Privacy policy clauses for AWS Amplify
AWS Amplify is a cloud development platform that provides backend services for web and mobile applications, including authentication, data storage, APIs, and analytics. Websites use it to build scalable applications while outsourcing infrastructure management to Amazon Web Services.
What data AWS Amplify collects
Your privacy policy must disclose each of the following data types when you use AWS Amplify.
When does AWS Amplify trigger privacy obligations?
Immediate obligations when AWS Amplify is installed
Adding AWS Amplify to your app or website triggers data protection obligations the moment any AWS Amplify service begins processing user data. This happens automatically with several Amplify services:
Auth service: Immediately processes authentication data (email, phone, password hashes, MFA tokens) and stores user identity attributes in Amazon Cognito. This triggers GDPR Article 13/14 disclosure obligations (lawful basis, processor identity, retention) for any EU users, and CCPA Section 1798.100 disclosure requirements for California residents.
Storage service: Automatically transmits files to Amazon S3 and processes metadata. GDPR applies if any user data is stored; CCPA applies to California users regardless of file content sensitivity.
Analytics service: Amplify Analytics (via Amazon Pinpoint) collects session, event, and device data by default. This is a cross-border data transfer to the US, triggering GDPR Chapter V adequacy assessments and Standard Contractual Clauses (SCCs) requirements.
First concrete step: Before deploying, execute a Data Processing Agreement (DPA) with AWS covering all Amplify services you enable. AWS provides standard terms under its Customer Agreement Appendix, but you must document which Amplify services you use and confirm SCC adequacy for your user jurisdictions. If you serve EU users, confirm AWS's SCC compliance status post-Schrems II (currently documented in the AWS data processing addendum).
