Security and privacy come first
Amplitude safeguards your data and your customers with comprehensive and transparent programs.
Trust starts with transparency
Amplitude provides a secure and compliant platform for customers around the globe. Learn more in our Customer Trust Portal.
Privacy by Design
Protect your data end-to-end with Amplitude.
We give you full control over the data you collect and how it is shared. And we’ve built our platform with privacy in mind to enable your compliance with GDPR, CCPA, and other privacy regulations that impact your business.
Product Capabilities
Control how long event data lives in your Amplitude instance with our Time to Live functionality.
Comply with end-user data deletion requests with our easy-to-use API.
Easily retrieve user data to comply with data subject access requests
Manage ingestion of unexpected Personally Identifiable Information.
Prevent storage of IP addresses. Reach out to Support to learn more.
Learn more about our Customer Data Platform and data governance capabilities.
Our Privacy Principles
1
Your privacy and the privacy of your user’s data is our priority
We built the Amplitude platform to protect your data. We partner closely with customers to understand their privacy use cases so we can deliver capabilities that meet their needs.
2
Our goal is to make it easy for you to be compliant
We are committed to providing a platform our customers can use in a data-responsible manner. With constantly evolving privacy laws, we give you the flexibility to adjust quickly and remain compliant.
3
Amplitude provides you with tools to be in control of your data
We believe customers should always have the agency to control how their data is used across Amplitude’s platform.
4
We prioritize data protection through technology design
Our privacy program is based on privacy-by-design principles. We take a proactive, innovative, and user-centric approach to building privacy capabilities.
Compliance with Privacy Laws
We know that global privacy regulations and data protection requirements are constantly evolving. You can trust that Amplitude is focused on meeting your privacy compliance needs, including GDPR, CCPA, and HIPAA.
Amplitude’s privacy team has reviewed our architecture, data flows, vendor capabilities, and agreements to ensure that our platform is GDPR compliant. Amplitude’s Digital Analytics Platform does not directly interact with our customers’ end users, nor does the platform automatically collect personal data. However, our customers might collect and send personal data to Amplitude for processing (e.g., IP address) and, as a result, Amplitude has implemented procedures and upgrades for our customers to remain privacy regulation compliant.
Specifically, we provide our customers with APIs to automatically serve their end-user Access and Deletion requests as detailed below.
- Amplitude’s Data Processing Agreements (DPAs) rely on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism for Personal Data from the United Kingdom, EU, and EEA to our US-West-based AWS environment. On July 16, 2020, the Court of Justice of the European Union (CJEU) determined that the EU SCCs will continue to be a valid transfer mechanism for Personal Data from the EU to the United States.
- Amplitude has signed Data Processing Agreements with our key vendors.
- Amplitude’s SDKs give customers the flexibility to control what data they choose to collect and send to our platform for processing and storage. Our customers, not Amplitude, control the type of data that is collected, stored, and processed in the platform. This is a full summary of the data keys Amplitude recognizes. Unless otherwise noted, all fields are optional and no personal data is required to use our core functionality.
- Amplitude has built advanced features that will allow customers to remove a specific individual’s information from the platform or instruct the platform not to store end-user IP Addresses.
We build our platform to enable data analytics with privacy in mind, and that includes ensuring your compliance with the California Consumer Privacy Act (CCPA) and the growing framework of other US State privacy laws.
As a first-party data analytics platform, you have complete control over the data you collect and send to Amplitude and the actions you choose to take. We only act as a service provider, storing and processing your data according to your instructions. Amplitude does not use customer data for our own purposes and we do not sell or share your data.
We’ve developed features and tools to help you easily manage your data and execute data subject requests, whether access or deletion requests. Our data processing addendum (DPA) sets out our role as a Service Provider, to provide you assurance that your use of our platform meets your CCPA and other US privacy law compliance needs.
For our customers that are covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA), we recognize that the protection of protected health information is of paramount importance. Amplitude can enter a Business Associates Agreement to help you maintain your HIPAA compliance.
Amplitude maintains data centers hosted by AWS in the US and in the EU so that our diverse customer base can utilize our Digital Analytics Platform while meeting their data storage and processing preferences and needs. We chose Frankfurt, Germany for our EU data center because it has some of the most stringent privacy and technology standards in the world.
AWS’ data centers are data neutral and agnostic, compliant with privacy regulations including General Data Privacy Regulations (GDPR) and certified in ISO 27001 and SOC 2 Type II.
To enable our customers to appropriately respond to and comply with data subject requests as required by global privacy laws such as the GDPR and CCPA, we have built easy-to-use APIs so you can programmatically submit data subject requests for known Amplitude IDs and/or Users IDs. You can find more details on our User Privacy API for data subject deletion requests here. More details on our API for Data Subject Access Requests under the GDPR and Right to Know Requests under the CCPA can be found here.
Transparency
Amplitude believes that privacy is a fundamental right and that it is our responsibility to be clear and transparent about how we process your data. We are committed to being transparent with you about our privacy policies and practices, including with respect to our development of AI technologies. Our Data Processing Agreement (DPA) outlines our strong commitment to securely and responsibly processing your data. We will continue to invest in resources that protect your privacy and build trust.
Amplitude’s Privacy Notice describes our practices for processing information in relation to visitors of our amplitude.com website, Community Forum and Amplitude Academy; Amplitude’s marketing activities; and Customers accessing and using our products and services.
A Data Processing Addendum (DPA) is a legal agreement that sets out the legal framework under which Amplitude processes personal data submitted to our platform by a customer and applies to all of our services. Our DPA is incorporated by reference into our Terms of Service and Main Services Agreement, so no further action by our customers is needed, regardless of which Amplitude services are used.
Amplitude uses third-party sub processors in the US and EU, according to our customers’ data center choices, in order to provide our services. We impose contractual obligations on our sub processors to implement appropriate safeguards to ensure that the subprocessing of personal data is protected to the standards required by applicable data protection laws. A list of our sub processors is disclosed in Schedule B of your applicable DPA. Our customers may subscribe to notifications of subprocessor changes by emailing subprocessor.notifications@amplitude.com.
On July 10, 2023, the European Commission formally adopted its new adequacy decision for the EU-US Data Privacy Framework. The adoption of this adequacy decision follows years of intense negotiations between the EU and the US after the invalidation of the EU-US Privacy Shield. The adequacy decision provides our customers with additional certainty that any EU personal data submitted to the Amplitude platform can legally be transferred to the United States.
In addition to certifying to the Data Privacy Framework, our DPA will also continue to incorporate other data transfer mechanisms, such as the Standard Contractual Clauses and the UK Addendum.
Our Perspective
Check out Amplitude's content and press coverage to understand our stance on privacy issues.