Amplitude EU Alternative 2026: Product Analytics CLOUD Act Risk and GDPR Compliance for EU Teams
Post #937 in the sota.io EU Cyber Compliance Series | EU-ANALYTICS-SERIE Post #4
Amplitude, Inc. is a product analytics platform incorporated in Delaware and headquartered in San Francisco, California. It provides event-based behavioral analytics — tracking which features users activate, how they move through conversion funnels, where they drop off, and what actions precede subscription upgrades or cancellations. As of 2024, Amplitude had approximately 3,800 enterprise and mid-market customers, including a significant portion in Europe.
The distinction between product analytics and web analytics matters for GDPR. Web analytics tools like Google Analytics primarily track page views, sessions, and referrers. Product analytics tools like Amplitude track authenticated user behavior inside your application: feature activations, onboarding steps completed, API calls made, in-app purchases, and revenue events. The data is richer, more personal, and more directly tied to identifiable individuals — because product analytics tools almost always receive a userId that maps to an account in your database.
Amplitude Inc. is a US person under 18 U.S.C. § 2713, the Clarifying Lawful Overseas Use of Data Act. US government authorities can compel Amplitude to disclose electronic communications and records regardless of where those records are stored. An AWS EU-West-1 data residency option does not change Amplitude's legal obligation to comply with a valid CLOUD Act demand served on its San Francisco parent.
What Amplitude Collects: A GDPR Data Inventory
Understanding the GDPR risk starts with understanding what product analytics actually sends to Amplitude's servers.
Identity Data
Every Amplitude SDK call that includes a userId — your application's internal identifier for an authenticated user — creates a link between Amplitude's behavioral record and a real person in your database. For consumer products, this identifier often maps directly to an email address in your users table. For B2B products, it maps to a contact record in your CRM.
The userId persists across sessions, devices, and time. Amplitude's cross-device identity resolution is one of its core features: if a user signs into your product on a laptop and a phone, Amplitude merges those sessions into a single behavioral profile. The merged profile contains every event that user has ever triggered in your product — including events from years ago.
Under GDPR Article 4(1), any information that relates to an identifiable natural person is personal data. The userId — even if it is an opaque identifier like user_48291 — constitutes personal data when it can be linked to an individual through your own database, which it always can be, since you operate both systems.
Behavioral Event Data
Amplitude's event model is based on named events with properties. Typical events for a SaaS product include:
- `Signup Completed` with properties: `plan_tier`, `company_size_bucket`, `country`, `referral_source`
- `Feature Activated` with properties: `feature_name`, `feature_category`, `first_use_flag`
- `Payment Initiated` with properties: `plan_id`, `billing_period`, `amount_usd`, `coupon_applied`
- `Subscription Upgraded` with properties: `previous_plan`, `new_plan`, `delta_mrr`
- `Churn Risk Triggered` with properties: `inactivity_days`, `last_feature_used`, `contract_end_date`
Revenue events — which include actual transaction amounts — are personal data under GDPR because they relate to an identifiable individual's financial behavior. Financial data is not categorized as special category data under Article 9, but it is still personal data subject to full GDPR protections including transfer restrictions.
User Properties
Amplitude's Identify API allows you to set persistent properties on a user profile. Standard properties include email address, name, account tier, company name, country, and language preference. These properties persist indefinitely in Amplitude's event stream and are queryable from any historical timepoint.
Email address as a user property is unambiguous personal data. When combined with behavioral history, it enables the creation of detailed individual profiles — exactly the kind of processing that the GDPR's transfer restrictions were designed to protect.
Session and Engagement Data
Amplitude tracks session duration, session frequency, time between sessions, and engagement depth within each session. For each event, it captures timestamp, platform (web/iOS/Android), OS version, device type, browser (web), IP address, and geographic location derived from IP.
IP address constitutes personal data under GDPR Recital 30. Geolocation derived from IP address is personal data under Article 4(1). The combination of IP address, timestamp, and behavioral event creates a record that is directly linkable to an individual in most enterprise contexts.
The CLOUD Act Problem: Why EU Data Residency Does Not Help
Amplitude's EU Data Residency Offering
Amplitude offers an EU Data Residency option that stores event data in AWS EU-West-1 (Ireland). The feature is available on Business and Enterprise plans. Amplitude's marketing positions this as a solution for GDPR-sensitive EU customers.
For GDPR Article 44-49 transfer compliance, EU Data Residency does not resolve the fundamental problem.
The CLOUD Act Analysis
The CLOUD Act (18 U.S.C. § 2713) extends US government compulsion authority to providers of electronic communication service and remote computing service that are under US jurisdiction. The critical statutory language: "regardless of whether such communication, record, or other information is located within or outside of the United States."
Amplitude, Inc. is the data processor — the entity your Data Processing Agreement is with. It is a Delaware corporation, headquartered in San Francisco, and subject to US federal jurisdiction. When a US government authority serves a CLOUD Act demand on Amplitude, Inc., Amplitude's obligation to respond is not limited by where the data is physically stored. An AWS Ireland bucket holding your EU users' behavioral profiles can be disclosed in response to a demand served on Amplitude's San Francisco offices.
The Austrian Data Protection Authority's January 2022 decision in the Google Analytics case articulated this principle clearly: the problem is not data location, it is the legal obligation of the US-incorporated parent to comply with US law. The same analysis applies to Amplitude.
Amplitude's European Entity
Amplitude has European offices and employees. European operations typically involve a subsidiary that processes data on behalf of the US parent. The CLOUD Act analysis focuses on the parent entity — Amplitude, Inc. — because it is the US person that holds ultimate control over the infrastructure and can be compelled by US authorities. A European subsidiary's day-to-day data processing does not insulate the data from US government access directed at the parent.
This is the same structure that caused EU DPAs to rule against Google Analytics despite Google having extensive European infrastructure. The structural problem is corporate parentage, not data geography.
Five GDPR Transfer Risk Scenarios
Scenario 1: Feature Adoption Analytics with Email Properties
Your B2B SaaS product tracks Feature Activated events. User properties include email, company_name, and plan_tier. You analyze which features correlate with expansion revenue.
GDPR exposure: Email address plus behavioral history creates a detailed profile of an identifiable natural person. Transfer to Amplitude without a valid Article 46 safeguard is a violation of Article 44. Standard Contractual Clauses do not provide adequate protection where the processor is subject to CLOUD Act disclosure obligations — this is the Schrems II holding.
Scenario 2: Conversion Funnel Analysis Including Revenue Events
Your checkout funnel sends Payment Initiated and Subscription Upgraded events with amount_usd properties. You use Amplitude to identify where users abandon the upgrade flow.
GDPR exposure: Revenue events tied to a userId contain financial information about an identifiable individual. Financial behavioral data is personal data. Transfer to a CLOUD Act-exposed processor without valid legal basis violates Article 44-49.
Scenario 3: Churn Prediction with Engagement Scoring
You send engagement metrics to Amplitude and use Amplitude's AI-powered behavioral prediction to identify churn risk. Amplitude's ML model produces a churn risk score per user.
GDPR exposure: Automated processing of personal data to produce a prediction about an individual's future behavior constitutes profiling under GDPR Article 4(4). If that profiling has legal or similarly significant effects — such as triggering a sales intervention or affecting a subscription renewal — Article 22 applies and requires explicit legal basis.
Scenario 4: Session Replay Integration
Amplitude's Session Replay feature records user interactions with your product's UI — clicks, scrolls, form inputs, and navigation. It can capture form field values before they are submitted.
GDPR exposure: Session replay captures input data, which may include sensitive free-text content. Form fields that accept health information, financial details, or personal messages create special category data exposure under Article 9. Session replay data sent to a CLOUD Act-exposed processor is among the highest-risk categories of product analytics processing.
Scenario 5: Cross-Device Identity Resolution
A user accesses your EU-facing product from a work laptop in Germany and a personal phone in France. Amplitude merges these sessions into a single behavioral profile using its identity resolution.
GDPR exposure: Cross-device tracking creates a longitudinal behavioral record of an individual across multiple contexts. The merged profile — associating work and personal device usage patterns with a named individual — may constitute profiling under Article 4(4) with implications for Article 22 and Recital 71.
Amplitude's Transfer Mechanisms and Their Limitations
Standard Contractual Clauses
Amplitude offers Standard Contractual Clauses (SCCs) as part of its Data Processing Addendum. SCCs provide a legal transfer mechanism under GDPR Article 46(2)(c).
The limitation, established in Schrems II (Case C-311/18, CJEU 2020), is that SCCs do not provide adequate protection where the data importer is subject to laws that conflict with the guarantees in the SCCs. The CLOUD Act creates a direct conflict: it requires Amplitude to disclose data to US authorities without prior judicial authorization from an EU court, and without notifying the data subject or controller. This is precisely the conflict that the CJEU identified as invalidating the EU-US Privacy Shield and limiting the effectiveness of SCCs for US processors.
Data protection authorities that have ruled against US analytics processors — Austria, France, Italy, Sweden, Denmark — have done so under this Schrems II analysis applied to SCCs. The fact that Amplitude offers SCCs does not resolve the transfer problem for EU processors that have conducted a proper Transfer Impact Assessment.
EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF), adopted by the European Commission in July 2023, provides a new adequacy decision for transfers to US organizations certified under the framework. Amplitude is listed as a certified DPF organization.
The DPF does not address the CLOUD Act problem in the same way it addressed the Privacy Shield's deficiencies. The CLOUD Act is a US surveillance authority that operates independently of commercial data protection certifications. A DPF-certified US company remains subject to CLOUD Act demands. The practical question for EU DPAs is whether the DPF's National Security safeguards provide sufficient protection — a question that privacy advocates and Max Schrems' organization noyb have indicated they intend to challenge in European courts.
EU-Native Product Analytics Alternatives
PostHog EU Cloud
PostHog is an open-source product analytics platform with a self-hostable architecture and an EU-managed cloud option. The EU Cloud is hosted on AWS Frankfurt (EU-Central-1) through PostHog Ltd, a UK-registered entity.
PostHog's analytics feature set competes directly with Amplitude: event tracking, funnel analysis, retention curves, session replay, feature flags, A/B testing, and user behavioral cohorts. The SDK API is event-based, and migration from Amplitude's SDK to PostHog's SDK is typically a one-to-one substitution for standard events.
For GDPR purposes, self-hosted PostHog running on EU infrastructure eliminates the third-party data transfer entirely. The PostHog EU Cloud avoids US corporate parentage: PostHog Ltd is a UK entity, not a US person under the CLOUD Act.
```python
# PostHog EU Cloud initialization (direct Amplitude SDK replacement)
from posthog import Posthog

posthog = Posthog(
    api_key='phc_your_api_key',
    host='https://eu.posthog.com'  # EU Cloud endpoint
)

# Same event model as Amplitude
posthog.capture(
    distinct_id='user_48291',
    event='Feature Activated',
    properties={
        'feature_name': 'export_reports',
        'feature_category': 'data_management',
        'first_use_flag': True
    }
)
```
Countly (Self-Hosted)
Countly is an open-source product analytics platform designed for self-hosted deployment. It covers mobile, web, and server-side event tracking with a dashboard that covers funnels, retention, cohorts, and attribution.
Self-hosted on EU infrastructure (Hetzner, OVHcloud, Deutsche Telekom), Countly eliminates third-party data transfers entirely. No data leaves your server. GDPR compliance is structural rather than contractual.
Countly Community Edition is free under AGPL. Enterprise Edition adds features like crash reporting, A/B testing, and dedicated support. For most EU SaaS products that use Amplitude primarily for funnel analysis and retention curves, Countly Community Edition covers the essential use cases.
Mixpanel EU Data Residency
Mixpanel offers an EU data residency option that stores data in the EU. Mixpanel is incorporated in Delaware as Mixpanel, Inc. — the same CLOUD Act analysis applies as for Amplitude.
If your primary motivation for switching is cost or feature differences rather than full CLOUD Act elimination, Mixpanel EU Residency is a lateral move. If your motivation is eliminating CLOUD Act exposure, Mixpanel EU Residency does not achieve that goal.
Matomo (Product Analytics Mode)
Matomo is primarily known as a web analytics platform, but it supports event tracking and user behavioral analytics through its Events and Funnels modules. For products that need both web and product analytics in a single tool, Matomo self-hosted provides a full EU-sovereign stack.
Matomo is open-source, PHP-based, and actively maintained. It lacks some of the advanced ML features (predictive cohorts, Amplitude's AI Recommend) but covers the behavioral analytics use cases that EU compliance teams typically need.
Heap (No EU Data Residency)
Heap, acquired by Contentsquare in 2023, provides retroactive event analytics — it records all user interactions automatically without requiring manual event instrumentation. As of 2025, Heap does not offer an EU data residency option.
Heap is incorporated in the US. It is subject to the CLOUD Act. The lack of EU data residency makes it a higher-risk option than Amplitude (which at least offers EU-West-1 storage, despite the CLOUD Act limitation). Heap should be treated with the same transfer analysis as Amplitude.
Migration Path: Amplitude to PostHog
For teams with an existing Amplitude implementation moving to PostHog EU Cloud, the migration is straightforward because both platforms use an event-based model with similar property structures.
```python
class AmplitudeToPostHogMigrator:
    """
    Maps Amplitude SDK calls to PostHog equivalents.
    PostHog EU Cloud host: https://eu.posthog.com
    """

    AMPLITUDE_TO_POSTHOG_EVENT_MAP = {
        # Standard lifecycle events
        'Signup Completed': 'user signed up',
        'Login': '$pageview',  # PostHog captures logins via identify
        'Feature Activated': 'feature used',
        'Subscription Upgraded': 'subscription upgraded',
        'Subscription Cancelled': 'subscription cancelled',
    }

    def translate_identify_call(
        self,
        amplitude_user_id: str,
        amplitude_user_properties: dict
    ) -> dict:
        """Convert Amplitude identify() to PostHog identify()."""
        return {
            'distinct_id': amplitude_user_id,
            'properties': {
                # PostHog reserved properties with $ prefix
                '$email': amplitude_user_properties.get('email'),
                '$name': amplitude_user_properties.get('name'),
                # Custom properties pass through unchanged
                **{k: v for k, v in amplitude_user_properties.items()
                   if k not in ('email', 'name')}
            }
        }

    def translate_track_call(
        self,
        amplitude_event_type: str,
        amplitude_event_properties: dict,
        amplitude_user_id: str
    ) -> dict:
        """Convert Amplitude track() to PostHog capture()."""
        posthog_event = self.AMPLITUDE_TO_POSTHOG_EVENT_MAP.get(
            amplitude_event_type,
            amplitude_event_type  # Pass unmapped events through unchanged
        )
        return {
            'distinct_id': amplitude_user_id,
            'event': posthog_event,
            'properties': amplitude_event_properties
        }


# Companion assessor: scores an existing Amplitude setup before the migration.
class AmplitudeGDPRRiskAssessor:
    """
    Assess GDPR transfer risk for an Amplitude implementation.
    Returns actionable risk findings with remediation recommendations.
    """

    # Severity weights used for the aggregate risk score
    SEVERITY_WEIGHTS = {'CRITICAL': 4, 'HIGH': 3, 'MEDIUM': 2, 'LOW': 1}

    def __init__(self, uses_eu_data_residency: bool = False, has_session_replay: bool = False):
        self.uses_eu_data_residency = uses_eu_data_residency
        self.has_session_replay = has_session_replay

    def assess(self) -> dict:
        findings = []

        # Finding 1: Base CLOUD Act exposure (always applies)
        findings.append({
            'id': 'AMP-001',
            'severity': 'HIGH',
            'title': 'Amplitude Inc. is a US Person under CLOUD Act',
            'detail': (
                'Amplitude, Inc. is incorporated in Delaware. As a US person under 18 U.S.C. § 2713, '
                'Amplitude can be compelled to disclose your EU users\' behavioral data to US government '
                'authorities regardless of storage location.'
            ),
            'remediation': 'Migrate to self-hosted PostHog (EU infra) or PostHog EU Cloud.'
        })

        # Finding 2: EU Data Residency limitation
        if self.uses_eu_data_residency:
            findings.append({
                'id': 'AMP-002',
                'severity': 'MEDIUM',
                'title': 'EU Data Residency does not eliminate CLOUD Act exposure',
                'detail': (
                    'EU Data Residency stores data in AWS EU-West-1 but does not change the legal '
                    'obligation of Amplitude, Inc. (Delaware) to respond to CLOUD Act demands. '
                    'Austrian DSB ruling Jan 2022: data location is not the issue, corporate '
                    'jurisdiction is.'
                ),
                'remediation': (
                    'EU Data Residency reduces breach/misdirection risk but does not resolve GDPR '
                    'Art. 44-49 transfer exposure. Full remediation requires switching to a non-US processor.'
                )
            })

        # Finding 3: Session Replay
        if self.has_session_replay:
            findings.append({
                'id': 'AMP-003',
                'severity': 'CRITICAL',
                'title': 'Session Replay may capture special category data',
                'detail': (
                    'Session Replay records UI interactions including form field inputs. If any forms '
                    'collect health information, financial data, or personal messages, this constitutes '
                    'special category data under GDPR Art. 9. Transferring this to a CLOUD Act-exposed '
                    'US processor is high-risk.'
                ),
                'remediation': (
                    'Disable Session Replay immediately or restrict it to pages with no sensitive '
                    'form fields. If Session Replay is required, use PostHog EU self-hosted.'
                )
            })

        # Finding 4: Revenue Event exposure (always applies)
        findings.append({
            'id': 'AMP-004',
            'severity': 'MEDIUM',
            'title': 'Revenue events contain financial personal data',
            'detail': (
                'Amplitude Revenue events (e.g., logRevenue() calls) with userId link transaction '
                'amounts to identifiable individuals. Financial behavioral data is personal data '
                'under GDPR Art. 4(1) subject to transfer restrictions.'
            ),
            'remediation': (
                'Remove revenue amounts from Amplitude events or switch to an EU-native analytics '
                'tool for revenue tracking. Consider keeping revenue events in your own database only.'
            )
        })

        risk_score = sum(self.SEVERITY_WEIGHTS[f['severity']] for f in findings)

        return {
            'processor': 'Amplitude, Inc.',
            'jurisdiction': 'Delaware, USA',
            'cloud_act_exposure': True,
            'risk_score': risk_score,
            # HIGH (3) + MEDIUM (2) + CRITICAL (4) + MEDIUM (2) when every finding applies
            'max_score': 11,
            'findings': findings,
            'recommendation': (
                'Migrate to PostHog EU Cloud or self-hosted PostHog on EU infrastructure. '
                'PostHog provides near-identical feature coverage with full API compatibility.'
            )
        }
```
The EU Analytics Compliance Stack
The EU-ANALYTICS-SERIE has covered four major product analytics and web analytics providers that are commonly used by EU-facing SaaS products:
| Tool | Corporate Parent | CLOUD Act | EU Residency | Fixes Transfer? |
|---|---|---|---|---|
| Google Analytics | Google LLC (Delaware) | Yes | Yes | No |
| Mixpanel | Mixpanel, Inc. (Delaware) | Yes | Yes | No |
| Segment/Twilio CDP | Twilio Inc. (Delaware) | Yes | Yes | No |
| Amplitude | Amplitude, Inc. (Delaware) | Yes | Yes | No |
The pattern is consistent: every major US product analytics vendor offers EU data residency, and none of those EU data residency options resolve the CLOUD Act transfer problem. The CLOUD Act binds the US parent corporation, not the AWS region where data is stored.
The EU-native alternatives — PostHog self-hosted, Countly, Matomo, Pirsch, and Plausible — share a common structural property: they are either non-US entities or self-hosted tools where no third-party US corporate entity holds your data. That structural difference is what makes them defensible under GDPR Article 44-49 without requiring constant Transfer Impact Assessment updates as EU-US political conditions change.
20-Point Compliance Checklist: Amplitude GDPR Risk Assessment
Use this checklist to assess your current Amplitude implementation and plan a migration:
Inventory Phase
- Identify all Amplitude sources in your product (web, iOS, Android, server-side)
- List all user properties sent to Amplitude — mark which contain personal data (email, name, IP-derived data)
- List all event types and properties — mark which contain financial data, health data, or behavioral inferences
- Determine if Session Replay is enabled and which pages it covers
- Identify if you use Amplitude's cross-device identity resolution
Legal Basis Review
- Verify your DPA with Amplitude includes SCCs (Module 2: Controller-to-Processor)
- Document your Transfer Impact Assessment for Amplitude — has it been updated post-Schrems II?
- Determine if DPF certification is sufficient for your DPA's legal position
- Check your privacy policy: does it accurately disclose Amplitude as a data processor and the US transfer?
- Review consent layer: are analytics cookies (Amplitude's device ID) covered by explicit consent?
Risk Prioritization
- Flag any events where `amount_usd` or revenue data is sent as an event property
- Flag any events where free-text user input could be captured as a property
- Confirm Session Replay exclusion rules for sensitive pages (payment, health, support)
- Assess whether Amplitude's AI features (Recommend, predictive cohorts) trigger GDPR Art. 22 profiling
Migration Planning
- Evaluate PostHog EU Cloud for your core analytics use cases (funnels, retention, cohorts)
- Test PostHog's Amplitude import feature for historical data migration
- Plan SDK swap: `amplitude.getInstance().logEvent()` → `posthog.capture()`
- Update your data processing register (GDPR Art. 30) to reflect the new processor
- Notify affected data subjects if your privacy policy previously disclosed Amplitude
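The Risk Prioritization items above (flagging `amount_usd`, identifiers and free-text input) and the AMP-004 remediation (strip revenue amounts before they reach the processor) can be applied to the event stream itself. The following is an added example, not code from this post or from Amplitude or PostHog: it classifies Amplitude-style event payloads against those checklist categories and produces a minimised copy. The key sets, the free-text heuristic and the sample payloads are constructed assumptions for the example; extend them from your own event inventory.

```python
import copy
import re
from typing import Any

# Assumed property name sets for this example (not an Amplitude or PostHog schema).
IDENTIFIER_KEYS = {"email", "name", "phone", "ip", "ip_address"}
FINANCIAL_KEYS = {"amount_usd", "delta_mrr", "revenue", "price"}
FREE_TEXT_HINTS = ("text", "message", "comment", "note", "query", "input")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def _all_properties(event: dict[str, Any]) -> dict[str, Any]:
    """Merge event_properties and user_properties; a top-level 'ip' counts as a property too."""
    merged = {**event.get("event_properties", {}), **event.get("user_properties", {})}
    if "ip" in event:
        merged["ip"] = event["ip"]
    return merged


def classify_event(event: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per risky property in an Amplitude-style event payload.

    Categories follow the checklist: 'financial' (amount_usd / revenue data),
    'identifier' (email, name, IP, or any value that looks like an email address),
    and 'free_text' (property names or lengths that suggest user input; heuristic,
    so review hits manually for Art. 9 content).
    """
    findings = []
    for key, value in _all_properties(event).items():
        looks_like_email = isinstance(value, str) and EMAIL_RE.fullmatch(value) is not None
        if key in FINANCIAL_KEYS:
            findings.append({"property": key, "category": "financial"})
        elif key in IDENTIFIER_KEYS or looks_like_email:
            findings.append({"property": key, "category": "identifier"})
        elif isinstance(value, str) and (
            any(hint in key.lower() for hint in FREE_TEXT_HINTS) or len(value) > 64
        ):
            findings.append({"property": key, "category": "free_text"})
    return findings


def minimise_event(event: dict[str, Any]) -> dict[str, Any]:
    """Copy of the event with every flagged property removed before it leaves your server.

    user_id is deliberately kept: it is the join key for funnels, but it remains
    personal data under Art. 4(1), so this narrows the transfer rather than resolving it.
    """
    clean = copy.deepcopy(event)
    removed = []
    for finding in classify_event(event):
        key = finding["property"]
        for bucket in ("event_properties", "user_properties"):
            if key in clean.get(bucket, {}):
                del clean[bucket][key]
                removed.append(key)
        if key == "ip" and "ip" in clean:
            del clean["ip"]
            removed.append("ip")
    clean["redacted_properties"] = sorted(set(removed))  # audit trail for the Art. 30 register
    return clean


# Constructed sample payloads mirroring the event names used in this post.
SAMPLE_EVENTS = [
    {"user_id": "user_48291", "event_type": "Payment Initiated",
     "ip": "203.0.113.42",  # documentation-range address, constructed
     "event_properties": {"plan_id": "pro_monthly", "billing_period": "monthly",
                          "amount_usd": 49.0, "coupon_applied": "SPRING25"},
     "user_properties": {"email": "jane@example.com", "plan_tier": "pro"}},
    {"user_id": "user_48291", "event_type": "Feature Activated",
     "event_properties": {"feature_name": "export_reports", "first_use_flag": True}},
    {"user_id": "user_77310", "event_type": "Support Message Sent",
     "event_properties": {"message_text": "Please cancel, I changed jobs and my card expired."}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_type"], classify_event(ev))
```

Run it as a pre-send hook in your server-side ingestion path, or offline over an export of your event inventory, to populate the "flag any events" checklist items with concrete property names.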
Conclusion
Amplitude provides valuable product analytics capabilities, and its EU Data Residency option demonstrates awareness of European compliance requirements. But the structural problem — Amplitude, Inc. is a Delaware corporation and US person under the CLOUD Act — is not resolved by choosing an EU AWS region for data storage.
For EU SaaS teams that have conducted a proper Transfer Impact Assessment, Amplitude presents the same legal exposure as Google Analytics, Mixpanel, and Segment. The five EU DPA rulings against Google Analytics established the legal framework; the analysis extends to any US-incorporated analytics processor.
PostHog EU Cloud and self-hosted PostHog on EU infrastructure provide near-identical product analytics functionality without the CLOUD Act exposure. For EU-facing products that need to operate with confidence that user behavioral data will not be subject to undisclosed US government demands, the migration effort is justified by the compliance certainty it provides.
This post is part of the EU-ANALYTICS-SERIE, covering GDPR compliance for analytics tools used by EU SaaS teams. Previous posts: Google Analytics (GA4), Mixpanel, Segment/Twilio CDP.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.