Privacy Framework certification

Amplitude is certified under the EU-US, UK Extension, and Swiss-US Data Privacy Frameworks for lawful transfer of personal data to the United States.

HIPAA Business Associate Agreements

Amplitude builds its products in line with HIPAA privacy and security rules and can sign Business Associate Agreements with regulated customers.

Application security

Secure development practices and independent testing uncover and remediate vulnerabilities before they affect customers

Secure development lifecycle policy

A documented secure development lifecycle requires change tracking, testing, and approval for every code change.

Secure development lifecycle

A formal secure development lifecycle governs development, maintenance, and changes, including emergency changes.

Mandatory peer code reviews

Every code change requires review and approval by someone other than the author.

Controlled production changes

Production changes must be authorized, documented, tested, reviewed, and approved before deployment.

Annual penetration testing

Independent penetration testing is performed at least annually, with remediation plans tracked to completion.

Annual third-party penetration tests

An independent firm penetration-tests the production environment at least annually, with findings tracked to remediation.

Continuous vulnerability scanning

External-facing systems are continuously scanned for vulnerabilities, including in open-source dependencies, with critical and high findings tracked to remediation.

Public bug bounty program

A public bug bounty program invites the security community to report vulnerabilities.

Automated dependency vulnerability scanning

Continuous scanning flags vulnerable open-source dependencies for prompt patching.

Independent retesting of remediations

An independent retest of the 2025 assessment confirmed no outstanding vulnerabilities remained.

Security monitoring and logging

Continuous logging, automated detection and alerting provide rapid visibility into anomalous or malicious activity

Comprehensive cloud audit logging

Production account activity is logged, encrypted, and tamper-evident for audits and investigations.

Centralized log management

Centralized log management helps identify and investigate security-relevant events.

Network and security logging

Network flow, router, and firewall logs support monitoring and security review.

Network flow and load balancer logs

Network flow and load balancer logs support threat detection and firewall validation.

Automated anomaly detection with on-call alerting

Real-time monitoring alerts on-call engineers to high-severity events 24/7.

Continuous infrastructure monitoring and alerting

Infrastructure and performance are continuously monitored, with alerts on predefined thresholds.

Quarterly independent access log reviews

Access to sensitive logs is reviewed quarterly to confirm only authorized staff can view it.

Continuous application monitoring

Applications, databases, and cloud storage are monitored to keep service delivery within commitments.

Continuous control monitoring platform

Automated tooling continuously tracks the status of internal controls to surface gaps early.

Intrusion detection

Intrusion detection continuously monitors the network for potential breaches.

Incident response

Documented, tested procedures ensure swift containment, resolution and learning from security incidents

Formal incident response plan

A documented plan defines roles, escalation paths, and communications for security events.

Incident response plan

A documented plan guides staff in reporting and responding to security and privacy incidents.

Incident reporting channels

Customers report suspected breaches via support channels; staff report through an internal portal for tracking.

Automatic paging for critical incidents

Critical events automatically page on-call staff to speed acknowledgment and resolution.

Post-incident root cause analysis

Every incident ends with a root-cause analysis and corrective actions shared with engineering.

Annual incident response testing

The incident response plan is tested at least annually to maintain readiness.

Annual incident response exercises

Annual tabletop drills test incident response readiness and surface improvements.

Incident tracking and notification

Incidents are logged, tracked, resolved, and communicated to affected parties per documented procedures.

Security breach response training

Responsible staff are trained to identify and respond to suspected security incidents.

Business continuity and disaster recovery

Redundant architecture, robust backups and tested plans protect availability and facilitate rapid recovery

Business continuity and disaster recovery plan

Documented business continuity and disaster recovery plans support recovery from disruptions.

Disaster recovery and business continuity plans

Documented disaster recovery and business continuity plans define roles and recovery steps for major disruptions.

Annual disaster recovery testing

The recovery plan is tested at least annually through tabletop exercises.

Automatic daily database backups

Production databases are backed up daily and retained for 30 days.

Customer data backups

Customer data is backed up to support recovery and service continuity.

Point-in-time recovery for key datastores

Continuous backups allow point-in-time recovery to any second within the last 35 days.

Backup monitoring and exception handling

Backups are monitored for completion, and exceptions are troubleshot and rerun.

Annual failover and backup restoration tests

Recovery procedures and backups are tested each year to confirm they work when needed.

Continuity communication planning

Continuity plans include communication procedures for when key personnel are unavailable.

Employee security

Hiring, training and endpoint protections cultivate a security-minded workforce and resilient devices

Pre-employment background checks

Employees and contractors are screened, as permitted by local law, before accessing confidential data.

Security awareness training

Employees complete security awareness training within 30 days of hire and at least annually thereafter.

Code of conduct acknowledgment

New employees acknowledge the code of conduct at hire.

Mandatory code of conduct acceptance

All personnel attest to a code of conduct that includes information security obligations.

Employee confidentiality agreements

Personnel sign confidentiality agreements during onboarding.

Managed device encryption and hardening

Company laptops enforce disk encryption, strong passwords, and automatic lockout.

Managed endpoint security

Company laptops are managed via MDM with standard security baselines, and unauthorized software installation is blocked.

Endpoint malware protection and updates

Employee devices run malware protection and receive current operating system and security updates.

Vendor management

Structured oversight of third-party providers reduces supply-chain and compliance risk

Third-party risk management program

A formal program governs how vendors are evaluated, approved, and monitored.

Vendor risk management policy

A formal program classifies vendors by risk and sets due-diligence requirements.

Annual compliance report reviews

Critical vendors' security and privacy attestations are reviewed annually to confirm ongoing compliance.

Vendor due diligence

New providers undergo due diligence covering security, privacy, compliance, financial viability, and performance.

Published subprocessor list

A published subprocessor list lets customers track third parties, for which Amplitude remains contractually responsible.

Critical vendor inventory

An inventory of critical third parties supports oversight of the most important vendors.

Annual vendor reviews

Critical third parties are reviewed at least annually against organizational requirements.

Cybersecurity insurance coverage

Dedicated cyber insurance helps limit the financial impact of a significant security incident.

Vendor confidentiality commitments

Vendor agreements include confidentiality obligations before information is shared.

Compliance and governance

Independent attestations and board-level oversight demonstrate a mature, well-governed security program

SOC 2 Type II certification

An annual independent SOC 2 Type II audit covers security, availability, and confidentiality.

SOC 2 Type II audit

An independent SOC 2 Type II audit examined the design and operating effectiveness of security controls over a defined period.

GDPR and CCPA compliance commitments

Amplitude contractually commits to GDPR, CCPA, and other key privacy regulations.

Annual security risk assessments

Risk assessments are performed at least annually, covering operational, strategic, compliance, fraud, environmental, regulatory, and technological risks.

AI usage governance policy

Internal policies govern the responsible, secure use of AI across the company.

Board cybersecurity oversight

The board or a subcommittee is briefed on cybersecurity risk at least annually.

Board audit committee cybersecurity oversight

A board-level committee reviews security and privacy risk at least twice a year.

Annual control self-assessments

Control self-assessments are performed at least annually to confirm controls operate effectively.

Annual policy review

Information security policies are documented and reviewed at least annually.

ISO/IEC 27001 certification

Amplitude maintains an ISO/IEC 27001-certified information security management system, extended with ISO/IEC 27017 for cloud security and 27018 for personal data protection.

SOC 1 Type 2 report

An independent SOC 1 Type 2 report covers controls relevant to financial reporting.

AI provider data-use restrictions

Amplitude contractually prohibits its AI providers from using customer data to train or improve their models.

Human oversight for agentic AI

Agentic AI features require explicit human approval for consequential actions, respect each user's existing permissions, and give administrators visibility into agent activity.

Infrastructure security

Layered technical safeguards defend the production environment against unauthorized access and disruption

Cloud infrastructure hosting

Production runs in cloud data centers, with physical security managed by the hosting provider.

Environment segmentation

Development, testing, and production are separated to limit the blast radius of any compromise.

Firewall protection

Firewalls block unauthorized access, with rulesets reviewed at least annually.

Web application firewall

A web application firewall filters malicious traffic before it reaches the application.

Network segmentation

The network is segmented to help prevent unauthorized access to customer data.

Load-balanced multi-zone architecture

Traffic is load-balanced across multiple availability zones for resilience against single-point failures.

Bastion-only SSH access

Public SSH is blocked; administrators reach production only through a hardened bastion host.

Configuration and hardening standards

Documented configuration and hardening standards follow industry best practices and are reviewed at least annually.

Routine patch management

Infrastructure is patched through routine maintenance and in response to identified vulnerabilities.