Security
Security at Amplifying
Amplifying keeps the customer data surface intentionally small. The current service uses managed providers for authentication, hosting, and account metadata, and benchmark datasets are generated by Amplifying rather than ingested from customer workspaces.
Last updated May 20, 2026.
Data scope
What we protect
We collect the minimum data needed to authenticate users, manage accounts, deliver customer dashboards, and operate the service. Customer-submitted source code, workspace content, prompts, files, special-category data, and children's data are not intentionally processed by the current service.
Authentication identity
Email addresses, sessions, MFA metadata, and related authentication records managed through Clerk.
Account metadata
Names, emails, plan state, billing identifiers, timestamps, and access entitlements needed to operate the service.
Operational logs
Request metadata, deployment events, authentication events, and error signals. Customer prompt content and outputs are not written to operational logs by design.
Private customer analysis
Customer-specific benchmark dashboards, reports, and advisory intake details are access-controlled and not used in public research without explicit permission.
Controls
How we protect it
The controls below summarize the current security program and the managed-provider controls Amplifying relies on for the production service.
Encryption
TLS 1.2 is the minimum for all network traffic, with TLS 1.3 negotiated where the client supports it; engineering access to internal systems goes over Tailscale (WireGuard); data at rest is encrypted with AES-256 by the managed providers listed under Subprocessors.
Access control
MFA is required for all administrative systems. Production access follows least privilege through each provider's IAM, using named individual identities rather than shared accounts.
Change management
Production code changes go through pull requests, reviewer approval, CI checks, and Vercel preview review before merge.
Logging and monitoring
Provider security alerts and platform events are monitored by engineering. Operational logs contain request and event metadata rather than content, and are retained only for each provider's rolling retention window.
Vulnerability management
Findings from GitHub Dependabot and GitHub security scanning are triaged by severity; Critical and High findings are remediated ahead of normal product work.
Incident response
A documented incident response process covers triage, containment, recovery, customer notification, and post-mortems. Affected customers are notified of material breaches involving their data within 72 hours of confirmation.
Assurance
Compliance and review
We will not claim certifications we do not hold. Customer security reviews can request the materials listed below at security@amplifying.ai.
Security framework
Amplifying maintains a documented security program aligned to the Cloud Security Alliance Cloud Controls Matrix v4.1.0.
CAIQ Lite
A CAIQ Lite v4.1.0 self-assessment is maintained and available to customers on request.
DPIA
A Data Protection Impact Assessment is maintained for the current service and available during customer security review.
Independent audit
Amplifying has not yet completed its own SOC 2 audit. Today, independent audit reports are available only through our subprocessors; our own SOC 2 readiness work is on the roadmap.
Subprocessors
Service providers
These subprocessors support the current Amplifying service. No subprocessor receives customer-submitted content because the current service does not ingest it.
| Provider | Purpose | Data processed | Location | Legal terms |
|---|---|---|---|---|
| Vercel | Hosting, edge, serverless, TLS, deploys | Request and response metadata, application logs | United States | View |
| Neon | Managed Postgres database | Account metadata | United States | View |
| Clerk | Authentication and identity | Authentication identifiers, sessions, MFA metadata | United States | View |
| Tailscale | Encrypted internal network for engineering access | Access metadata only; no customer data | United States | View |
| Linear | Internal issue tracking | Internal tickets that may reference accounts | United States | View |
| GitHub | Source control and CI | Application source code, build logs | United States | View |
Requests
Security contact
Send security questions, vulnerability reports, data-subject-rights requests, DPA requests, and CAIQ requests to security@amplifying.ai.
For vulnerability reports, include the affected URL or system, reproduction steps, impact, and any relevant logs or screenshots. Please do not include secrets, customer personal data, or exploit code beyond what is necessary to demonstrate the issue.
Available on request
- CAIQ Lite v4.1.0 self-assessment
- Data Protection Impact Assessment
- Subprocessor details and DPA status
- Security questionnaire responses