// Trust & Security Report

    Amplitude, Inc. logo

    Amplitude, Inc.

    AI analytics platform covering product analytics, marketing analytics, session replay, feature experimentation, web experimentation, feature management, guides and surveys, and AI-native capabilities (AI Agents, AI Visibility, AI Feedback, AI Assistant, Amplitude MCP)

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Amplitude undergoes an annual SOC2 (Service Organization Control 2) Type 2 review by a qualified auditor, covering all the trust principles (Security, Confidentiality, and Availability) that apply to its operations. Amplitude is audited annually against known, established industry standards performed by external auditors.

    Verify on amplitude.com
    GDPR compliance posture
    HELD

    Amplitude's privacy team has reviewed our architecture, data flows, vendor capabilities, and agreements to ensure that our platform is GDPR compliant. Amplitude is self-certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF, as administered by the U.S. Department of Commerce. Amplitude's Data Processing Agreements (DPAs) incorporate the EU Standard Contractual Clauses (SCCs).

    Verify on amplitude.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Amplitude is self-certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF, as administered by the U.S. Department of Commerce.

    Verify on amplitude.com
    HIPAA (BAA available)
    HELD

    For our customers that are covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA), we recognize that the protection of protected health information is of paramount importance. Amplitude can enter a Business Associates Agreement to help you maintain your HIPAA compliance.

    Verify on amplitude.com
    CCPA (Service Provider posture)
    HELD

    Amplitude does not use customer data for our own purposes and we do not sell or share your data. Our data processing addendum (DPA) sets out our role as a Service Provider.

    Verify on amplitude.com
    > Show 8 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence of a CURRENT ISO 27001 certification. The only publicly accessible certificate on Amplitude's domain was read directly: 'Amplitude Inc. ... ISO/IEC 27001:2013 ... Certificate No: CL-102 Rev: 001 Certificate Issuance Date: 08/20/2021 Certificate Expiration Date: 08/19/2024' (issued by Consilium Labs, an ANAB/IAS-accredited body). As of the 2026-06-27 assessment date that certificate is expired by roughly 22 months, and the 2013 standard's mandatory transition to ISO/IEC 27001:2022 lapsed 10/31/2025. Amplitude's DPA still asserts the certification, but no renewed or current certificate is publicly accessible, so current holding cannot be verified. Downgraded to held=false pending a live certificate via the trust center.

    source: info.amplitude.com
    ISO/IEC 27018
    NOT CONFIRMED

    No public evidence of a CURRENT ISO 27018 certification. The only publicly accessible certificate on Amplitude's domain was read directly: 'Amplitude Inc. ... ISO/IEC 27018:2019 ... Certificate No: CL-102 Rev: 001 Certificate Issuance Date: 08/20/2021 Certificate Expiration Date: 08/19/2024' (issued by Consilium Labs). As of the 2026-06-27 assessment date it is expired by roughly 22 months and no renewed or current certificate is publicly accessible. Downgraded to held=false pending a live certificate.

    source: info.amplitude.com
    ISO/IEC 27017
    NOT CONFIRMED

    No public certificate evidence for ISO 27017 on Amplitude's domain. The certification is asserted only in vendor-authored blog posts and docs; unlike ISO 27001/27018 there is no certificate PDF on file at all. Held=false pending an on-domain or independently accessible certificate.

    source: amplitude.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on Amplitude's website or trust center.

    source: trust.amplitude.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on Amplitude's website or trust center.

    source: trust.amplitude.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification found on Amplitude's website or trust center.

    source: trust.amplitude.com
    ISO/IEC 27701 (Privacy Information Management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on Amplitude's website or trust center.

    source: amplitude.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on Amplitude's website or trust center.

    source: amplitude.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (AWS US-West) and EU (AWS Frankfurt, Germany). EU customers' data never leaves the EU, including for AI feature processing.

    Amplitude contractually prohibits its AI partners from using customer data to train or improve their models. For AWS Bedrock-powered features, data does not leave Amplitude's secure AWS environment. For OpenAI-powered features, Zero Data Retention endpoints are used. For Google AI features, Zero Data Retention is used where possible and data is never retained beyond 48 hours. Customers can opt out of all AI features at any time by contacting their account team.

    // Security controls

    Encryption in transit

    Confirmed. Trust center controls list encryption in transit as an active control.

    trust.amplitude.com

    Encryption at rest

    Confirmed. Trust center controls list encryption at rest as an active control.

    trust.amplitude.com

    Access control

    MFA enforcement, RBAC, least-privilege access, quarterly independent access reviews, VPN requirement for production access, rapid offboarding process.

    trust.amplitude.com

    Customer data segregation

    Confirmed as an active data security control.

    trust.amplitude.com

    Vulnerability management

    Automated monthly vulnerability scanning of source code, application, and infrastructure. Annual third-party penetration testing. Private bug bounty program.

    amplitude.com

    Subprocessors

    9 listed in trust center: AWS (US, Germany), Datadog, Fivetran (US, Germany), Google (US, EU), Microsoft Azure. AI subprocessors are contractually prohibited from training on customer data; Bedrock-powered data stays inside Amplitude's AWS environment and OpenAI/Google use Zero Data Retention. (No public evidence that AI subprocessors are individually covered by BAAs.)

    trust.amplitude.com

    Penetration testing

    Annual third-party penetration test. Updated pentest summary published March 2026 in the trust center.

    trust.amplitude.com

    // Products & data scope

    Product AnalyticsProduct Analytics

    data: Behavioral event data from digital products (clicks, flows, funnels, retention). Typically anonymous/pseudonymous.

    Core product. GDPR-compliant with user deletion and DSAR APIs. SOC 2 in scope (annual). ISO 27001 was in scope of the now-expired Consilium Labs certificate; current ISO coverage not publicly verifiable.

    Marketing AnalyticsMarketing Analytics

    data: Campaign and web analytics data.

    Single line of code instrumentation. Same security controls as core platform.

    Session ReplaySession Recording

    data: Visual session recordings; may capture UI interactions including form inputs. PII controls available.

    PII controls and masking available. Customers control what is captured.

    Feature Experimentation / Web ExperimentationA/B Testing and Feature Flags

    data: Feature flag configuration and A/B test assignment data.

    Powered partly by Statsig-branded services (subprocessors: Google, Microsoft Azure for Statsig).

    Amplitude AI (Agents, Visibility, Feedback, MCP, Assistant)AI-native Analytics

    data: May receive any data the customer has submitted to their Amplitude account as input/output depending on feature use.

    Powered by third-party LLMs (AWS Bedrock, OpenAI, Google). Contractually prohibited from training on customer data. Zero Data Retention used where available. HIPAA BAAs available for the platform (per-AI-feature BAA coverage not independently confirmed). Opt-out available. EU data stays in EU.

    Guides and SurveysIn-app Messaging and Feedback

    data: In-product survey responses and user interaction data.

    Subject to same platform controls.

    // What to watch

    • EXPIRED CERTS: The only publicly accessible ISO 27001 and ISO 27018 certificate PDFs on Amplitude's domain (info.amplitude.com) show Consilium Labs Cert No. CL-102 with expiration date 08/19/2024. As of June 2026 these documents are expired by nearly 22 months. Amplitude continues to assert these certifications across its website, DPA, and docs. A renewed certificate has not been confirmed via publicly accessible documentation. The trust center may hold a current cert behind a documentation-request wall, but this was not verifiable without access.
    • ISO 27001:2013 TRANSITION: The expired certificates were issued under ISO/IEC 27001:2013. The mandatory transition deadline to ISO/IEC 27001:2022 was October 31, 2025. If Amplitude renewed, the new cert should be under the 2022 standard. This transition has not been confirmed publicly.
    • ISO 27017 WEAK EVIDENCE: ISO 27017 is claimed in vendor-authored blog posts and docs but no certificate PDF or independent evidence was found on Amplitude's domain. Treat as unverified until confirmed via trust center.
    • HOST-VS-VENDOR AMBIGUITY: The security-and-privacy page states 'AWS data centers are... certified in ISO 27001 and SOC 2 Type II' in the data residency section. This sentence refers to AWS's own certifications, not Amplitude's. A casual reader could conflate the two. Amplitude's own ISO 27001 is separately documented via its own certificate (now expired).
    • AI TRAINING POSTURE: Amplitude contractually prohibits AI partners from training on customer data and uses Zero Data Retention endpoints where applicable. The AI FAQ (May 2026) in the trust center confirms this posture is current.

    // At a glance

    Pricing model

    Freemium (up to 10K monthly tracked users free) with paid Growth and Enterprise tiers; Enterprise pricing custom/contact sales.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Amplitude, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.amplitude.com

    > Browse all vendor trust reports