Amplify HQ Security and Compliance Overview
Amplify HQ Security and Compliance Overview
Amplify HQ Security and Risk Focus
Our Security and Compliance Objectives
Development and Release Management
Data Backup and Disaster Recovery
System Reliability and Recovery
Customer Data Backup Restoration
Platform Provider Employee Access to Customer Data
Access to Production Infrastructure
Corporate Authentication & Authorisation
Organisational & Corporate Security
Background Checks and Onboarding
Introduction
Our Company and Products
Developed for agencies by an agency, Amplify HQ’s goal is to help marketing professionals and agencies reach and surpass their benchmarks for success. We believe in enhancing automation, improving communication, and boosting scalability in a consumer-friendly way, and we consistently provide future-embracing updates that exemplify these priorities.
Since its inception as a licensed platform based on secure underlying infrastructure, Amplify HQ has continuously grown in impact, increasing the influence created on the tech community and SaaS industry. At Amplify HQ, we measure our success by the successes of our customers and therefore prioritise optimising our offerings to meet their needs.
Our AI-powered all-in-one sales, marketing, and customer relationship management (CRM) platform offers numerous features essential to agencies and marketers. This expansive software solution provides limitless opportunities for customers to set lofty sales goals and actually achieve them while being supported by our team and by the secure, compliant systems of our platform provider. We also encourage customers to rebrand our platform as their own, offering agencies and marketers everything they need to scale beyond what they ever thought possible for themselves, their businesses, and their clients.
Amplify HQ Security and Risk Focus
Amplify HQ’s primary security focus is to safeguard our customers’ data. Amplify HQ is licensed on a secure platform whose platform provider has invested heavily in the appropriate controls to protect and service customers. This investment includes dedicated corporate, product, and infrastructure security programs. The platform owner’s Legal Team, in partnership with other departments, oversees the implementation of these programs.
Our Security and Compliance Objectives
We have developed our security framework using best practices for the SaaS industry. Our key objectives include:
Customer Trust and Protection: deliver superior products and services while protecting the privacy and confidentiality of data
Availability and Continuity of Service: ensure availability of the service and minimise risks to service continuity
Information and Service Integrity: make sure that customer information is never corrupted or altered inappropriately
Compliance with Standards: aim to comply with or exceed industry standard best practices
Amplify HQ Security Controls
To protect the data that is entrusted to us, Amplify HQ, along with our licensed platform provider, utilises layers of administrative, technical, and physical security controls throughout our combined architecture. The following sections describe a subset of our most frequently asked security topics.
Infrastructure Security
Cloud Hosting Provider
Amplify HQ does not host any product systems or data within its physical offices. The platform provider outsources hosting of its product infrastructure to leading cloud infrastructure providers such as Google Cloud Platform Services and Amazon Web Services. Product infrastructure resides in the United States. Reliance is placed on Google’s and AWS’s audited security and compliance programs for the efficacy of their physical, environmental, and infrastructure security controls.
Google provides a monthly uptime percentage to customers of at least 99.5%.
AWS guarantees between 99.95% and 100% service reliability, ensuring redundancy to all power, network, and HVAC services.
The provider’s business continuity and disaster recovery plans have been independently validated under SOC 2 Type 2 reporting and ISO 27001 certification.
Network and Perimeter
The platform provider’s product infrastructure enforces multiple layers of filtering and inspection across web applications, logical firewalls, and security groups. Network-level access control lists prevent unauthorised access to internal infrastructure and resources.
Firewall rulesets are reviewed periodically to ensure only necessary connections are permitted.
Configuration Management
Automation drives the platform provider’s ability to scale, with rigorous configuration management built into day-to-day infrastructure processes.
Server configurations are maintained via image-based and configuration-file automation. Deviations from baseline configuration trigger automatic remediation within a defined timeframe.
Patch management is performed through automated configuration tools or by replacing non-compliant server instances.
Logging
Actions and events occurring within the Amplify HQ platform are comprehensively logged. Logs are centralised within the platform provider’s secure cloud environment.
Security-relevant logs are retained, indexed, and stored to support investigation and response. Access to write logs is tightly controlled.
Alerting and Monitoring
The platform provider invests in automated monitoring, alerting, and response capabilities to continuously address potential issues.
Automated triggers react to anomalies such as attack patterns, abuse, error rates, or misconfigurations—escalating or mitigating issues proactively.
Application Security
Web Application Defenses
All customer content hosted in Amplify HQ is protected by application firewalls and active monitoring. Protections are aligned with OWASP Top 10 frameworks. DDoS mitigation is also incorporated.
Development and Release Management
Amplify HQ benefits from the platform provider’s modern continuous-delivery development cycle:
Code reviews
Automated testing
Static code analysis
Segregated QA environments
Automated deployments and rollbacks
Feature gating for controlled release
Updates are seamless and do not require customer downtime.
Vulnerability Management
The platform provider maintains a multi-layered vulnerability management program, using industry-recognised scanning tools, adaptive asset discovery, continuous monitoring, and periodic penetration testing.
Findings are assessed and mitigated based on severity.
Customer Data Protection
Data Classification
Per Amplify HQ’s Terms of Service, customers are responsible for ensuring they only capture appropriate information. Amplify HQ should not be used to store sensitive personal information such as full credit card numbers, bank account details, Social Security numbers, passport numbers, or financial/health data unless explicitly allowed.
Tenant Separation
Amplify HQ provides a multi-tenant SaaS solution with logical data separation using unique identifiers. Authorisation rules prevent cross-tenant access and are validated continually.
Encryption
All data is encrypted:
In transit: TLS 1.2 or higher
At rest: AES-256 encryption
Passwords are hashed following industry best practices.
Key Management
Encryption keys for both in-transit and at-rest data are managed by the platform provider using a hardened Key Management System. TLS certificates typically renew annually.
Customer-supplied encryption keys are not currently supported.
Data Backup and Disaster Recovery
System Reliability and Recovery
Amplify HQ is built on highly available infrastructure. Server components are distributed across multiple availability zones with redundancy for compute, storage, and networking.
Backup Strategy
System Backups
Systems are backed up regularly with seven days of rolling backups maintained for databases. Backups are monitored; failures are escalated for remediation.
Data is backed up daily to the local region, with alerting in place for replication failures.
Physical Backup Storage
Because cloud services host all infrastructure and backups, no physical storage media is used.
Backup Protections
Backups are protected by:
Access control restrictions
WORM (write-once read-many) policies
ACL protections on file storage systems
Customer Data Backup Restoration
Amplify HQ customers cannot initiate infrastructure-level failover. DR operations are handled by the platform provider’s engineering team.
Amplify HQ enables customer-led recovery options such as:
Recycle bin (30-day retention)
Version history restoration
Data exports
API-based synchronisation
Identity and Access Control
Product User Management
Amplify HQ products allow administrators to create, manage, and restrict users and permissions granularly.
Product Login Protections
Amplify HQ requires:
Minimum 8-character passwords
Mixed character types
Optional two-factor authentication (can be enforced)
Platform Provider Employee Access to Customer Data
Access to Production Infrastructure
The platform provider restricts production access via RBAC, MFA, bastion hosts, and IAM policies. Only essential engineers receive limited access.
Access to Customer Portals
Support and service staff may obtain temporary access through a Just-In-Time Access (JITA) system:
Access expires within 24 hours
All access is logged
High-risk actions are blocked
Monitoring detects unusual behaviour
Corporate Authentication & Authorisation
Internal access to the platform provider’s systems requires MFA, password vaults, RBAC, and semi-annual access reviews.
Organisational & Corporate Security
Background Checks and Onboarding
The platform provider’s employees undergo background checks prior to employment. All personnel must read and acknowledge the provider’s Code of Conduct and Employee Handbook.
Policy Management
The platform provider maintains documented policies for:
Data handling
Privacy
Access control
Disciplinary processes
Policies are reviewed at least annually.
Security Awareness Training
All platform provider employees complete cybersecurity and phishing awareness training.
Vendor Management
The platform provider may use third-party services for product development or internal operations. Vendors are assessed to ensure appropriate security posture.
Endpoint Protection
Company-issued devices used by the platform provider are centrally managed, encrypted, and monitored through MDM.
Compliance
Sensitive Data Processing and Storing
Amplify HQ does not store or process full credit card numbers. PCI-compliant payment processors handle all payment transactions.
Privacy
Amplify HQ does not sell personal data. Protections described in this document and those implemented by the platform provider help keep data private and unaltered.
Data Retention & Deletion
Customer data is retained while the account remains active. Customers may request deletion in accordance with privacy regulations.
Some logs or metadata may be retained for compliance or security reasons.
Privacy Program Management
The platform provider’s Legal and Security teams collaborate with engineering and product teams to maintain an effective privacy program.
Breach Response
Amplify HQ will notify customers as required by law should a data breach affecting personal information occur.
GDPR
Amplify HQ provides tools and features that support customer compliance with GDPR.
Use of Amplify HQ alone does not ensure compliance; businesses must configure their own processes accordingly.
Document Scope and Use
This document is intended as a resource for Amplify HQ customers. It does not create a contractual obligation or modify existing agreements. The platform provider and Amplify HQ continually improve security measures and may update processes accordingly.
Contact Us
For questions about this document or Amplify HQ’s security practices, please contact:
📧 [email protected]
📞 Your Amplify HQ representative
