// Trust & Security Report
Amplitude, Inc.
AI analytics platform covering product analytics, marketing analytics, session replay, feature experimentation, web experimentation, feature management, guides and surveys, and AI-native capabilities (AI Agents, AI Visibility, AI Feedback, AI Assistant, Amplitude MCP)
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on amplitude.com“Amplitude undergoes an annual SOC2 (Service Organization Control 2) Type 2 review by a qualified auditor, covering all the trust principles (Security, Confidentiality, and Availability) that apply to its operations. Amplitude is audited annually against known, established industry standards performed by external auditors.”
Verify on amplitude.com“Amplitude's privacy team has reviewed our architecture, data flows, vendor capabilities, and agreements to ensure that our platform is GDPR compliant. Amplitude is self-certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF, as administered by the U.S. Department of Commerce. Amplitude's Data Processing Agreements (DPAs) incorporate the EU Standard Contractual Clauses (SCCs).”
Verify on amplitude.com“Amplitude is self-certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF, as administered by the U.S. Department of Commerce.”
Verify on amplitude.com“For our customers that are covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA), we recognize that the protection of protected health information is of paramount importance. Amplitude can enter a Business Associates Agreement to help you maintain your HIPAA compliance.”
Verify on amplitude.com“Amplitude does not use customer data for our own purposes and we do not sell or share your data. Our data processing addendum (DPA) sets out our role as a Service Provider.”
> Show 8 unconfirmed / not-held certifications
source: info.amplitude.comNo public evidence of a CURRENT ISO 27001 certification. The only publicly accessible certificate on Amplitude's domain was read directly: 'Amplitude Inc. ... ISO/IEC 27001:2013 ... Certificate No: CL-102 Rev: 001 Certificate Issuance Date: 08/20/2021 Certificate Expiration Date: 08/19/2024' (issued by Consilium Labs, an ANAB/IAS-accredited body). As of the 2026-06-27 assessment date that certificate is expired by roughly 22 months, and the 2013 standard's mandatory transition to ISO/IEC 27001:2022 lapsed 10/31/2025. Amplitude's DPA still asserts the certification, but no renewed or current certificate is publicly accessible, so current holding cannot be verified. Downgraded to held=false pending a live certificate via the trust center.
source: info.amplitude.comNo public evidence of a CURRENT ISO 27018 certification. The only publicly accessible certificate on Amplitude's domain was read directly: 'Amplitude Inc. ... ISO/IEC 27018:2019 ... Certificate No: CL-102 Rev: 001 Certificate Issuance Date: 08/20/2021 Certificate Expiration Date: 08/19/2024' (issued by Consilium Labs). As of the 2026-06-27 assessment date it is expired by roughly 22 months and no renewed or current certificate is publicly accessible. Downgraded to held=false pending a live certificate.
source: amplitude.comNo public certificate evidence for ISO 27017 on Amplitude's domain. The certification is asserted only in vendor-authored blog posts and docs; unlike ISO 27001/27018 there is no certificate PDF on file at all. Held=false pending an on-domain or independently accessible certificate.
source: trust.amplitude.comNo public evidence of PCI DSS certification on Amplitude's website or trust center.
source: trust.amplitude.comNo public evidence of FedRAMP authorization on Amplitude's website or trust center.
source: trust.amplitude.comNo public evidence of CSA STAR registration or certification found on Amplitude's website or trust center.
source: amplitude.comNo public evidence of ISO 27701 certification found on Amplitude's website or trust center.
source: amplitude.comNo public evidence of ISO 42001 certification found on Amplitude's website or trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US (AWS US-West) and EU (AWS Frankfurt, Germany). EU customers' data never leaves the EU, including for AI feature processing.
Amplitude contractually prohibits its AI partners from using customer data to train or improve their models. For AWS Bedrock-powered features, data does not leave Amplitude's secure AWS environment. For OpenAI-powered features, Zero Data Retention endpoints are used. For Google AI features, Zero Data Retention is used where possible and data is never retained beyond 48 hours. Customers can opt out of all AI features at any time by contacting their account team.
// Security controls
Encryption in transit
Confirmed. Trust center controls list encryption in transit as an active control.
trust.amplitude.comEncryption at rest
Confirmed. Trust center controls list encryption at rest as an active control.
trust.amplitude.comAccess control
MFA enforcement, RBAC, least-privilege access, quarterly independent access reviews, VPN requirement for production access, rapid offboarding process.
trust.amplitude.comVulnerability management
Automated monthly vulnerability scanning of source code, application, and infrastructure. Annual third-party penetration testing. Private bug bounty program.
amplitude.comSubprocessors
9 listed in trust center: AWS (US, Germany), Datadog, Fivetran (US, Germany), Google (US, EU), Microsoft Azure. AI subprocessors are contractually prohibited from training on customer data; Bedrock-powered data stays inside Amplitude's AWS environment and OpenAI/Google use Zero Data Retention. (No public evidence that AI subprocessors are individually covered by BAAs.)
trust.amplitude.comPenetration testing
Annual third-party penetration test. Updated pentest summary published March 2026 in the trust center.
trust.amplitude.com// Products & data scope
data: Behavioral event data from digital products (clicks, flows, funnels, retention). Typically anonymous/pseudonymous.
Core product. GDPR-compliant with user deletion and DSAR APIs. SOC 2 in scope (annual). ISO 27001 was in scope of the now-expired Consilium Labs certificate; current ISO coverage not publicly verifiable.
data: Campaign and web analytics data.
Single line of code instrumentation. Same security controls as core platform.
data: Visual session recordings; may capture UI interactions including form inputs. PII controls available.
PII controls and masking available. Customers control what is captured.
data: Feature flag configuration and A/B test assignment data.
Powered partly by Statsig-branded services (subprocessors: Google, Microsoft Azure for Statsig).
data: May receive any data the customer has submitted to their Amplitude account as input/output depending on feature use.
Powered by third-party LLMs (AWS Bedrock, OpenAI, Google). Contractually prohibited from training on customer data. Zero Data Retention used where available. HIPAA BAAs available for the platform (per-AI-feature BAA coverage not independently confirmed). Opt-out available. EU data stays in EU.
data: In-product survey responses and user interaction data.
Subject to same platform controls.
// What to watch
- EXPIRED CERTS: The only publicly accessible ISO 27001 and ISO 27018 certificate PDFs on Amplitude's domain (info.amplitude.com) show Consilium Labs Cert No. CL-102 with expiration date 08/19/2024. As of June 2026 these documents are expired by nearly 22 months. Amplitude continues to assert these certifications across its website, DPA, and docs. A renewed certificate has not been confirmed via publicly accessible documentation. The trust center may hold a current cert behind a documentation-request wall, but this was not verifiable without access.
- ISO 27001:2013 TRANSITION: The expired certificates were issued under ISO/IEC 27001:2013. The mandatory transition deadline to ISO/IEC 27001:2022 was October 31, 2025. If Amplitude renewed, the new cert should be under the 2022 standard. This transition has not been confirmed publicly.
- ISO 27017 WEAK EVIDENCE: ISO 27017 is claimed in vendor-authored blog posts and docs but no certificate PDF or independent evidence was found on Amplitude's domain. Treat as unverified until confirmed via trust center.
- HOST-VS-VENDOR AMBIGUITY: The security-and-privacy page states 'AWS data centers are... certified in ISO 27001 and SOC 2 Type II' in the data residency section. This sentence refers to AWS's own certifications, not Amplitude's. A casual reader could conflate the two. Amplitude's own ISO 27001 is separately documented via its own certificate (now expired).
- AI TRAINING POSTURE: Amplitude contractually prohibits AI partners from training on customer data and uses Zero Data Retention endpoints where applicable. The AI FAQ (May 2026) in the trust center confirms this posture is current.
// At a glance
Pricing model
Freemium (up to 10K monthly tracked users free) with paid Growth and Enterprise tiers; Enterprise pricing custom/contact sales.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Amplitude, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.amplitude.com