Security and privacy

Amplitude meets standards for SOC 2 Type 2, GDPR, HIPAA, CCPA, and Privacy Shield. The questions below explain each program and where to find the underlying documentation.

What are the terms of Amplitude's service and privacy policy?

Amplitude's Terms of Service incorporate the Data Processing Addendum (TOS DPA) and the Acceptable Use Policy (AUP).The Privacy Notice describes how Amplitude collects, stores, uses, discloses, and otherwise processes information. It covers visitors to amplitude.com (including the Community Forum and Amplitude Academy), Amplitude's marketing activities, and customers who access and use Amplitude's products.

Read Amplitude's Terms of Service and Privacy Policy carefully to understand Amplitude's policies and practices for the information collected through the website and the product.

For other security and privacy information (GDPR, CCPA, HIPAA, and others), review Amplitude's Stance on Security & Privacy.

What is the SOC 2 report?

The SOC 2 is a report on Amplitude's Description of its Digital Optimization System and on the Suitability of the Design and Operating Effectiveness of Controls Relevant to Security, Availability, and Confidentiality. It's available in Amplitude's Customer Trust Portal.

There you'll find:

SOC 2.
DPA.
ISO certification.
Industry-standard questionnaires (CAIQ).
Privacy-related information.

What is the DPA for paying and non-paying customers?

The Data Processing Addendum for Terms of Service (TOS DPA) is incorporated into and forms part of the Amplitude Terms of Service, or any other written or electronic agreement between customer and Amplitude that governs the customer's use of the Amplitude services. Visit the Customer Trust Portal for the document.

There you'll find:

SOC 2.
DPA.
ISO certification.
Industry-standard questionnaires (CAIQ).
Privacy-related information.

What is the Bug Bounty program?

Amplitude operates several ongoing security procedures:

Automated monthly vulnerability scanning of source code, application, and infrastructure.
Ad-hoc scanning and testing of new features and functionality.
Annual penetration testing of the application and underlying cloud infrastructure by a third-party agency using traditional penetration-testing methodology.

In addition, Amplitude runs a private Bug Bounty program to detect and report security issues as early as possible. Amplitude triages issues identified through any of these channels, prioritizes them by risk and impact, and remediates them within defined SLAs.

To learn about the Bug Bounty reward system, contact security@amplitude.com.

Who can I contact for additional information or concerns?

For questions about security and compliance, email security@amplitude.com.For questions about privacy, email privacy@amplitude.com.To report concerns including fraud, email reports@lighthouse-services.com and include Amplitude in the report.

Was this helpful?