Amplitude wears two hats: it controls data about website visitors and business contacts directly, but for data collected inside its customers' apps, it acts only as a processor following the customer's instructions.
This analysis describes what Amplitude's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines who is legally responsible for your data and who you should contact with privacy requests, depending on how you encountered Amplitude.
If your data was collected through a third-party app that uses Amplitude, your privacy rights run primarily against that app operator, not Amplitude directly, which may limit your practical recourse against Amplitude for that data.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
Amplitude has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Amplitude acts as a "data controller" with respect to the personal information it collects about visitors to the Amplitude website and about contacts and representatives of our current and potential customers and partners. Amplitude acts as a "data processor" or "service provider" with respect to the personal information that Amplitude processes on behalf of our customers using the Amplitude platform.— Excerpt from Amplitude's Amplitude Privacy Notice
(1) REGULATORY LANDSCAPE: GDPR Articles 4(7) and 4(8) define controller and processor roles with distinct legal obligations; this provision's characterization of Amplitude as a processor for customer deployments directly engages those definitions and corresponding DPA requirements. The FTC Act is relevant to the controller-side processing. (2) GOVERNANCE EXPOSURE: Medium. The dual-role structure is common in B2B SaaS analytics, but it creates compliance complexity for enterprise customers who must ensure their DPAs with Amplitude are current, complete, and reflect actual data flows for both roles. Misclassification of the role in a given context could create regulatory exposure for either party. (3) JURISDICTION FLAGS: EU and UK data subjects are most directly affected given GDPR and UK GDPR requirements for documented DPAs between controllers and processors. California CPRA similarly requires service provider contracts that restrict downstream use. Organizations serving data subjects in multiple jurisdictions should ensure DPA templates address all applicable frameworks. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that executed DPAs with Amplitude explicitly address Standard Contractual Clauses for international transfers, sub-processor lists, audit rights, and breach notification timelines. The notice's assertion of processor status may not automatically satisfy all contractual requirements without a separately executed agreement. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all data flows to confirm whether Amplitude is acting as controller or processor in each context, update data inventories accordingly, and ensure that end-user-facing privacy notices for apps built on Amplitude accurately disclose Amplitude as a sub-processor or third-party recipient.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines who is legally responsible for your data and who you should contact with privacy requests, depending on how you encountered Amplitude.
If your data was collected through a third-party app that uses Amplitude, your privacy rights run primarily against that app operator, not Amplitude directly, which may limit your practical recourse against Amplitude for that data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Amplitude.